File: blk00281.txt

22:45 < warren> jgarzik: if you aren't near one of the consulates there are some companies that will charge you money to do it...
22:47 < HM3> gmaxwell, the schnorr construction is just cleaner algebraically, and I like that you can't do public key recovery
22:48 < gmaxwell> ::shrugs:: Not really more than anything else that does the same thing, and it's compatible.
22:48 < gmaxwell> HM3: yea, sure, I like schnorr too, but randomness isn't an argument for it.
22:49 < HM3> the lack of a need for a perfect RNG during signing is
22:50 < gmaxwell> HM3: DSA and Schnorr are the same in that regard. You derandomize them both under the same method
22:50 < HM3> sure but schnorr requires that construction to work
22:51 < gmaxwell> HM3: no they don't, go look at the schnorr patent. It's described using a random k.
22:52 < HM3> no I mean Schnorr is H(m||rG) and during verification you have to compute the candidate rG and recalculate H(m||rG)
22:52 < warren> "go look at the * patent" told to another engineer is wise?
22:53 < HM3> in DSA you just check, if i remember correctly, that sG is correct
22:53 < gmaxwell> warren: it's expired. Also, you need to go turn in your JD if you think it's not, see in re seagate. :)
22:54 < gmaxwell> (otherwise my response would have been "forget about it, it's patented")
22:55 < HM3> anyway. keeping DSA has no more merit than replacing it if you plan on breaking compatibility anyway. but it's a fair point that you can derandomize DSA if you don't
22:55 < jgarzik> warren, yep, like Travisa ;p
22:55 < jgarzik> warren, communist state was never destined to make life easy and efficient
22:55 < warren> jgarzik: oh, they do F visas?  didn't see that option
22:56 < warren> jgarzik: I like how easy and efficient things are here.
22:57 < gmaxwell> HM3: hm, why do you say that recovery isn't possible in Schnorr? I believe it is, in fact.
22:57 < HM3> doubtful
22:58 < HM3> sipa agreed with me months ago when i asked him as well :P
22:58 < HM3> Appeal to authority! appeal to authority
22:59 < HM3> s = k - xe
22:59 < HM3> sG = kG - xeG
22:59 < HM3> you know eG and sG but not kG (which is r)
23:00 < HM3> and you know e = H(M||r)
23:00 < HM3> and obviously not xG (the key you're trying to recover)
23:01 < gmaxwell> HM3: You know r.
23:01 < HM3> nah, r isn't part of the sig
23:01 < gmaxwell> pray tell how you compute H(M||r) without it in the verifier?
23:02 < HM3> you calculate candidate r
23:02 < HM3> then compute H(M||r) and compare with e, which = H(M||r)
23:02 < warren> Don't worry, only *hard* math is patentable subject matter.  Not abstract ideas.
23:02 < HM3> I don't know why Wikipedia uses such silly letters
23:03 < HM3> r should be for the randomly selected number damnit
23:03 < gmaxwell> HM3: ah right, you recover r.
23:03 < HM3> gmaxwell, right, but you need the public key you're verifying against to do it
23:04 < HM3> in DSA you s = (1/k) * (H(M) + xr)
23:04 < HM3> and r = kG anyway
23:04 < gmaxwell> well thats a bummer then, minus one for Schnorr signatures. :P
23:04 < HM3> so it's fairly redundant
23:04 < HM3> gmaxwell, but DSA is broken if there's a collision on your hash function :P
23:06 < gmaxwell> so is schnorr, I take your signature and rebind it onto M' where H(M'||r) == H(M||r). :P
23:06 < HM3> if you were stupid and used a raw SHA instead of HMAC, then trick you in to signing 2 length extended messages such that there was a collision,  I can work out your privy
23:06 < HM3> gmaxwell, yes but it wouldn't reveal the private key like DSA would
23:07 < HM3> even your derandomized DSA would if you used H(priv || H(M)) instead of H(priv || M) for the rerandomization bit
23:08 < gmaxwell> Fair enough. I'm not going to argue that you don't need to bother with the private key if you can just rebind, because, I realize that collisions in reality are never quite that freeform. :)
23:09 < HM3> nobody has broken anything decent collision wise yet anyway have they?
23:09 < warren> gmaxwell: thanks for in re seagate, not sure how I didn't see this before.
23:11 < gmaxwell> HM3: sure, md5, though not second-preimages on an arbitrarily selected input.
23:12 < gmaxwell> HM3: I'm busy chastising myself because I'm usually irritated by people who refuse to distinguish theoretical security from practical security, and I did almost make that counterargument to you in earnest.
23:13 < HM3> I saw that SHA-3 got knocked down a bit during recent standardisation
23:14 < gmaxwell> HM3: IIRC Schnorr also has nice threshold signatures, alas.
23:14 < HM3> they cut some bit lengths
23:14 < gmaxwell> HM3: yea, they changed the input rate. Which was kinda surprising, because capacity was specifically cited as a reason to exclude cubehash from the final round.
23:15 < HM3> did they give a reason?
23:15 < gmaxwell> Sure, speed.
23:15 < HM3> Pish
23:15 < gmaxwell> It's not entirely unreasonable.
23:15 < gmaxwell> But I was surprised.
23:16 < gmaxwell> DJB did some saber rattling on the NIST list to adjust the capacity to a fixed 576 bits (so a constant 1024 bit input rate) which is sort of a middle ground (more security for the original proposal at 256 bits output, less than the original proposal for 512 bit output). Doesn't sound like NIST or the Keccak team like the proposal. .. but NIST went quiet with the government shutdown.
23:17 < gmaxwell> For small inputs (e.g. <1024 bits) it doesn't matter.
23:19 < HM3> maybe when they reopen they'll forget they made the change
23:19 < gmaxwell> it's kinda irritating that the NIST list is closed-access. I see that the wikipedia sha-3 article mentions this discussion but has no citation.
23:19 < gmaxwell> well the change apparently was proposed by the Keccak team, which is totally believable the original capacity was the minimum nist required.
23:19 < gmaxwell> DJB basically said FUCK YOU to that requirement and refused to meet it in his proposal, and... well. :P
23:20 < gmaxwell> the other hashes met the requirement but many of them whined.
23:20 < HM3> Good old DJB
23:20 < HM3> I find his written material very accessible
23:21 < gmaxwell> esp having 512 bits of preimage security for the 512 bit hash required >1024 bits of state (in addition to the update state) which was getting a bit burdensome.
23:22 < gmaxwell> the DJB proposed modification to sha3 would have the nice side effect of making it always process 1024 bits at a time, regardless of the output size.  On that basis I like it.
23:22 < HM3> and presumably that allows for optimisation
23:23 < gmaxwell> (currently it does something like 1344 bits at a time for 256 bit output, and 1088 bits at a time for 512 bit output)
23:23 < gmaxwell> well it simplifies implementations at least, might also make hardware versions that do both sizes easier.
23:24 < HM3> 1337 bits would have been better
23:24 < gmaxwell> I am imagining millions of duck sized engineers stabbing you in the foot.
23:26 < HM3> ah well, i must retire to bed
23:26 < HM3> i'll take that duck sized engineer thing with me
--- Log closed Tue Oct 15 00:00:11 2013
--- Log opened Tue Oct 15 00:00:11 2013
02:12 < warren> sipa:
02:16 < sipa> let me guess
02:16 < sipa> yup :)
02:26 < warren> sipa: just as likely as my one time pad
05:36 < wumpus> CodeBug : should compare return value from memcmp with zero.
05:36 < wumpus> wrong channel
08:45 < HM3> since Bitcoin already uses boost you could use boost array instead of 'vch' in CKey
08:45 < HM3> would have got operator== for free
09:56 < petertodd> BlueMatt: from the point of view of a SPV node, verifying that a block header is correct is verifying it fully, so relaying that header (or even full block) to other SPV nodes does no harm.
09:57 < sipa> well, you would at least want to announce that you did not verify transactions in that case
09:57 < petertodd> BlueMatt: anyway, I put that in the BIP to show how NODE_BLOOM should be thought of "I'm willing to apply bloom filters to stuff I relay to you" and nothing more
09:57 < petertodd> sipa: which you do because you didn't set NODE_NETWORK (in that case)
09:58 < sipa> right, NODE_BLOOM is orthogonal to what you are relaying
09:58 < petertodd> sipa: exactly
09:59 < petertodd> You could (uselessly) say NODE_BLOOM and !NODE_* just means I'm willing to apply bloom filters to the nothingness I will relay to you; if you implement this I suggest you apply for an art grant.
09:59 < sipa> perhaps apply it to addr or alert messages :p
10:00 < petertodd> With an extended NODE_BLOOM definition that makes a lot of sense.
14:41 < gmaxwell> uh. Michael Gronager has ... um. not quite sure what to call it:
14:43 < petertodd> looks fixable to me, though ugly
14:44 < gmaxwell> yea, it's apparently already fixed.
14:45 < gmaxwell> 50% drop in namecoin exchange rate though.
14:45 < petertodd> good example of how blockchains can separate proof-of-data distribution, global consensus on ordering, and the actual rules themselves...
14:45 < petertodd> ha, yeah, I should have quickly bought some at the low point :P
15:07 < warren> amusing to see the deniers in the thread
15:10 < amiller> does anyone know who first created namecoin
15:10 < sipa> vinced?
15:15 < K1773R> gmaxwell: (namecoin) holy, thats horrible... i wonder why nobody looked at it :S
15:16 < sipa> i suppose because nobody competent cared? *ducks*
15:16 < amiller> but no one has heard from vinced in a long time?
15:17 < petertodd> K1773R: namecoin isn't getting used for anything yet; it just hasn't caught on
15:17 < petertodd> K1773R: well, other than speculators...
15:18 < K1773R> petertodd: i used it as backup solution for important stuff
15:18 < sipa> eh?
15:18 < petertodd> K1773R: backup? how so?
15:18 < K1773R> you're aware it's just a simple key/value storage?
15:19 < sipa> yes
15:19 < sipa> but there are certainly easier ways
16:17 < amiller> jtimon, ok well fair enough, that is indeed a good way to do it, but you probably also need a way of discouraging utxo bloat
16:18 < jtimon> amiller I advocate for explicit colors
16:18 < amiller> jtimon, yes i advocate for it too, i just don't see what the solution is for discouraging utxo bloat now that you add a functionality that increases it
16:19 < jtimon> if nobody has to store the full utxo, utxo bloating is not that much of a problem
16:20 < maaku_> amiller: this doesn't result in any utxo bloat...
16:20 < amiller> do coins have at most 1 color or something?
16:20 < maaku_> scripts are in the txin, not out
16:20 < killerstorm> amiller: color tag is just a hash of genesis transaction or something like that. ~32 bytes per UTXO won't hurt.
16:20 < maaku_> amiller: yes
16:21 < amiller> ok that sounds pretty nice.
16:21 < amiller> adding that single op code and that single change to UTXO is by far the simplest way of getting fairly scalable colored coins usage.
16:22 < killerstorm> jtimon: there is no difference between OP_CHECKCOLORVERIFY and explicit colors. OP_CHECKCOLORVERIFY can be in scriptSig.
16:22 < amiller> i'd be really interested to see that
16:22 < jtimon> killerstorm: in fact, in the next version of freimarkets specs, you can save the tag, by omitting it you mean "the same color as the previous output"
16:22 < killerstorm> jtimon: I mean I'm not aware of any practical difference.
16:22 < amiller> that sounds pretty great to me
16:22 < amiller> how about a reference impl that deviates minimally from satoshi client?
16:24 < maaku_> amiller: what scheme are you talking about?
16:24 < killerstorm> Well I've heard iXcoin guys are interested in implementing this, but they lack developers. (Essentially it is just the guy who does the marketing...)
16:24 < killerstorm> I've outlined the spec although I'm not sure about some decisions.
16:25 < jtimon> saposhi nasakyoto I think (I can't believe ixcoin is alive, and there's still people who say MM kills altcoins...)
16:29 < jtimon> but yeah, why not use it to experiment
16:30 < jtimon> is already MM, it's in a great position to be used for this things
16:31 < killerstorm> It got new life: new PR/marketing team :)
16:32 < killerstorm> MM means that it is 100% controlled by
16:32 < jtimon> killerstorm, how do you implement per-asset interest/demurrage with OP_CHECKCOLOR ?
16:32 < jtimon> only merge-mines it?
16:33 < killerstorm> No, has 40% of bitcoin hashpower and is mining alt-coins. Since some Bitcoin miners do not do merged mining, this means that hash more than 50% of hashpower of Namecoin and IXCoin
16:34 < petertodd> killerstorm: +1 wish people realized that earlier
16:39 < warren>'s_theorem
16:39 < warren> (for those thinking of memory hard to hash but easy to validate PoW, would this theoretical limit apply?)
16:42 < petertodd> I'm not seeing the connection
16:49 < jtimon> I don't see why memory hard is better
16:50 < warren> I didn't say it was.
16:50 < warren> people were discussing it here in past months
16:50 < petertodd> jtimon: the theory is memory hard targets memory, which is most likely to be an available commodity product and thus escapes the ASIC centralization trap
16:51 < petertodd> jtimon: however, practical memory hard that really is ASIC-hard appears to be a very difficult problem
16:51 < petertodd> jtimon: reasonably easy to do in cases where the work to be done is non-parallelizable, but crypto-consensus systems must be parallelizable
17:01 < jtimon> I don't see why ASICs are worse
17:05 < warren> IMHO, mining pool centralization is the real problem, not ASIC's.
17:07 < jtimon> warren, agreed, and I thought that was solved with trustless pools (p2pool, eligius...)
17:07 < petertodd> jtimon: ASICs centralize control in the hands of a very small number of chip fabs
17:08 < maaku_> petertodd: meh, coordinated quality control could mitigate that
17:08 < petertodd> jtimon: and p2pool and getblocktemplate don't "solve" the problem because there's no incentive to use either
17:08 < petertodd> maaku_: huh?
17:08 < maaku_> petertodd: a scanning electron microscope is not hard to get access to
17:09 < petertodd> jtimon: they *do* help with "non-selfish" actors, but they fall short of the security ideal where bitcoin is secure in the presence of selfish actors
17:09 < maaku_> there should be efforts to take asic chips at random from batches and do SEM scans of their circuits
17:09 < maaku_> then anyone with tools can verify that they are not backdoored
17:09 < petertodd> maaku_: the problem isn't hardware that's bugged, the problem is getting hardware at all - those chip fabs can easily *publicly* control the bitcoin network
17:10 < jtimon> can't the operator of a centralized pool cheat you somehow?
17:10 < maaku_> jtimon: out of your shares, yes
17:10 < jtimon> or decide for you what transactions to, say censor?
17:11 < petertodd> jtimon: they can cheat you in lots of ways, that doesn't change the fact that per unit hashing power they'll be more profitable in many scenarios
17:11 < maaku_> jtimon: using GBT you can choose your own transactions
17:11 < petertodd> jtimon: after all, they might own the hashing power too you know in which case cheating doesn't even come into it - owns much of their physical hashing power
17:11 < petertodd> maaku_: in theory, in practice pools don't allow that - very high bandwidth cost
17:12 < maaku_> well, eligius does
17:12 < jtimon> maybe centralized operators aren't being as malevolent as they "should"
17:12 < petertodd> maaku_: yes, and eligius is being operated by altruistic people
17:12 < petertodd> jtimon: who cares? what matters is that our security isn't as good if we have to rely on that
17:13 < maaku_> meh, i would say that eligius is operated by knowledgeable people/person
17:13 < sipa> it's my theory that if every actor started out as malevolent/selfish/rational, bitcoin would never have worked
17:13 < sipa> it's an experiment in building a system that doesn't need trust in many actors
17:13 < maaku_> as bitcoin matures i expect more pools to act like Luke-Jr
17:13 < sipa> but we'll need to get there step by step
17:13 < jtimon> sipa you're probably right, the start was incredibly difficult
17:14 < maaku_> or maybe the causality is reversed - bitcoin will never mature unless more pools act like Eligius does
17:14 < maaku_> either way once it happens, it happens
17:14 < jtimon> I mean, I wasn't around,'s surely the hardest part
17:15 < petertodd> sipa: yes, we got incredibly lucky there
17:16 < petertodd> fact of the matter is that relying on altruism is dangerous and subject to sudden changes
17:16 < petertodd> never mind the fact that what we were talking about, ASIC-hardness, has nothing to do with altruism
17:17 < sipa> yup, but removing much it suddenly is equally dangerous
17:17 < petertodd> sipa: what do you mean by "removing" it?
17:17 < petertodd> sipa: no-one is proposing removing anything
17:17 < sipa> oh, i'm not saying that
17:18 < sipa> but if suddenly many people/miners/whatever started acting selfishly, i'm sure it could hurt bitcoin's survival chances
17:18 < sipa> +suddenly
17:18 < petertodd> oh sure, but the fact that it would hurt just shows that bitcoin is poorly designed
17:18 < sipa> i'd say it just isn't evolved enough :)
17:19 < petertodd> heh, equally true statement
17:19 < petertodd> though the ugly thing is changing the design is probably an economic change so...
17:20 < petertodd> anyway, as I said about the selfish miner attack, these attacks are real, and we're damn lucky that for now the big players are acting altruistically, take advantage of that time to study alternatives so we'll have them ready when they're needed
17:20 < jtimon> come'on miners have to attack MM chains because "the good of their coin is their good", but they cannot trustless mine because "it is not selfish enough"?
17:21 < petertodd> jtimon: what do you mean by trustless mine?
17:21 < jtimon> p2pool, eligius
17:21 < sipa> p2pool/gbt?
17:21 < jtimon> yes
17:21 < petertodd> jtimon: remember, my point re MM attack was that if you have a big pool, then your MM chain is in a dangerous position
17:22 < petertodd> jtimon: my point with trustless mining is that it *costs more* than just pointing your hashing power at
17:22 < jtimon> my point now is to apply your same "for the future of the coin" reasoning for miners to use p2pool/gbt
17:22 < petertodd> after all, this all came up with mastercoin when I got hired to analyze what type of blockchain they should use, and the result was "Why use anything less secure?"
17:23 < petertodd> jtimon: that's a very bad comparison - you're comparing the behavior of a large pool to a small hasher
17:24 < jtimon> a large pool is composed of small hashers
17:25 < jtimon> if anything, they should be more stupid in groups, no?
17:25 < petertodd> not at all, think in terms of incentives to defect and do what's better for you, but worse for the group
17:25 < petertodd> IE, I earn more money for less work if I hash at
17:26 < petertodd> vs. "I'm a 30% pool and killing off FooCoin is cheap and easy and the public doesn't like it anyway so the PR will be good for me."
17:26 < petertodd> (especially relevant in my advice to mastercoin you know...)
17:26 < jtimon> IE, I earn more money for less work if I MM instead of attacking a "competing" coin
17:26 < petertodd> oh piss off, scale makes the incentives very different
17:26 < sipa> merge mining a tiny currency doesn't gain you anything significant
17:27 < jtimon> your advice to mastercoin was to use your proof of sacrifice design draft?
17:27 < jrmithdobbs> jtimon: you're failing to control for internet assholes
17:27 < jtimon> sipa how much you lose by gbt vs ?
17:27 < jrmithdobbs> "Some men just like to watch the world burn."
21:18 < petertodd> what? satoshidice?
21:19 < Luke-Jr> yes
21:19 < petertodd> ok, go to a jurisdiction where gambling is legal and or replace that example with another business
21:20 < Luke-Jr> I don't see a court accepting the basis that I am forced to do business with <other business>
21:20 < petertodd> Or heck, lets say I write an Android app called "Rip off zeroconf merchants!" that automates the process, and give Eligius 10% of the stolen funds in terms of fees.
21:20 < Luke-Jr> even outside of bitcoin, I have the right to choose who I do and don't do business with
21:20 < petertodd> This has nothing to do with who you choose business with - no-one is making you mine those transactions.
21:21 < petertodd> We're just forcing you to follow standard good practice and accept them into your mempool so double-spends can be detected and not mined.
21:21 < gmaxwell> well be careful to distinguish civil liability and criminal.
21:21 < gmaxwell> I think making a criminal claim out of anything in this space would be very hard.
21:21 < gmaxwell> It's too easy to deny intent.
21:21 < Luke-Jr> petertodd: accepting them into my mempool is forcing me to provide a service to them
21:21 < petertodd> gmaxwell: indeed, and civil is majority, which is a much lower bar...
21:21 < gmaxwell> (except in cases like where they were directly and obviously profiting from it)
21:22 < petertodd> gmaxwell: I brought up the app example because it could be used in court to infer conspiracy to commit a crime.
21:22 < Luke-Jr> petertodd: why should I be forced to provide conflict detection services for <your business>?
21:22 < gmaxwell> In a civil claim, its almost sufficient to just show someone was harmed and that you were on the critical path.
21:22 < petertodd> Luke-Jr: what gmaxwell said...
21:22 < petertodd> Luke-Jr: you are being forced to take the minimal accepted prudent action
21:23 < gmaxwell> It's uncertain what the standards people would be held to in the future.
21:23 < petertodd> gmaxwell: +1 - Reality is this is all uncertain.
21:23 < Luke-Jr> petertodd: especially in the case of a spammer, who is abusing these exact resources
21:23 < gmaxwell> Basically as petertodd says. Doing something unusual that is responsible for someone else losing money, which you could or should have foreseen, may leave you with civil liability.
21:23 < gmaxwell> _may_
21:23 < gmaxwell> In the case of these gambling services its totally moot.
21:24 < Luke-Jr> gmaxwell: even if they know they can lose money?
21:24 < petertodd> gmaxwell: yup, which is why defacto-zeroconf scares me a lot - the other half of it is "something unusual" might just mean you didn't invest as much money in network bandwidth
21:24 < gmaxwell> Their services are very likely unlawful in any jurisdiction that you care about being exposed to, and so they don't get to enjoy relief from the courts.
21:24 < gmaxwell> Luke-Jr: sure, and in defense someone being accused of a civil claim here would point to the fact that everyone knows zeroconf is unsafe.
21:25 < petertodd> Luke-Jr: "Everyone knows zeroconf is unsafe? Why we have the Lead Developer of Bitcoin on record saying it's safe for low-value transactions and that no pool would mine double-spends to preserve the value of their Bitcoins."
21:25 < gmaxwell> Luke-Jr: most of the US uses in deciding these things...
21:26 < gmaxwell> It's possible to get a decision that "yea, they should have known it was unsafe, so you're only 5% at fault"
21:26 < petertodd> Yup, and 5% of tens of thousands might still bankrupt you.
21:27 < gmaxwell> more importantly, you really just want to not be in a position where someone can bring a claim to court.... just defending is very expensive.
21:27 < petertodd> nor do you want to be in a position where some regulator is actually working behind the scenes to make the case happen
21:28 < Luke-Jr> all sounds like more reason to remove any sense of "defaults" from bitcoind
21:28 < gmaxwell> well, the right case happening wouldn't be so bad.
21:28 < petertodd> Luke-Jr: that I agree with mostly
21:29 < phantomcircuit> gmaxwell, boy is it
21:29  * petertodd brb, starting a fake ringtone company to set precedent
21:30 < gmaxwell> you really want the precedent setting defrauded site to be that girls gone wild guy
21:31 < petertodd> ha, ok, "pay by the minute barely legal live BDSM porn"
21:31 < Emcy> cant you just ensure tor mining is a thing for the foreseeable and preclude all this nonsense
21:32 < petertodd> Emcy: "As a major pool, you should put a stop to this nonsense by discouraging blocks with double-spends." <- I've seen this as a suggested way too many times
21:32  * warren is anyone else creeped out by that guy?
21:33 < petertodd> warren: which guy?
21:34 < Emcy> whats wrong with discouraging double spends
21:34 < petertodd> Emcy: by that I mean if you see a block with a double-spend in it, you deliberately orphan it
21:34 < petertodd> Emcy: is very dangerous for consensus
21:34 < Luke-Jr> nOgAnOo: yes; no
21:35 < Emcy> i didn't know you could get a double spend into the same block
21:35 < petertodd> Emcy: block would double-spend a tx in the mempool in this case
21:35 < Emcy> that seems bund
21:50 < gmaxwell> Does anyone offer abortions for bitcoin?  Now there would be your double feature test case.
21:50 < gmaxwell> catholic abets a double spend fraud of a payment for an abortion. 0_o
21:54 < Luke-Jr> gmaxwell: you didn't think that through ;)
21:54 < Luke-Jr> I'm not about to aid someone seeking a murder for hire
21:57 < warren> Luke-Jr: not sure how you'd code that into eligius ...
21:58 < gmaxwell> Luke-Jr: no thats exactly the point.
21:58 < gmaxwell> Luke-Jr: someone accepts payments for abortions. You, as expected, block the transactions if you can.
21:58 < gmaxwell> They get ripped off via a double spend as a result.
21:59 < warren> gavinandresen: sent
21:59 < gmaxwell> Now they sue you claiming that you're culpable for the theft. You defend saying that it would be unconscionable to demand that you knowingly aid their enterprise.
22:00 < Luke-Jr> hmm, in that case I'd have to figure out a way to blacklist the coin ;)
22:01 < gmaxwell> I didn't mean it seriously in any case, it's a thought experiment about miner culpability. (and what a perilous route it is)
22:02 < gavinandresen> petertodd: zero-confirmation transactions can be made  "safe-enough" for in-person low-value transactions where there is some trust that the person standing in front of you isn't colluding with a miner to double-spend.
22:03 < gavinandresen> trust/safety are not booleans
22:04 < warren> does the android wallet tell you about double spends?
22:05 < gmaxwell> petertodd: does android wallet still hide (some?) confirmed nlocktime payments?
22:05 < Luke-Jr> it doesn't even get normal spends right, so I doubt it
22:06 < Luke-Jr> btw, anyone here know an accountant into bitcoin?
22:06 < gmaxwell> TD[away]: Were you ever able to get android wallet to compile?
22:11 < BlueMatt> gmaxwell: huh? the android wallet is easy to compile
22:11 < BlueMatt> or are you talking about a branch?
22:14 < gmaxwell> derp right it was multibit that had the issue, now AW.
22:16 < warren> nOgAnOo: You are not being helpful here.
22:37 < jrmithdobbs> Is there a testnet chain big enough for io subsystem fuzzing?
22:38 < jrmithdobbs> I want 100k or so blocks I can throw at n bitcoind instances in parallel for parsing/indexing
22:39 < warren> testnet3 has over 100k blocks
22:39 < warren> not very big though
22:40 < jrmithdobbs> Guess I can jus use the real chain.
22:41 < jrmithdobbs> Actually. Testnet3 may be ideal
22:41 < jrmithdobbs> Less CPU choking on smaller blocks and more io thrashing
22:43 < jrmithdobbs> Someone have it in a < .8 && <= bdb 4.8 format somewhere?
22:45 < Luke-Jr> uh?
22:45 < Luke-Jr> blockchains don't use db formats
22:47 < jrmithdobbs> The Indra
22:47 < jrmithdobbs> Index
22:48 < jrmithdobbs> Guess I could just reindex it, forget how non-intensive testnet processing is. ;p
--- Log closed Thu Nov 21 00:00:50 2013
--- Log opened Thu Nov 21 00:00:50 2013
00:42 < petertodd> gmaxwell: no, it's even worse now: looks like anything other than standard nSequence=max and nLockTime=0 just doesn't show up in the wallet at all
00:43 < gmaxwell> petertodd: wow, so setting locktime to other values will hose them, even if the sequence was always max? :-/
00:43 < petertodd> gmaxwell: yup
00:43 < petertodd> gmaxwell: how do people fuck this shit up?
00:43 < petertodd> gmaxwell: the previous behavior was *better* than that
00:46 < gmaxwell> petertodd: thats the kinda question you can only answer by looking at commits.
00:51 < petertodd> gmaxwell: it's probably something to do with edf37998ca6c47c31a72271db136ac94ce2a6a13 in bitcoin
00:52 < gmaxwell> bitcoinj*
00:52 < petertodd> er, right
00:54 < petertodd> gmaxwell: sheesh, it's some new "risk analyzer" thing to try to analyze the risk of double-spends - I should submit a patch that replaces all that stupid code with a single simple calculation that always returns NaN
00:55 < gmaxwell> the logic in the commit message sounds like the bitcoin-qt wallet behavior, its not insane.
00:56 < petertodd> gmaxwell: my point is the thinking behind it
00:56 < petertodd> gmaxwell: anyway, it's probably just that the API changed and somehow it ended up with default off - there's no reference to any of it in bitcoin-wallet
05:18 < TD> gmaxwell: the android wallet? sure. it was multibit that was the problem, right? jim said he fixed that a couple of weeks ago but i didn't try building it since
05:18 < TD> gmaxwell: i had to spend time trying to make bitcoin-qt compile again
05:18 < TD> compiling sucks
05:20 < TD> i guess we should try and keep normal dev stuff in #bitcoin-dev though
05:20 < warren> TD: you use mac?
05:21 < TD> otherwise all we managed is to split one dev channel into two. let's keep #wizards for researchy stuff
05:51  * Luke-Jr facepalms
13:57 < adam3us> amiller: yes... well and by a public constant multiplication
13:57 < adam3us> amiller: so you can actually do ratios also from that
13:58 < amiller> help me understand the range proof
13:58 < amiller> start with notation for like, one input and two outputs
13:59 < adam3us> amiller: it's gnarly :) the basic idea is you need to prove v from vG+xH with v < 2^m
14:00 < amiller> i'll be happy if i can understand that a) ZK proof that the sum of outputs = sum of inputs, without overflow, b) the receiver learns one of the output values, but not the other output or the input, and c) both outputs are in a form suitable to be used in subsequent transactions
14:00 < adam3us> amiller: its schoenmakers protocol, I just optimize the application of it
14:00 < adam3us> amiller: yes
14:00 < adam3us> amiller: so call the bits of v = v_m ... v_1
14:01 < adam3us> now you prove separately that v_i is either 0 or 1 using generic ZKP of OR which is to introduce a degree of flexibility where the prover can intentionally forge one of the two proofs (but not both) as c=H(params), c1 = random, c2 = c xor c1 prove wrt those 2 challenges
14:03 < amiller> ahhhhh
14:04 < adam3us> amiller: and the rest is basically to obscure it and then there's a verification relation involving 2^j and the random values committed to and showing sum xi = x and you're good to go :)
14:04 < amiller> i think i remember how to do ZK of OR...
14:04 < adam3us> amiller: then i optimized the heck out of the serialization, and what needs to be unique, can be derived from a seed, reused, computed (pub key from sig with schnorr) etc
14:05 < adam3us> yeah you just forge the one that is wrong and choose c1 as a result of that computation then set c2 = c-c1 mod n and do a real proof on that one
14:08 < adam3us> amiller: the way you avoid the sender knowing too much about the receiver's secrets is you create a null value 0G+x0*H aka x0*H (and prove that is true using a schnorr sig) and then the sender adds the payment to it, and yet the sender does not know x0
14:09 < adam3us> amiller: so eg the sender could send 5*G+x1*H and the result is 5*G+(x1+x0)*H and the sender doesn't know x0; sender has to send 5, x1 to recipient out of band or encrypted
14:11 < adam3us> amiller: you can also do proofs of equivalence of discrete log and auditable encryption so I think you could probably validate that E(5),E(x1) matched the coin, though I didn't work out the details on that and it doesn't seem necessary because the recipient doesn't have to use the input
14:13 < adam3us> petertodd: "is that linear with the number of txouts?" yes; you do a range proof on each output, but you don't need to when you use the output as the input to a following transaction as it's already done
14:14 < adam3us> petertodd: "does it handle any combination of # of txins and # of txouts?" yes, and some of them can be unencrypted optionally (eg the fee)
14:16 < petertodd> adam3us: ok, sounds like this is a bit of an issue with large transactions, as there's a trade-off between "publish the whole tx" as your fraud proof, and having more complex merkle trees
14:16 < petertodd> see, we were thinking of doing merkle sum trees extending into the transaction txins and txouts, which is cheap with un-hidden values, not so cheap with a homomorphic system
14:19 < adam3us> petertodd: "yes, but the only thing stopping it is that it's possible to mine outside of government control! Reality is with the current system, even with TXO commitments and fraud proofs, at some point a large blocksize will lead to that scenario." i think we have problems like that, and seemingly a number of people don't recognize it yet; I am also not sure such an asic friendly mining function is good either
14:20 < adam3us> petertodd: in an ideal world one could remove miners, and everyone with whatever power can direct mine for their respective tiny reward
14:20 < petertodd> yes, ASICs are very much the other part of that problem....
14:22 < adam3us> petertodd: you can do better than scrypt(iter=1) - I saw some folks on the forum were proposing a mix of 16 aes and 16 sha3 finalists to increase chip layout; also something dynamic could help; apparently dan kaminsky has some idea about a x86 proof of work which would be inefficient on non x86
14:23 < petertodd> adam3us: If I were to design bitcoin 2.0, I'd design a system where you lose 1% of the value of your coins every year to pay for security, mining can't be outsourced via some type of scheme where rewards can be stolen by whomever did the mining, mining could be done on a small scale, (aka what p2pool does for bitcoin, though probably not that mechanism) and the pow function was commodity hardware friendly (hopefully no worse than 2x or 3x less cost effective than custom asics)
14:23 < adam3us> petertodd: so about that (no mining pools) is there some way to rely only on a time-stamp server or beacon without having miners validate anything
14:23 < petertodd> yeah, I'm dubious about anything that targets a chip architecture, too easy to just make an asic that optimizes the architecture, and archs change over time anyway
14:23 < petertodd> I think only mem-hard mining has any hope of working
14:24 < adam3us> petertodd: yes - i think the people who defend hashcash-sha256^2 have some point which is that hardware ALWAYS wins, and if it's a complicated or dynamic algorithm the only people with the hw will be people with $100m+ to play with
14:25 < adam3us> petertodd: then we'll see centralization in an even harder to combat form - another idea is to kick start a not-for-profit open hardware sha256 asic mining manufacturer
14:26 < petertodd> adam3us: see, I strongly disagree on principle because computer ram is stupidly optimized for its task; design a good ram-hard pow and the custom part of a potential asic will be small enough that at worst it becomes a cottage industry where the custom parts are relatively easy parts like custom pcbs
14:26 < petertodd> adam3us: problem is I haven't figured out how to actually do that...
14:26 < adam3us> petertodd: i don't know much about hw but that seems like a good idea, as butterfly et al are suspected of premining or fatal incompetence
14:26 < adam3us> petertodd: apparently there's another one called ROMix by the Scrypt author
14:26 < petertodd> adam3us: you mean an open hardware asic mining designer... we're probably never going to have decentralized IC manufacturing due to the nature of the business
14:26 < petertodd> adam3us: having open designs doesn't help
14:27 < petertodd> *much
14:27 < adam3us> petertodd: Scrypt itself is time-memory tradeable as it was a non-requirement to fix it
14:27 < petertodd> adam3us: yup
14:27 < adam3us> petertodd: yes i agree it's not so much the openness as the ready availability shipped on payment (not 1 year later when it's barely profitable)
14:28 < petertodd> See, at a high level, we can do interactive proof-of-storage, but we can't do non-interactive proof-of-storage. (specifically I mean you had some ram that was dedicated to a task for a given amount of time)
14:29 < petertodd> We can do proof-of-memory-bandwidth, but that doesn't appear to be ASIC hard: commodity ram *does* have various trade-offs between total storage, and bank bandwidth, and if you prove bandwidth * time, you can make an ASIC targeting that. (or your algorithm's constants become obsolete over time)
14:29 < petertodd> proof-of-memory-bandwidth also has the annoying habit of being symmetric, computation and validation are both expensive. (litecoin's been optimizing their scrypt implementation to speed up block header validation)
14:30 < adam3us> petertodd: i was wondering if many-ported ram could be a problem too (eg dual ported gfx ram to its logical conclusion eg 16-ports, 128ports)
14:31 < petertodd> adam3us: that's exactly what I mean! for instance I had a scheme for an asymmetrically validatable proof-of-work function with merkle trees where the size of the proofs was directly related to the parallelism possible, and commodity ram had way less parallelism than optimal
14:31 < adam3us> more high level though is there a way to base transaction ordering on a distributed timestamp server or distributed beacon without so much having the miners digging into the tx details
14:32 < petertodd> sure, but how do we keep the timestamp/beacon system secure?
14:32 < adam3us> yes; again hardware ALWAYS does better - its like a rule of physics or something
14:33 < adam3us> petertodd: well for example everyone mines timestamp commitments for reward
14:33 < adam3us> petertodd: that's nearly what committed tx looks like really
14:33 < petertodd> adam3us: no it's not! not pragmatically anyway, sure it'll always be at least some epsilon better, but we can live with ASICs being, say, 2x or 3x more cost efficient - basically that just makes tx's that people want to censor some reasonable amount more expensive. Not perfect, but we can live with that.
14:33 < adam3us> petertodd: the miner doesn't learn much except it's ordering something opaque
14:34 < petertodd> As I've said over and over, those schemes are nice, but there is no way they can fully prevent censorship.
14:34 < petertodd> They're plausible deniability really.
14:34 < adam3us> petertodd: agree the scale is critical, 2-3x as you say would be fantastic compared to where we are now
14:34 < petertodd> adam3us: yes, right now we've got more like 1000x
14:36 < adam3us> petertodd: i was thinking one stepping stone towards reducing need for mining pools and miner understanding eg is that you could mine to get voting rights and then use the voting rights to vote on transactions
14:36 < petertodd> Also, keep in mind there's variations of this stuff too: assuming FPGA's are always available as commodity is a weaker assumption, but it's better than nothing. On that basis it might be a lot easier to make mem-hard work.
14:36 < adam3us> petertodd: eg you mine your public key repeatedly for 10mins, everyone does
13:08 < adam3us> musing about organizing private keys as some kind of merkle-tree, if I had Q=dG where d is the root of the tree, then Q=Q1+Q2 where Q1=d1G, Q2=d2G d=d1+d2 mod n, and so on for Q1..Qk for some number.  now say leaf nodes in this tree are worth some standardized unit, 1uBTC.  now you can combine public keys to form a new public key Q0=Q1+Q1' (from Q1 prime another users input)
13:09 < adam3us> to prove authority to sign you must show a merkle path from a public key to the root, and sign it, the depth of the path and the number of leaves you can control proves the amount you are spending
13:10 < adam3us> maybe a block can add all the public keys in it, and then all transactions in it are implicitly mixed
13:11 < adam3us> maybe even all utxo public keys can be implicitly mixed analogously
14:22 < maaku> adam3us: isn't that similar to how lamport signatures work?
14:22 < adam3us> yes kind of but with hashes
14:23 < maaku> adam3us: the problem is bitcoin doesn't use ecdsa sigs, it uses scripts (which have, among other things, ecdsa opcodes)
14:46 < adam3us> maaku: yes it's a bit of a blue sky thought
14:47 < adam3us> maaku: wondering if bitcoin used a key per unit like zerocoin, what you could do, it seems that if there is a unique key per unit, there is less meaning to the linking - it's meaningless to the network
14:47 < adam3us> maaku: so then i was wondering can you combine lots of keys efficiently into a signature
14:49 < adam3us> maaku: where the verifier can't tell which input signature to the whole block (or even whole utxo) it came from
14:52 < adam3us> seems to me like you need 1 thread per hyperthread
14:52 < adam3us> eg 4 core i7, then 8 threads
14:53 < adam3us> wow m512 is quite a bit faster
14:54 < adam3us> sorry wrong window on the cores and threads
14:56 < gmaxwell> maaku: yea, I've wagged my finger at adam3us with ugly optimizations that layer violate and special case for specific cryptosystems. but man, they can be very attractive.
14:56 < petertodd> adam3us: some of my blue-sky blockchain proposals work well with single-sized coin values too
14:57 < gmaxwell> careful that you don't dance back into the space of academic cryptography that isn't actually practically useful due to limits like that. :)
14:57 < petertodd> gmaxwell: heh, well, if such a limit enables something else, the tradeoff may be worth it...
14:58 < adam3us> petertodd: my thought experiment started hmm maybe zerocoin is silly - it's one coin size, if bitcoin had that there would be no change and no meaningful linkage from the network analysis perspective either
14:58 < petertodd> adam3us: yup, it's a good idea - basically what you are doing is making it more bandwidth efficient
14:58 < adam3us> petertodd, gmaxwell: and that seems to be true no? the only person who knows which coin set is linked is the sender & recipient, other than like timing of sending them
14:59 < petertodd> adam3us: thing is, so maybe the trade-off is less bandwidth efficient per tx, but more scalable, in which case the single-sized coin values actually has a very attractive side-effect I hadn't thought of
14:59 < adam3us> petertodd: yes so then i thought ok so going the other way can you represent a big batch of sigs extremely compactly
14:59 < gmaxwell> adam3us: it's correct. if there is no splitting, merging, or address reuse, bitcoin is an anonymous currency up to timing analysis.
15:00 < adam3us> gmaxwell: that would actually meet my idealized definition almost: that only the sender & recipient could link (via subpoena etc)
15:00 < gmaxwell> and even timing analysis is .. meh, it's not like the time someone sends to you implies you are online.
15:00 < adam3us> gmaxwell: community policing
15:00 < adam3us> gmaxwell: exactly - "good enough"
15:00 < adam3us> gmaxwell: if you're not in a hurry spray them out a bit
15:01 < gmaxwell> News at 11: Mixmaster has a purpose again!
15:01 < petertodd> heh
15:01 < gmaxwell> adam3us: but yea, this isn't lost on me, but ISTM I'd never convince anyone of it.
15:01 < gmaxwell> Even the coinjoin stuff I was yabbering about that forever but couldn't get anyone to talk about it until I had a _name_ for it (thanks Peter)
15:02 < petertodd> it's too bad we don't have a "numerical addition" signature type, so you could just make multiple SIGHASH_ANYONECANPAY | SIGHASH_ADDITIVE txin signatures and gradually combine them e.g. for donations
15:02 < adam3us> gmaxwell: bah - let the people who understand jgarzik triangle deal with that
15:02 < petertodd> gmaxwell: heh, and they never thought I'd do anything useful with that art degree...
15:02 < sipa> ISTM?
15:02 < gmaxwell> it seems to me
15:02 < adam3us> petertodd: yes the schnorr sig and it turns out bernsteins EdDSA *is* ec schnorr (thanks gmaxwell for pushing me to read it)
15:03 < adam3us> petertodd: schnorr you can add sigs and keys
15:03 < petertodd> adam3us: right, I was actually thinking of something a lot simpler!
15:05 < gmaxwell> petertodd: did you see my lament about multisig and anonymity groups?
15:05 < petertodd> gmaxwell: nope
15:05 < gmaxwell> petertodd: if we used schnorr then 2 of 2 multisig txn would be indistinguishable from regular transactions.
15:05 < adam3us> gmaxwell: re layering violations - when you're out of luck, bend the rules :) we can patch it up best we can afterwards
15:05 < petertodd> gmaxwell: ah, yeah that'd be a good thing...
15:05 < gmaxwell> so the anonymity set for protocols based on them (e.g. coinswaps) would be basically all txn.
15:06 < gmaxwell> adam3us: well, of course, things snapping together nicely is sometimes a sign that you understand the problem space...
15:06 < petertodd> gmaxwell: the one good thing about multisig is that at least it's conceivable that what gets actually used will be a relatively small set of versions of it, 2-of-2's, 2-of-3's etc.
15:06 < adam3us> gmaxwell: i love elegance, and bitcoin has a huge amount of it
15:07 < gmaxwell> petertodd: sure sure, still, kinda sad that they're distinguishable.
15:07 < adam3us> petertodd: see also there's a leakage with multisig it tells you how many sigs there are and if it's k of n or n of n, with schnorr you have no idea
15:07 < adam3us> petertodd: and it takes the space of 1 sig also
15:07 < petertodd> adam3us: yup, like a fine hyper-optimized sports car - though I feel bad for the mechanic trying to change the oil filter...
15:08 < gmaxwell> in any case, I only brought it up because while the size and flexibility advantages were old news to me, I hadn't considered the privacy impact.
15:08 < adam3us> petertodd: it also has simple efficient blind sigs
15:08 < TD> good evening
15:09 < adam3us> petertodd: blind sig with EC DSA is not efficiently possible afaik, even with DSA blind sig is horrendous (damgard jurik homomorphic addition in n^5)
15:10 < petertodd> adam3us: I'll pretend I understood what you said :P
15:10 < petertodd> adam3us: by n^5 you mean O(n^5)?
15:10 < adam3us> TD: 'evening we're musing about blue-sky crypto, and lastly about the wonderful things you could do with schnorr (instead of dsa) and it turns out which i didn't realize that djb's EdDSA actually is schnorr
15:11 < TD> i haven't looked at EdDSA
15:11 < TD> it's not the same as ed25519?
15:11 < adam3us> petertodd: no i mean the calculations need to be done in a group of size n^5 where n is a like 3072 bit RSA key so like 15360 bit ops
15:11 < adam3us> TD: yes it is
15:11 < petertodd> adam3us: ah, so it's a size issue?
15:12 < adam3us> TD: i mean i always assumed without reading the paper, that it was a diff curve for DSA, but it's actually a tweaked version of EC schnorr sigs which is cool
15:12 < TD> oh
15:12 < TD> interesting
15:12 < TD> yeah i thought that too
15:12 < TD> although they're quite similar aren't they
15:12 < adam3us> petertodd: the intermediate results between the two users, the final result is a normal dsa sig
15:13 < TD> re-reading the schnorr wiki page, it's still based on discrete log and a group of prime order
15:13 < adam3us> TD: yes very, i think dsa wouldn't have existed if not for schnorr's patent (expired 2008)
15:13 < petertodd> adam3us: ah ok, so final sig size is reasonable, but the intermediate state isn't?
15:13 < adam3us> TD: but schnorr has many flexibility, security, and size advantages
15:13 < TD> sigh. patents.
15:13 < TD> is there anything they can't screw up
15:13 < adam3us> petertodd: yes, the intermediate uses a ton of experimental rade stuff
15:13 < TD> looks like to understand schnorr i will have to learn more maths first
15:13 < adam3us> petertodd: and probably moderately cpu heavy too
15:14 < petertodd> adam3us: right - I was gonna say I think I've got a possible solution to the "data hiding" problem in my txin commitments scheme
15:14 < adam3us> TD: if you understand DSA you'll get it... just djb papers are hard to decipher look at
15:15 < petertodd> adam3us: again, trade-off bandwidth for scalability
15:15 < TD> yeah i'm reading that but i need to [re] learn the definitions of things like "set of congruence classes modulo q"
15:15 < adam3us> TD: basically the only diff is you don't need to invert k
15:15 < TD> this rings bells from a-level maths but i forgot it
15:16 < TD> ed25519 is definitely on my hard-fork wishlist
15:16 < TD> the performance improvement is immense
15:18 < petertodd> adam3us: basically, remember how I was talking about "sharding" the txin space in the scheme with a binary tree? you could make the mining protocol be such that there's a way to force a lower part of the tree to either be revealed, or that part of the chain would backtrack. *If* the data is actually available, the chain shouldn't backtrack, so it's still secure. If on the other hand the data isn't, well, that was the txout owners ...
15:18 < petertodd> ... responsibility so tough luck. :)
15:18 < petertodd> adam3us: Not exactly a fully-fleshed out idea, but the approach could work.
02:22 < gmaxwell> but I don't think an obvious greedy algorithim exists.
02:23 < andytoshi> so, for the joiner's calculation, it needs to know if certain inputs are obviously linked
02:23 < andytoshi> and "obviously linked" does not sound well-defined to me
02:24 < andytoshi> would it suffice to assume the inputs are independent, and just look at the entropy of the mixer's input-to-output mapping
02:24 < andytoshi> ?
02:25 < andytoshi> that's nice because it's context-independent -- you give me any rawtx and i can compute that without even a network
02:26 < gmaxwell> andytoshi: you can assume the inputs are independent after doing the trivial preprocessing to merge ones with duplicate scriptpubkeys.
02:27 < gmaxwell> if that raw tx is signed you can still do it by looking at the scriptsigs ... most of the time.
02:28 < gmaxwell> andytoshi: the other weird thing is that this 'plausible' metric is kinda odd in that any funnybusiness at all results in a misestimation of 0 entropy.
02:29 < gmaxwell> which actually suggests that it's worth thinking about how we can enable that kind of funny business because just like the argument for CJ existing if the funny business exists with enough frequency, an attacker is forced to assume any txn might involve funny business.
02:29 < andytoshi> can you give an example of this?
02:30 < gmaxwell> andytoshi: yea, sure, say you and I do a coinjoin. But I actually happened to owe you money, and so the real mapping isn't a 'plausible' one because it transfers some of my coin to you.
02:30 < andytoshi> oh, i get what you mean
02:31 < gmaxwell> concretely e.g. you put in 1 and I put in 5, and then you get out 2 and I get out 4. all that we've discussed above would decide the maximal users there was 1.
02:31 < andytoshi> right, that's great, and it's not at all hard to do now .. if you owe me money, i'd say "let's get in on the next join session"
02:31 < andytoshi> (and with me personally you could even use the donation output
02:32 < andytoshi> )
02:32 < gmaxwell> yea, even outside of the context of a specific coinjoin: you can do this generally for payments as a way to consolidate change. E.g. if I want you to pay me, I could give you some extra inputs to include.. then you sign and give me the half signed txn.
02:32 < andytoshi> ah, that would require better tool support
02:32 < gmaxwell> Yea, but it could just be an addon in the payment protocol pretty easily.
02:33 < gmaxwell> "Add these extra inputs to the transaction and pay them to me, thanks"
02:34 < gmaxwell> the interesting question is that once you've relaxed the definition of 'plausible' to include the possibility of payments.. I think _any_ mapping is possible.
02:34 < gmaxwell> and the entropy of the coinjoin is basically log2(inputs*outputs)
02:35 < andytoshi> yeah, i think that's correct, which is pretty cool
02:35 < gmaxwell> as there is an auxiliary table of users paying other users.
02:35 < andytoshi> now, perhaps nsa with its psychologists can get information out that we can't
02:35 < gmaxwell> but the problem is that if no one ever does this then it doesn't matter. An attacker isn't really constrained to consider corner cases.
02:35 < andytoshi> but that's probably not a threat model we can do anything about
02:35 < andytoshi> right, exactly
02:36 < andytoshi> for now our definition of 'plausible' is good, so let's work with that
02:36 < gmaxwell> oh sure, not all payments are equally likely. For example, I can say that as a prior that auxiliary payment table is probably _sparse_ e.g. that it has a low l_0 norm.
02:36 < gmaxwell> and that non-sparse payment tables are very much less likely than sparse ones.
02:36 < gmaxwell> even in a world where people use this frequently.
02:37 < andytoshi> that seems plausible, though it's hard to say in the presence of fees
02:37 < andytoshi> maybe people only want to do transactions if they need to do transactions
02:37 < gmaxwell> well, it's just unlikely that you could find N people who all want to pay a bit to each other, for N>2 :P
02:38 < andytoshi> oh, yeah :P
02:38 < gmaxwell> cut-throughs also add some interesting analysis wrinkles, again if they actually existed.
02:39 < andytoshi> now, here's a silly question: our definition of coinjoin entropy as "entropy of the mixer's knowledge" .. is it monotonic?
02:39 < andytoshi> monotonic wrt the number of transactions
02:39 < gmaxwell> you mean the number of contributors to a mix?
02:39 < andytoshi> so if my joiner says "there's a 10-bit transaction in here", can somebody put in a transaction which reduces the entropy?
02:39 < gmaxwell> No, it must go up.
02:39 < andytoshi> yeah
02:39 < gmaxwell> (or stay the same)
02:39 < andytoshi> is that obvious?
02:41 < gmaxwell> I think so, otherwise I could just grab a random unrelated txn, add it to a transaction I was analyzing "assume this was joined in" and magically know more about the original transaction. :P
02:41 < andytoshi> i like that argument :)
02:42 < gmaxwell> The understanding that it was monotonic is why I've favored including poorly mixing transactions too, if that's all that's available.
02:43 < gmaxwell> likewise it would be useful to join coinjoins. e.g. if you had a 1 BTC mix and a 0.5 btc mix going on, might as well make the final txn contain both of them. Maybe you'll get lucky and some change will be ambiguous.
02:43 < gmaxwell> And if the attacker is forced to the N^2 model (where people are paying people) then the entropy increases enormously.
02:44 < andytoshi> cool, this all sounds good
02:45 < andytoshi> i'll spend some time trying to compute this entropy
02:45 < andytoshi> maybe i can compute the entropy of output values, and say "the highest-entropy output is XXX" rather than "the most popular output is XXX"
02:46 < andytoshi> i'm not sure if there's a good way to define such a thing..
02:46 < gmaxwell> hm. I wonder what the entropy impact is if you limit the aux matrix to a maximum column L_0 norm of 2. uhh. like "You can pay yourself and at most one other party", or further "optionally yourself and optionally one other party, and if you are paying that other party, that other party pays no one else"
02:46 < andytoshi> it'd be awesome if i could make the transaction entropy be the sum of the output values' entropy
02:47 < andytoshi> my guess is, it'd reduce the attacker's search space from N^2 to 2N
02:47 < andytoshi> or somethin
02:47 < andytoshi> something drastic*
02:48 < gmaxwell> e.g. a realistic use of the non-admissible coinjoins is one where at most half the participants are each paying up to one additional other participant (who isn't paying anyone but themselves)
02:49 < gmaxwell> I guess one interesting thing when you allow payments is, in fact, that you add up to 'outputs' worth of 'shadow' inputs that provide 0 in.
02:49 < andytoshi> yeah, my guess is that this would be the most common case, after admissible coinjoins, by -far-
02:50 < gmaxwell> well it generalizes all transactions too..  e.g. a regular payment to you with change fits this model now.
02:50 < andytoshi> oh yeah
02:52 < gmaxwell> in any case, a whole bunch of neat papers could come out of this, but I think so long as coinjoins are more academic than reality any attacker will just go "lets assume that never happens and we'll sort it out if we do ever find a case where it did"
02:52 < andytoshi> agreed, for now i will compute the entropy assuming no funny business
02:53 < andytoshi> link to a short document explaining the calculation and how to do funny business which makes the tx safer than claimed
02:57 < gmaxwell> BlueMatt: will the pulltester still run if I close a pull?
03:10 < BlueMatt> gmaxwell: no
03:12 < gmaxwell> BlueMatt: seeing things like this pass is always not a happy moment:
03:12 < gmaxwell> but as expected since regtest overrides.
03:13 < gmaxwell> but ... reasons I don't love regtest being a separate mode
03:15 < BlueMatt> true, though pull-tester is designed to test subtle bugs, not head-smacking bugs
03:16 < BlueMatt> it fails at both, but still
03:18 < gmaxwell> Ideally we should be able to test pulltester by inserting head-smacking bugs though, and making sure that every possible headsmacking bug we can think to insert fails... (The reason being that headsmacking bugs are easy to insert and be sure that they're actually bugs and not equally okay changes)
03:18 < BlueMatt> agreed
03:18 < BlueMatt> feel free to code it :p
03:37 < sipa> dang:
03:39 < warren> sipa: we need someone to actually write the clonecoin generator that we all threatened to write.
03:39 < sipa> yeah
03:39 < warren> option: Set exchange bribe amount [minimum 100 BTC]
03:40 < warren> checkboxes for various bad ideas
03:49 < warren> sipa: would others fund this? I can get one of my students to do this.
03:49 < warren> I can throw in some money.
03:50 < gmaxwell> heck, if done right (costs a small bitcoin payment to make it build) it can be revenue producing.
03:50 < warren> hahah
03:51 < warren> don't release source for the generator.  make it a web app that outputs everything.
03:51 < gmaxwell> oh absolutely.
03:51 < gmaxwell> heck, you could even charge more to get source out with your binaries (take care not to violate the LGPL, it needs to be relinkable) :P
03:52 < warren> checkbox: "Steal sunnyking's proprietary source for centralized broadcast checkpoints. Will he sue?"
03:52 < warren> haha
03:54 < gmaxwell> [ ] set your own alert key [....]  {+.1 BTC}
03:56 < midnightmagic> lol
03:56 < midnightmagic> that would be so much win
03:56 < midnightmagic> + seednode code generator
03:56 < gmaxwell> yea, it needs to also provide a standalone miner and pool setup. which is kinda a pita.
03:57 < gmaxwell> the miner isn't so bad so long as it uses sha256 / scrypt / primecoin   but the pool setup is more of a pain.
16:18 < gmaxwell> let y = x as uint works in rust. I'm not sure why you would do let y: uint = x as uint; .. but I don't know that much about rust and haven't written anything other than total toys in it.
16:19 < HM> well i pulled the example from the tutorial on the site
16:19 < gmaxwell> HM: it's very likely that each of these things has a reason that someone considers good... or if you really believe they don't then hell: post to the list! they are still _actively_ changing the syntax in a way that breaks code. And if crap like that is actual oversight then they would fix it.
16:20 < HM> Nah
16:21 < HM> It's too established to change now
16:21 < HM> that's the style they've chosen
16:21 < gmaxwell> If nothing else they should write a FWTFS that explains these things that apparently offend some on first blush.
16:21 < HM> I'm not talking about quirks, i dislike the overall style
16:23 < gmaxwell> well, many of the things you've complained about here are outright quirks, and I know some are well justified, e.g. the function syntax prevents type ambiguity and the AA BB(CC) problem.
16:24 < HM> ok
16:24 < HM> riddle me this
16:25 < HM> if the Rust function declaration syntax looks a lot like a C++11 lambda
16:25 < HM> why does the Rust closure syntax look completely different?
16:26 < HM> I guess because "fn" is an abbreviation for "function name"
16:26 < HM> seems more like a hint to the compiler than to make it more readable for the programmer
16:27 < HM> let square = |x: int| -> uint { x * x as uint };
16:27 < HM> i would probably expect this to be
16:28 < HM> they use the ||'s for the for each syntax
16:28 < HM> it's just weird
16:29  * HM goes to watch GoT
16:33 < HM> apologies for flooding :S
--- Log closed Tue Apr 09 00:00:18 2013
--- Log opened Tue Apr 09 00:00:18 2013
--- Log opened Tue Apr 09 03:13:39 2013
08:28 < HM> Just gone through a paper gmaxwell posted on bitcointalk
08:29 < HM> double blinded ECC signatures - 2010 paper by some folks at Tunghai University
08:29 < HM> i'm glad to say I followed all the algebra
08:30 < HM> it's very cool
08:33 < HM> one of the few papers i read where too much algebraic detail made it harder to follow. kept expanding terms instead of grouping them :S
09:12 < HM> hmm
09:12 < HM> this scheme doesn't prevent collusion between requester and signer
09:20 < HM> also if the signer ever sees a copy of the message it can use its database to discover who requested the signature
09:30 < HM> unless I'm mistaken Chaum's "BLIND SIGNATURES FOR UNTRACEABLE PAYMENTS" proposal doesn't protect you against collusion between payer and signer either
09:31 < HM> "Wei Dai" has a proposal that prevents collusion, but a third party can't verify tokens
09:31 < HM> I haven't seen a scheme that prevents both collusion and allows 3rd party verification
10:26 < gmaxwell> HM: for some protocols you can just have ALL of the participants blind sign.
10:26 < gmaxwell> e.g. for a vote.
10:29 < HM> i'm obviously thinking about digital cash
10:30 < HM> the simplest scheme i've seen has the issuer multiply a random point on a curve by their private key, for a fee. That's easy to blind but a payee can't verify the 'signature' (not really a signature) is legit
10:32 < HM> the 2010 paper you linked to on bitcointalk from Tunghai uni allows that but the signer can never be allowed to see the message again or they can figure out who asked for it to be signed.. and of course to verify the signature you need the message (or a hash of it)
10:33 < HM> so the question, how do you create a signature a 3rd party can verify but you can be sure hasn't been watermarked?
22:03 < warren> jgarzik: gmaxwell: Litecoin-0.8 might easily cut down its UTXO set from the week of spam in November 2011 because the attacker used the same addresses repeatedly. Just declare all those addresses unspendable.
22:04 < warren> (yes, there is no similar simple solution for bitcoin)
22:09 < gmaxwell> warren: uh didn't the litecoin attacker send 1e-8 litecoin to like every litecoin address?
22:13 < warren> gmaxwell: perhaps in a different part of the attack, I will find out.  I will scan it thoroughly to make sure declared unspendable UTXO are the right ones.  there appear to be a great many that are concentrated in a small number of addresses now.
22:15 < gmaxwell> warren: if you're going to do that in litecoin, why not add utxo aging?
22:15 < warren> gmaxwell: is that written anywhere?
22:15 < amiller> add a utxo rental price
22:15 < amiller> when the parking meter runs out of time, kick out the utxo
22:16 < warren> amiller: more like a purchase price, which I've been suggesting for weeks now.
22:16 < warren> oh ... time limit, I like it.
22:16 < gmaxwell> warren: meh, it's not a purchase price if you can't redeem it.
22:16 < amiller> rental vs purchase
22:16 < warren> I see, rental.
22:16 < amiller> also like a parking meter, you (anyone) can put more coins in
22:16 < amiller> to keep it around longer
22:16 < warren> by spending it
22:16 < amiller> you can have a bitcoin parking meter fairy
22:16 < amiller> that fixes other peoples coins that are about to expire
22:16 < warren> uh
22:17 < gmaxwell> amiller is on the moon right now, leave a message after the beep
22:17 < amiller> just follow your nose starting at 'rental price' and you'll get mostly good ideas.
22:18 < warren> Everyone has to reindex with 0.8.x anyway.  a tiny proportion of those users will have 1e-8 disappear
22:19 < gmaxwell> warren: and then one of those gets spent and the network forks forever.
22:19 < warren> gmaxwell: the network is hardforking anyway
22:19 < gmaxwell> For what?
22:19 < gmaxwell> warren: in any case, it's stupid to solve it one time,
22:19 < warren> (mainly because they don't understand that an immediate fork isn't needed)
22:19 < amiller> people hate the idea of their bitcoins getting forgotten, or getting 'inflated' by demurrage but they'll come around to the idea of safety deposit boxes - those are reasonable
22:20 < gmaxwell> And the, as I illuded to in #bitcoin people involved in the project will have a weaker position when some authority _orders_ them to edit the utxo set in the future.
22:20 < gmaxwell> alluded*
22:21 < warren> It's an agnostic UTXO change.  If txo < tiny number, just declare it gone.
22:22 < gmaxwell> warren: so generalize that and say a UTXO lives for 51840*ceil(log10(value)) blocks or something like that.
22:22 < warren> rather: If txo < tiny number prior to block X, just declare it gone.  When <mumble>coin is worth $10 million dollars each in the future it will be usable again.
22:23 < gmaxwell> uh. then all nodes still have to retain the data forever
22:23 < warren> at least it won't be in the UTXO set?
22:25 < amiller> how about when the 'value' changes, then previous utxos are credited proportionally for their time
22:26 < warren> gmaxwell: This might not be needed anyway, literally all of the litecoin spam is in a week during November 2011.  I suspect the simplest and least risky plan is just to figure out which addresses concentrate the most spam UTXO and just eject that.
22:26 < warren> (scanning to be damn sure it affects nobody else)
22:27 < gmaxwell> warren: so you do that and then shortly there after someone just floods you again.
22:28 < warren> gmaxwell: they're welcome to pay the ridiculously high fees
22:28 < gmaxwell> Hell, it would be worth doing that just to make you feel stupid. :P
22:28 < warren> litecoin has two fees, a regular high fee, and an added fee for dust values
22:30  * warren still doesn't have <any>coins.  This is just interesting to think about.
23:03 < gmaxwell> So P2SH^2 am I awesome or what? Best idea I've had all month.
23:14 < BlueMatt> is it really worth implementing though?
23:17 < gmaxwell> I .. think! so.
--- Log closed Wed Apr 10 00:00:06 2013
--- Log opened Wed Apr 10 00:00:06 2013
02:14 < warren> gmaxwell: the super high fees are not an adequate deterrent?  (genuinely confused)
08:28 < HM> Bitcoin's Law: when hashing doesn't solve your technical problem, you're not hashing hard enough
13:38 < warren> HM: I'm running the hamster wheel as hard as I can.
14:17 < HM> warren: ?
14:17 < warren> <HM> [02:28:38] Bitcoin's Law: when hashing doesn't solve your technical problem, you're not hashing hard enough
14:18 < HM> oh right
14:38 < warren> gmaxwell: how do I obtain voice in -otc?
14:38 < gmaxwell> warren: ask gribble to voice you
14:39 < warren> <gribble> Error: You don't have the #bitcoin-otc,voice capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:41 < gmaxwell> be sure that you are identified
14:42 < warren> I did
14:42 < warren> ;;everify right?
14:42 < gmaxwell> Yes.
14:42 < warren> yes, verified
14:43 < warren> assuming ";;voice #bitcoin-otc warren" is the right command
14:44 < gmaxwell> no, ;;voiceme
14:44 < gmaxwell> IIRC
14:44 < gmaxwell> voice is to voice other people.
14:45 < warren> ah, thanks
16:53 < warren> during the panic "/mode +q $~a" was quite useful.
16:54 < warren> Mute everyone who isn't logged into nickserv.
17:55 < gmaxwell> well any method that stops people from talking lowers volume...
17:57 < gmaxwell> Though I boggle that people who'd been in the channel for an hour were still "SELL SELL SELL" as I was kicking people at a rate of about 0.5-1 per _second_ for doing that crap, I really do wonder if some of these people aren't bots.
18:05 < warren> One guy in the channel was encouraging people to change to a safer currency like Terracoin.
18:06  * warren facepalm
18:12 < gmaxwell> I am hans and this is frans and we are here to PUMP YOU UP.
23:28 < jrmithdobbs> does anyone have any idea how to get a CVE reserved for something not in debian or redhat?
23:28 < jrmithdobbs> I emailed this morning but no response
23:34 < warren> jrmithdobbs: it isn't in Fedora either?
23:34 < jrmithdobbs> nope
17:10 < adam3us> gavinandresen: "but my lesson learned was "don't mine"" yeah I wasn't expecting to get much more than recoup cost out of it, but I for one missed the GPU mining fun era completely - despite receiving email from satoshi in sep 2008 and feb 2009 saying go check out the client, so this is my variant of that
17:11 < gmaxwell> Mining has done well for me. ::shrugs::
17:12 < gavinandresen> adam3us: if it is any consolation, I did the math in 2010 and found it was less expensive to buy bitcoins than mine on my CPU.
17:12 < sipa> i think i profited moderately from both gpu and asics
17:13 < sipa> though never large scale
17:13 < sipa> and now i've stopped
17:13 < gmaxwell> wuss. :P
17:14 < adam3us> yes so it's just an amusing thing to try, mining, and if I slightly help decentralization so it's fine to just leave it on at elec break even
17:15 < gmaxwell> even at break even, it's a nice highly anonymous way to buy coins from the power company, assuming you have the hardware. :P
17:16 < adam3us> gmaxwell: well in fact i was thinking you might earn enough to pay fees on hidden (aka committed) tx which are perfectly unlinkable ;)
17:16 < gmaxwell> though it's still nowhere near break even now..  at current diff and $350 exchange your power would have to cost $1.1578/kwh to make avalons merely break even for power costs.
17:17 < phantomcircuit> gmaxwell, assuming what daily increase in network hash rate?
17:17 < adam3us> gmaxwell: that was partly why i was thinking it'd be interesting to have lower gpu self-mine without pools ie some kind of part-block payout
17:17 < gmaxwell> phantomcircuit: thats _right now_. I mean, I can turn them off in under a minute...
17:17 < phantomcircuit> gmaxwell, right
17:18 < phantomcircuit> you've already made capital costs right?
17:18 < gmaxwell> phantomcircuit: yea, they paid back their initial price in usd on the third day, and the initial price in bitcoin in about 2 weeks.
17:19 < phantomcircuit> gmaxwell, yeah people buying now are going to have a much harder time doing that
17:19 < phantomcircuit> even if you can get delivery tomorrow
17:19 < gmaxwell> indeed, people ask me if they should buy mining hardware and I dunno, the future is hard to predict.
17:19 < gmaxwell> There are optimistic predictions which are nuts, and pessimistic predictions which are slightly less nuts but still nuts. The truth, who knows?
17:20 < MC1984> you'd have had to have junked them by now if the price didn't keep skyrocketing
17:20 < adam3us> right - i guess if its cheaper to buy coins just buy coins however
17:20 < phantomcircuit> yeah i mean the knc boxes are entirely sold out i think for months
17:20 < gmaxwell> MC1984: they'd still be profitable over power costs at $100/btc, though not very much.
17:21 < adam3us> so i wonder - if the supply problems with asics do finally get resolved
17:21 < adam3us> difficulty will spike, and profitability will sink to electricity cost
17:21 < gmaxwell> adam3us: I dunno miners are different now than in the past, in the gpu days when my (at 6.5cts/kwh power) operation was 2:1 return on power cost hashrate was dropping.
17:21 < MC1984> gmaxwell, i think that just goes to show how ridiculously stinking profitable they were at the beginning
17:22 < adam3us> wonder if that will cause miners to switch off, or bitcoin exchange rate to go up
17:22 < gmaxwell> MC1984: there was a guy who had a chart showing how much money a batch 1 avalon has made, I'm glad he's taken it down.
17:22 < adam3us> (switch off and stop buying more)
17:23 < gmaxwell> adam3us: well, I'm planning on moving my avalons someplace where the power is cheaper.
17:23 < adam3us> see there are two parameters to network hash rate: speed/energy efficiency per unit, and availability of units, seems like the asic so far have improved the speed a lot, but the availability is thin
17:24 < gmaxwell> adam3us: availability has always been ~0 when the profitability has been high.
17:25 < MC1984> gonna put your boxes into hosting?
17:25 < adam3us> gmaxwell: in theory more availability is good for decentralization (now the litecoin argument) and the counter-argument was sha256 is easy lots of people will make them
17:26 < adam3us> gmaxwell: not happening that well so far, though i live in hope
17:26 < gmaxwell> it has been happening, but the demand is pretty awesome when the devices are spitting out a ton of coin...
17:26 < MC1984> havent heard a peep out of asicminer for ages though
17:26 < MC1984> i bet they are hiding their power level
17:30 < gmaxwell> if they're not crazy they've sold their first gen hardware to other suckers^wpeople by now... but who knows.
17:30 < gmaxwell> That whole model was really crappy. I mean, good for them at suckering people to finance them but .. ::shrugs::
17:30 < MC1984> the pie charts says 1%
17:30 < MC1984> and a nice chunk of unknown too
17:31 < MC1984> im actually more pleased that p2pool is holding at 1%
17:31 < MC1984> its not quite oblivion
17:32 < gmaxwell> p2pool is pretty much where its always been. it sagged a bit when the avalons didn't initially work on it..
17:32 < maaku> MC1984: as long as its not decreasing
17:33 < MC1984> i wonder if that more or less represents a percentage of people who give a shit about mining consolidation
17:33 < MC1984> whats the ratio for altruists to stop a system turning to poop?
17:33 < gmaxwell> MC1984: or more like some mixture of that and paranoid about pool op theft,  and who are willing to go through the trouble.
17:34 < MC1984> hm yeah
17:34 < MC1984> its not too much trouble though. i set up a p2pool node once
17:34 < MC1984> i just didnt have anything to mine against it
17:35 < adam3us> why doesnt everyone p2pool?
17:36 < gmaxwell> Some number of people are convinced that all the pool operators are thieves... e.g. cypherdoc on the forums. He claims to solo-mine, though based on his comments I would be a little surprised if it were true.
17:36 < gmaxwell> so you don't have to care about decentralization to prefer to not use the centralized pools.
17:36 < MC1984> they could be thieves
17:36 < gmaxwell> they could be, in fact I'm sure some have been.
17:36 < gmaxwell> but you can't tell.
17:37 < MC1984> why so much trust around still
17:37 < maaku> adam3us: it's a hog, you can lose more than the average pool fee on a high-latency connection, variance is super-high, etc.
17:37 < adam3us> help centralization, spread rumors about miners
17:37 < MC1984> some pool ops have been straight guys though
17:37 < adam3us> decentralization i meant
17:37 < midnightmagic> maaku: Mm..  that's not quite true.
17:38 < gmaxwell> For some definition of high, though you also lose pool income on high latency connections too.
17:38 < gmaxwell> though p2pool somewhat more.
17:38 < midnightmagic> adam3us: The statistics as shown make it easier to infer that p2pool is *wasting* mining effort up to 16% or so.
17:38 < gmaxwell> Which isn't the case, but that doesn't stop people from claiming it.
17:38 < maaku> midnightmagic: it's my experience running a p2pool node.. although I haven't synced with forestv's sources in some months
17:39 < gmaxwell> maaku: the time between shares was upped to 30 seconds, which greatly reduced the latency dependence. its still higher, but this isn't entirely bad.
17:39 < maaku> it was much worse under 10s shares (it's now 30s right?)
17:39 < maaku> yeah
17:39 < midnightmagic> adam3us: It requires local knowledge and setup and maintenance of a bitcoind, and a p2pool instance running on either the same machine or another one. I suspect it's mostly just misunderstandings that people don't want to clear up, and the fact that it's got a 15-hour block turnaround time.
17:40 < midnightmagic> there was a spike a few times where the orphan rate just shot right up like crazy with a huge influx of hashrate. I don't know what was going on there. It looked as though someone was trying to mine with something big and gave up on it.
17:40 < amiller> i've been thinking about mining and asics and for the moment, equipment costs totally dominate power costs
17:40 < adam3us> as i recall i tried it once and it was like really nothing, just p2pool instead of eligius
17:40 < gmaxwell> P2Pool has roughly 1/10th the orphaning rate of eligius, for example. ... why? beyond the relaying advantages, ... it makes miners fix their latency (or drives away slow miners)
17:41 < adam3us> and my reaction was woah why doesnt everyone do that!
17:41 < amiller> but we also aren't at the full curve of the chip development cycle, the 65nm chips are coming out now, but once we get to like 20 or whatever intel does, it totally levels off and then there's going to be hardly anymore improvement in hashes per second per dollar-spent-on-chips
17:42 < gmaxwell> adam3us: if you're already running bitcoin-qt / bitcoind and have a reasonable host.. it's easy.  Otherwise, its actually a lot of work.  People show up in #p2pool "halp on my atom with drum memory I get 60% efficiency!"
17:42 < maaku> lol drum memory
17:42 < gmaxwell> amiller: well, KNC is 28nm but its using structured asic.
17:42 < MC1984> structured?
17:42 < sipa> aka glorified fpga
17:43 < amiller> structured cell arrays are sort of gateway asic, much cheaper than fpga, but still sort of general purpose and less efficient than standard cell array
17:43 < gmaxwell> yea, it's in between a hardcopy fpga and a real asic.
17:43 < MC1984> whats the point of that
17:43 < gmaxwell> lower upfront costs, potentially faster time to market.
17:43 < gmaxwell> The downside is higher marginal costs (per hashrate ... but this is actually really low in any case) and higher power consumption.
17:44 < MC1984> i suppose right now the time to market thing makes it worth it
17:45 < MC1984> whats that nifty stat about how long it would take current hashrate to recreate the whole chain
17:45 < MC1984> i bet its down to like a week now
13:30 < petertodd> sipa: like, imagine if the payment protocol is widely deployed, and merchants use out-of-band payments extensively to get their zero-fee payments from their customers mined: p2pool wouldn't be able to earn fees at all
13:31 < adam3us> petertodd, sipa: i was noticing when playing with committed transactions, that you dont need to send the values, nor recipients to the miners; only a commitment to them (hash) and a commitment to the senders address
13:31 < petertodd> sipa: I've got what appears to be a pretty good way to do decentralized out-of-band payments though, but it's way more complex than the centralized way :(
13:31 < amiller> jgarzik, uh, well i'm not exactly sure i understand what you mean by oracles / agents there
13:32 < amiller> jgarzik, i guess you just mean semi-trusted parties that aren't the end-users who the protocol actually benefits, but like a server with limited capabilities
13:32 < adam3us> petertodd, sipa: reduces attacks if the miners know as little as possible about what is going on
13:32 < jgarzik> amiller, pretty much
13:34 < amiller> i still feel like calling them autonomous agents or oracles is misleading language that deliberately conveys some kind of additional trustworthiness that isn't warranted
13:34 < amiller> </monthlyscheduledrant>
13:34 < petertodd> adam3us: ooh, reminds me re: committed txs: I've got an idea where you'd make transactions have commitments of previous ones with a merkle-mountain-range-like scheme so you could efficiently reference any previous transaction up to the genesis block. This is easiest to understand if transactions can only have linear history, but a dag history is doable too. Anyway, wallet software would receive that history to know the coins are valid, thus pushing validation directly to the users. Obviously some way of pruning that history is important, SCIP is heavy-weight and complex but could work.
13:35 < sipa> thus pushing v[...]
13:35 < petertodd> adam3us: yes, but nothing other than inertia prevents miners from demanding that users reveal enough info to let them know what transactions actually are; again, it's easy to imagine governments regulating mining pools and forcing them to do this.
13:37 < petertodd> adam3us: you really need to keep it possible to mine by small parties to keep that balance towards decentralization - helps the larger pools resist regulation too if they can point out that the smaller miners that can't easily be regulated will just out-compete them if the government forces the larger ones to do things like 51% attack the non-censoring miners
13:37 < petertodd> *government tries to force
13:38 < adam3us> petertodd: it reduces bandwidth if you can send commitments only to the block chain, because ok to send previous tx history back to the last snapshot (or to genesis) is a bit of a privacy leak, its still better than now; and its more efficient to send that to each recipient than broadcast it to everyone
13:38 < adam3us> petertodd: yep, that was exactly the motivation for committed tx - users can yank a 51% miners chain causing him to lose money all day long
13:38 < petertodd> adam3us: yup, commitments with compact proofs of any part of the previous tx history are one form of sharding validation effort.
13:39  * petertodd needs to come up with a good directed acyclic graph version of merkle mountain ranges
13:41 < petertodd> adam3us: wait, explain to me how users "yank a 51% miners chain"?
13:41 < adam3us> petertodd: y'know with homomorphic encrypted values & committed transactions combined, at least the privacy invasion of the full tx history revealed to each recipient is less - you dont see how much money each user has
13:41 < petertodd> adam3us: good point
13:41 < adam3us> petertodd: ah so lets see how did that go, ah yes so you want to make a payment and you're wikileaks (canonical example of unpopular extra-legal blocking)
13:42 < adam3us> petertodd: so you make your payment, wait a few blocks, reveal it; now the 51% miner has to discard 2 blocks of profit and compete against himself; rinse & repeat
13:43 < petertodd> right, and my point is always the government response is to target public bitcoin users and first demand that even though the system is private, they use this new modification of the bitcoin protocol that also sends enough information along-side a transaction to always reveal the contents
13:43 < adam3us> petertodd: that assumes you ever reveal the tx to the network, you could let them circulate in committed form in which case no one not in the tx history knows who paid who
13:44 < amiller> adam3us, suppose you had arbitrary zero knowledge and two party computation or whatever
13:44 < amiller> can we come up with an idealized definition for a private public ledger?
13:44 < amiller> i've been trying to think of a good way to explain this, regardless of the actual implementation efficiency
13:44 < petertodd> then you start getting the pools you can control to apply preferential treatment to non-anonymous transactions, for instance you only mine ones like that, but still extend blocks otherwise. rinse and repeat, until you get to the point where the pools can do direct 51% attacks on the ones that don't.
13:44 < amiller> no one should need to know anyone's transaction balances
13:44 < adam3us> petertodd: well its not that private in the sense that anyone in the payment chain can reveal stuff that came before, so they are free to make a subpoena, most random merchants and users have no incentive to protect privacy of an actual crime with victims
13:44 < petertodd> it's only the inability of government to control at least 50% of the hashing power that prevents that stuff
13:44 < amiller> a transaction between two people should change their balances in a way that both know, but neither should learn the balances of the other
13:45 < amiller> but everyone should learn the transaction is valid
13:45 < amiller> can you do that even abstractly?
13:45 < petertodd> adam3us: yup. the unhiding data could be done by requiring it to be broadcast encrypted to a government controlled pubkey
13:46 < petertodd> adam3us: "Nothing to fear! You're tx's are private unless a court-order is served and the priv-key is used to decrypt them."
13:46 < adam3us> amiller: maybe zerocoin with homomorphic values? (with fixed value is stupidly inefficient send 1,000,000 1c coins to send $10k?)
13:46 < amiller> btw there's a fully open source alternative to pinocchio/tinyram out
13:46 < adam3us> petertodd: screw that :)
13:47 < amiller> adam3us, well homomorphic values isn't enough i don't think
13:47 < amiller> because homomorphic encryption uses a single key
13:47 < adam3us> petertodd: we see where that ends, a priori wire tap and data fishing on everyone on the planet in utah; even the EU right now voted to block SWIFT data sharing
13:48 < petertodd> adam3us: yes, but the only thing stopping it is that it's possible to mine outside of government control! Reality is with the current system, even with TXO commitments and fraud proofs, at some point a large blocksize will lead to that scenario.
13:48 < amiller> perhaps if i want to send you some money and we want to prove it's valid to everyone else but we don't want to reveal our balances to each other, we could use a two-party computation that computes the homomorphic function or something
13:48 < adam3us> amiller: yes you can do that (encrypted values add up, without learning other balance) see thread on homomorphic value using Schoenmakers range proof
13:49 < adam3us> amiller: it works because there are two values in a Pedersen commitment c1 = v1*G + x1*H
13:49 < adam3us> v1 is the value, x1 is a key that is not revealed
13:49 < adam3us> amiller: no one knows DL(G,H)
13:50 < adam3us>
13:51 < petertodd> adam3us: so how much larger would transactions be with this homomorphic stuff?
13:51 < adam3us> its not really encrypted as such, just committed in an extended-Schnorr provable form (bi DH form)
13:51 < adam3us> petertodd: well like I said on the thread best I got so far was 1K-2K per value depending on the precision of the coin value
13:52 < amiller> i still don't see how you get the range proof
13:52 < petertodd> petertodd: ok, so that's 1K-2K per txout then basically right? is that linear with the number of txouts?
13:52 < amiller> but i'll read more and try to understand it
13:52 < petertodd> does it handle any combination of # of txins and # of txouts?
13:53 < adam3us> its 3+2m values where m is the number of bits of mantissa (precision) of the bitcoin value and a value is 256-bit/32-byte
13:53 < petertodd> (although I guess you could use a merkle-sum-tree to combine txin values and split txout values)
13:53 < adam3us> so I suggested eg 20-bits (1665bytes) or 27-bits 2016bytes
13:54 < amiller> ok so you do a range proof with roughly one value per bit
13:54 < adam3us> petertodd: amusingly i think you could even validate the entire ledger, add it all up and check it comes to however many coins issued so far
13:54 < adam3us> amiller: yes
13:54 < amiller> how do you communicate the value transferred to the other party?
13:54 < adam3us> no 2 values
13:55 < adam3us> 3+2m
13:55 < adam3us> just tell them
13:56 < adam3us> amiller: out-of-band or encrypted to public key if using the block as a store-and-forward channel
13:56 < amiller> okay
13:56 < adam3us> amiller: the fee is public, rest homomorphic
13:56 < amiller> (i apologize i have a hard time parsing all your posts but i think the idea works out)
13:57 < adam3us> amiller: well actually you can mix encrypted & clear values
13:57 < amiller> the pedersen commitments are only homomorphic with respect to addition aren't they
13:57 < adam3us> amiller: eg if you want to hide the value of your balance, but dont care much to hide the actual payment amount
03:48 < gmaxwell> And likewise, scorched earth is only applicable for things where the reciever would be pissed about an unconfirmed doublespend.
03:48 < gmaxwell> Its not unsolvable, but its an unfortunate complication.
03:48 < petertodd> gmaxwell: yeah, I wrote on the forum about how the payment protocol re: coinjoin should work where you actually give the merchant a non-coinjoin, and coinjoin, version of the tx
03:49 < gmaxwell> it makes me think that perhaps there really should be a signal which says "I swear on my mothers grave that I will not doublespend this transaction {within x time}"
03:49 < gmaxwell> since there are plenty of cases where doublespends are totally legit, and you don't want unconfirmed acceptance in any case.
03:50 < gmaxwell> and also cases where you want unconfirmed acceptance and any doublespend is fraud.
03:50 < petertodd> heh, well, like I say, you give the merchant the non-CJ version, the CJ version, and heck, in some cases even more versions because you've done multiple payments in a row and don't know what will get mined
03:50 < gmaxwell> and its only in the latter where scorched earth is the right strategy.
03:50 < gmaxwell> sure.
03:51 < petertodd> thing is, scorched earth has even more requirements, because the sending tx has to be basically minimal size, so that the sender can't double-spend it with a *smaller* tx
03:56 < Luke-Jr> do C++ or boost have a key-only map type?
03:56 < petertodd> Luke-Jr: you mean a set?
03:56 < Luke-Jr> maybe
03:57 < Luke-Jr> unordered set?
03:57 < petertodd> could be? not familiar with boost
03:58 < Luke-Jr> petertodd: looks like these are both standard C++, thanks
03:58 < Luke-Jr> although.. C++11
04:01 < gmaxwell> Luke-Jr: we use stl sets in various places in the codebase.
04:01 < Luke-Jr> but not unordered
04:01 < petertodd> Luke-Jr: does it matter?
04:01 < Luke-Jr> shrug
04:01 < Luke-Jr> I'll use unordered and see if anyone complains XD
04:02 < petertodd> behind the scenes sets get implemented in an ordered fashion often
04:03 < gmaxwell> Luke-Jr: ordered is fine here, they're not in insertion order, they're in whatever search order (based on the comparator of the underlying type) the datastructure needs to make lookups fast.
04:04 < Luke-Jr> I guess I assume std::set is going to be slower than std::unordered_set..
04:04 < petertodd> Luke-Jr: often enough it's all trees behind the scenes anyway...
04:05 < petertodd> Luke-Jr: with C++ that's quite likely because there's no obj.__hash__() like in Python
04:06 < gmaxwell> petertodd: there is actually a generic hash template thing.
04:06 < gmaxwell> petertodd: and I think the unordered set template needs it to work on your type.
04:07 < petertodd> gmaxwell: oh cool, guess I'm wrong
04:19 < Luke-Jr> well, my compiler doesn't have it :<
04:20  * Luke-Jr can't wait for autoconf_pt3 to get merged so the warning on every compile goes away
05:06 < adam3us> y'know the aim of bytemaster birthday hash is amusing - i briefly looked at it in 1997 for hashcash, i actually started my thought process by looking at birthday hashes, but that lasted all of 10min :); it is not progress free so can't fairly be used in a first past the post race
05:07 < adam3us> (his aim is to have fast verify (3 hashes, though he could've easily done it with 2) and yet memory hardness - however he has killed progress freedom, and other more simple issues)
05:09 < adam3us> so its not quite true that it doesnt achieve anything that scrypt does - it achieves memoryless verification, however it has tmto with n^2 advantage, and progress so its broken
05:10 < adam3us> also because of the n^2 advantage custom hardware could dominate it way worse than asic, triple fail :)
05:10 < gmaxwell> adam3us: Their earlier stuff was not a collision problem, I wasn't aware that they switched to that in their latest incarnation as their response on the first one I broke convinced me to never look at their stuff again.
05:11 < gmaxwell> and yea, we had a conversation about collisions for memory hardness in here before, and indeed the advantage for faster miners was brought up, also that you can eliminate the memory hardness with a tradeoff for more computation.
05:11 < adam3us> gmaxwell: someone mining pts got me to look at it
05:11 < adam3us> gmaxwell: yes the problem is the n^2 advantage for memory
05:12 < adam3us> gmaxwell: and the progress, and the tmto they mistakenly thought didnt exist
05:15 < adam3us> u can see it someone using 50 GHz cores (cores x ghz) got bday 180H/min, vs 30 Ghz cores got 50H/min -fast enough processor, for RAM
05:15 < sipa> adam3us: i cannot parse your last sentence
05:16 < adam3us> sipa: because its birthday attack, if your cpus can fill your RAM within the 5mins block interval, the more ram you have the more birthday hashrate n^2 to amount ofram
05:18 < adam3us> what its computing i think is H(cb, a) for random a, coinbase cb; where H finds a 26-bit hashcash (like bitcoin but small difficulty as a pre-screen)
05:18 < adam3us> then they store those values (h1,...h_n) = {H(cb,a),H(cb,b),...}
05:19 < adam3us> and look for 50bit birthday collisions on h_i values, (using a hashtable rather than memory scan)
05:20 < adam3us> finally for each H(cb,a)==H(cb,b) the test if H(cb,a,b) < target
05:21 < adam3us> (the code i found unreadable, the paper vague and stale... talking about scrypt and other ideas; its actually using hashcash-sha512-26 ie partial preimage with 26-bits of leading 0 using sha512 hash function)
05:21 < gmaxwell> adam3us: if you have super fast logic but gates for memory are costly you can also run near memoryless (like pollard rho w/ period finding), so if you really believe the argument that needing lots of memory is a great enhancement, well, not so much.
05:21 < adam3us> for the H function
05:22 < adam3us> gmaxwell: yes i agree - i said 3 problems, tmto (2 types actually), progress, and n^2 memory advantage
05:23 < gmaxwell> but besides that it's awesome!
05:23 < adam3us> the other tmto is to use a hashtable which is unreliable but more compact
05:23 < adam3us> gmaxwell: lets not mince words - its triply broken :)
05:23 < gmaxwell> I hadn't decoded tmto to time memory trade off for some reason.
05:24 < gmaxwell> I'm waiting for them to think you can use hamming distance instead of prefix matching to prevent that.
05:24 < adam3us> gmaxwell: but the usual cycle method doesnt work i think on partial birthday, only on full birthday, because the cycled finds are almost certainly of unrelated values
05:24 < gmaxwell> (you can't)
05:25 < gmaxwell> adam3us: sure it does, you just need a function that reads only from the partial chunk for the next step.
05:25 < gmaxwell> (whats even more awesome is you can make this work well for hamming distinct thresholds too... with some mild complication)
05:26 < adam3us> gmaxwell: i dont think so, some proposed the cycle method on the bitshares forum and it got shot down (not that they know much), but I dont think you can define a meaningful cycle
05:27 < adam3us> gmaxwell: he was forced to pay out his $5000 bounty to forum people, i held off saying anything :)
05:28 < adam3us> (mostly for the unreliable hashtable so it fits in gpu unit L2 cache)
05:28 < gmaxwell> well I haven't looked at their thing, but this does generally work for finding n-bit prefix matches in hash functions. There is a paper I like on it that also goes into the hamming threshold case.
05:30 < adam3us> gmaxwell: its possible i am wrong but what i am thinking is if you find cycle one of r_1, ... r_k, ... and another cycle r'_1,... r'_k the problem i see is that r_{k-1} is unrelated to r'_{k-1} and so on
05:30 < adam3us> (where r_k == r'_k)
05:34 < adam3us> the objective isnt stupid though - i thought of that too - to find an scrypt variant where you can verify without memory.  i believe its challenging without introducing progress
06:31 < adam3us> btw TD: something else wrong with uploading batches of deterministic addresses, they are uncertified.  the payment protocol certifies them, but with an SSL key in server memory.  Obvious attack point
06:35 < adam3us> TD: if the base address is static it can be certified by an offline X509 key, or simply verified with out of band static information
06:42 < TD> no
06:42 < TD> the payment protocol does not specify any kind of "server" or "client". whoever generates the payment request can sign it. SSL or not is irrelevant.
06:42 < TD> so if you have a private key, your wallet would just upload pre-signed payment requests
06:42 < TD> however most individuals do not have a certificate. so, i suspect we'll end up with a different PKI for end users.
06:42 < TD> (and to start with, none at all)
07:23 < adam3us> TD: i imagine any business web site accepting payments has an x509 cert (for SSL associated with the server domain), so if they bother to sign the payment requests, they would probably reuse the one they already have.  you are right though that they could sign it with an x509 email cert, or a sub-domain cert
07:23 < TD> yes, business websites don't need to batch upload anything. they can generate them on the fly with the ssl key indeed. sorry i thought we were still talking about personal usage
07:23 < adam3us> TD: but there may be expectation issues - surely the relying party should expect a signature from, not from
07:25 < adam3us> TD: yes.  i am not saying i have a solution, eg the bloombait so far seems to likely have issues but will see what it can do; however at requirements level mostly i am saying it would be nice if were static, then it could be on a business card, brochure, shop window, with zero possibility for web site hacking address redirection
07:26 < TD> people can have their wallets be compromised as well. then it's impossible to recover
07:26 < adam3us> TD: (because signing with the site SSL key is also vulnerable to address hacking)
07:26 < TD> if a web site gets hacked, it can be re-sealed
22:39 < amiller> i actually think that higher variance mining makes more sense here
22:39 < gmaxwell> GIGAVPS, asicminer, "cloud mining" are all examples of hosted mining, and there will be many more. Buzzdave (megabigpower) and BFL have their own hosted mining offerings, etc.
22:40 < amiller> a mining operation that has a lottery interface on one side to its clients and does bitcoin mining on its other would really want low variance
22:40 < amiller> because it could easily promise more money than it can afford to payout
22:40 < gmaxwell> Basically even though the current technical scaling factors strongly discourage big datacenter operations, there are social factors that encourage them.  "derp derp I'm too dumb to run a miner, but I have money and want to make profit mining!"
22:40 < gmaxwell> amiller: you can just make your customers take the mining risk.
22:41 < amiller> right
22:41 < amiller> so that's where the trapdoor thing comes in
22:41 < amiller> i should make it so that any attempt to tie a customer's outcome to the outcome of a particular attempt at mining on the chain
22:42 < HM> the startup risk is large, if you get no customers then you've invested a lot for buggar all
22:42 < amiller> involves a trapdoor that makes it really easy to obscure the actual probability distribution of the chain's payout
22:43 < gmaxwell> HM: sadly preorders in the bitcoin world are ubiquitous, asicminer was entirely funded by selling hundreds of thousands of dollars in shares on the bct forum. They then rigged it up so they'd continue to own a ~majority of the shares. used the funds they raised to fab asics.. and put them online.
22:43 < HM> heh
22:43 < gmaxwell> HM: a lot of the other hosted offerings leave it to the customers responsibility for the mining hardware to show up at their door. Once it's there they rack and stack and configure and start sending the user coins.
22:44 < gmaxwell> amiller: okay so your solution is basically to make it so that the hosting company can very easily hide their income, so they can steal from the miners.
22:44 < amiller> yes that's right
22:45 < gmaxwell> amiller: the challenge I see here is that the mining has an expected income, so the amount they can steal is bounded by that probability distribution model. I would also point out that _none_ of these services do any kind of proof at all that they aren't stealing, even though they could today, people don't ask for it.
22:45 < gmaxwell> E.g. ASICMINER could have easily built 50% more chips than they claim to have, and could be running them not as asicminer and no one would know.
22:46 < amiller> sure, i guess they only have shares
22:46 < amiller> my assumption is that a client pays a fixed price for a certain payoff distribution
22:46 < amiller> like i pay for 10 shares some fraction of them should win
22:46 < amiller> but suppose there is a high variance option
22:47 < amiller> like one out of every hundred blocks wins an extra large amount of bonus or something like that
22:47 < amiller> then you can steal that bonus without raising much suspicion
22:47 < amiller> because it happens very infrequently anyway
22:48 < gmaxwell> Yea, I mean you could send shares to the customers to prove that their device was trying to mine in a publicly validatable way. But no one asks for that today.  And yes, shares + high variance would make the miners secure against cheating. (make the shares frequent enough that if the host was stealing more than a tiny amount of work it would be obvious)
22:48 < amiller> i agree no one asks for that today, but they should, perhaps in the future they will
22:48 < gmaxwell> but okay I get the idea. So if there were big bonus blocks periodically... that were blinded.. then the users couldn't tell if they were being robbed.
22:48 < amiller> after people start implementing encryption correctly etc
22:49 < HM> Don't datacenters typically charge by the amp? or say 1 U = X amps and then charge mostly on power consumption?
22:49 < amiller> yeah that's the idea
22:49 < gmaxwell> amiller: I'm ... very concerned they won't. but thats an aside. We can't cure humanity, lets fix the technology at least.
22:50 < amiller> yeah. also etc etc it helps promote general confidence in cryptocurrency to have technical answers especially to the big questions, like, does rational behavior inevitably trend towards centralization, etc.
22:50 < amiller> even if the technical answers to that involve things that aren't even close to implemented yet
22:50 < gmaxwell> (in particular, miners could be using BFGminer with their centralized pools and BFGminer will prevent a pool from ever "eating its own tail": it will refuse to mine a fork against work the pool had it previously do. Totally kills a broad class of pool-op network attack. But basically no miners deploy bfg for this purpose (many use it but for other reasons))
22:51 < gmaxwell> amiller: a lot of users really have absolutely no clue about the security model, or they're wrong about it in frightening ways. E.g. they think that only the miners validate transactions, and that the miners can pay to whomever they want, however much they want.  E.g. a model where there would be no incentive alignment at all.
22:51 < gmaxwell> And I think this kind of misunderstanding is nearly the majority understanding or not too far from it. Yet they use bitcoin anyways because of, presumably, social proof.
22:52 < gmaxwell> (they also use other altcoins like ppcoin where the developer broadcasts checkpoints that select the network state)
22:52 < gmaxwell> (ppcoin is nominally POS but for "extra security" it has checkpoints broadcast in the network by its creator for ~every block which ultimately dominates the consensus)
22:54 < amiller> people also trust service providers unconditionally for all sorts of stuff
22:54 < HM> amiller, example?
22:54 < amiller> passwords in google docs?
22:55 < gmaxwell> right, part of the problem there is that you can get away with trusting paypal or ebay like that, they have conspicuous assets you can send to jail if they cheat and regulation. But people also trust $anonymous_pool_operator because they don't reason about why it's okay to trust ebay.
22:55 < amiller> sure, so i admit that this is a construction of theoretical interest mostly
22:55 < gmaxwell> worse, since even when everything is vulnerable attacks tend to be somewhat rare.... when the shit does hit the fan they blame the specifics rather than the general practices. but oh well.
22:56 < gmaxwell> yea, sorry for the tangent.
22:56 < gmaxwell> We can't fix the social problems unless there are technical solutions in any case.
22:56 < amiller> i agree with 100% of the content of the tangent
22:56 < amiller> but yeah
22:56 < gmaxwell> I just get a bit depressed because even where the technical solutions exist we're not using them yet.. if ever.
22:56 < HM> amiller, the kind of people who put passwords in google docs are likely ignorant of the risk
22:57 < HM> or dismissive of the consequences
22:57 < HM> i wouldn't call that trust
22:58 < amiller> HM the way i think of it is that everyone who ignorantly or whatever is willing to make themselves fully vulnerable to a cloud provider or whatever, i just assume they've already done so
22:58 < amiller> and i effectively treat that as one wealthy entity
22:59 < amiller> the thing to aim for is people who are making rational risk-aware decisions
22:59 < gmaxwell> HM: people leave large amounts of bitcoin in mywallet, which is protected only by the users password, which can be bruteforced by bc.i (or anyone with access to the user's email), at >10 million passwords per second per gpu (and there is no salt, so bc.i or their hacker could attack all customers at once)
22:59 < gmaxwell> and BC.i wallets could be stolen at login time by anyone who injects JS in the pages.
22:59 < amiller> who will take the offer if it's cheaper and they have a good guarantee, in particular regardless of the 'systemic' risk of centralization which affects bitcoin as a whole but doesn't make you earn less
22:59 < gmaxwell> And yet they have hundreds of thousands of users.
22:59 < HM> bc.i don't need to bruteforce the wallets
22:59 < HM> they can just take them
23:00 < gmaxwell> HM: BC.i is a bit misleading about the threat model there, because the private keys are "only in the browser" ... until they give you some JS injection and take them or attack the password.  I mention the password attacks because even if you believe their misleading claims the password stuff is upheld.
23:01 < HM> yes, it's the same with MEGA with files
23:01 < HM> but tangents...
23:01 < gmaxwell> I mean I can go on all day there is countless amounts of misplaced trust.
23:02 < HM> well that's why the financial system being full of systemic risk is a *good* thing
23:02 < HM> everyone knows when it reaaally gets bad, something will be done
23:03 < HM> and nobody cares if it's good as long as everybody suffers
23:04 < HM> if the majority of people use then the impact on Bitcoin as a whole if the entire site vanished would be so huge as to affect us all anyway
23:08 < HM> It's kinda like email. Gmail has something like half a billion monthly active gmail accounts
23:09 < HM> some people don't even realise that email is a decentralised thing anymore
23:09 < gmaxwell> it's not even decentralised so much anymore. if you host your own email you have major major problems with anti-spam filters.
23:10 < HM> right
23:10 < gmaxwell> a lot of corporations have been moving to having msft or google host their domains for this reason alone... the other savings are just a perk.
23:11 < gmaxwell> (amusingly, I understand that Mike Hearn may have some personal culpability in this outcome ... :P )
23:11  * sipa whistles
23:11 < HM> lol what?
23:12 < gmaxwell> another googler. Though I don't know that sipa works on anti-spam. :P
23:12 < HM> ah bitcoin and are both Gapps
12:54 < adam3us> petertodd: bitcoin already has a signing system, and a key to do the signing, i am just saying use it
12:55 < petertodd> adam3us: anything less means users who *don't* have any reason to dick around manually checking bullshit just because they want to buy a tee-shirt will end up with a less secure system
12:55 < petertodd> adam3us: and a signing system is useless without gobs of infrastructure
12:55 < adam3us> petertodd: the web app level is far less dangerous if the worst you can do is pay money to the wrong merchant address (as opposed to the attacker direct)
12:56 < petertodd> adam3us: huh? the attacker swaps out the addresses after cracking the site and steals a million bucks from 10,000 users
12:56 < adam3us> petertodd: i am not saying people who are buying t-shirts will care to check it
12:56 < petertodd> adam3us: right, which means you have to have that code in the trezor... so use it
12:56 < adam3us> petertodd: no because the addresses are signed, and users who bother to check, can see hey something is wrong with tshirtsrus
12:56 < petertodd> adam3us: paranoid level gets to have the PGP fingerprints displayed prominently
12:56 < adam3us> petertodd: their TOFU account number just changed??
12:57 < adam3us> petertodd: even a browser plugin handling payment requests could check that
12:57 < petertodd> adam3us: there is no difference between checking "signed addresses" and "CA fingerprint matches up", zero.
12:57 < adam3us> petertodd: you realize how tricky it is to get any sense out of pgp wot? latest version of gpg is all but unintelligible to me
12:58 < adam3us> petertodd: screw wot, i just mean a self-certified tofu hd wallet base key and expecting transaction numbers (one-use addresses) to be signed with it
12:58 < petertodd> adam3us: where did I say you'd be using WoT for this? most paranoid users would want to verify fingerprints with manual mechanisms, some could use WoT, but we're *much better* if we encourage an ecosystem that doesn't fragment things
12:59 < petertodd> adam3us: and like I keep saying, making it PGP lets you do useful things like have known ways to send your merchant an encrypted email
12:59 < petertodd> adam3us: you are *not* thinking about second order effects here
12:59 < adam3us> petertodd: i just think its more useful to the careful user to have a tofu account number to read off and compare. than a string of (to him) uncorrelated random one-use addresses - that tell him precisely nothing
13:00 < adam3us> petertodd: and the web level browser level and client machines are like swiss cheese and will get rampantly exploited
13:00 < petertodd> adam3us: yes, and using a PGP code-path for that use-case is better and encourages good practices across the board, rather than a bunch of highly specific shit that doesn't do anyone any good
13:00 < adam3us> petertodd: there are no second order effects - if you're buying t-shirts and you dont care dont look at the account number alright
13:01 < adam3us> petertodd: bullshit - how is throwing pgp at the poor user going to help anything
13:01 < petertodd> adam3us: damn right there is, now there's no transition path between low, medium, and high security, that's very bad
13:01 < adam3us> petertodd: so i think the low to medium level is done via payment request as is
13:02 < petertodd> adam3us: we want a system where the average user goes and gets the green CA-certified box saying "TeeShirt Company", then when they become a distributor of said company is told "Hey, go check that the fingerprint matched up ok? Just to be safe." now you've gone from low to high security seamlessly.
13:02 < adam3us> petertodd: problem is if the server is compromised someone can undetectably to users swap out the pool of one-use addresses
13:02 < gmaxwell> petertodd: so what we need to do is introduce the things pgp lacks to pgp and to fix it, rather than go off separately or pretend that pgp as is .. is a solution.
13:02 < petertodd> adam3us: No, as I said before, you add a mechanism *to the payment protocol* to have a separate CA key (as a subdomain) sign a root address under the hood
13:02 < adam3us> petertodd: the web site will happily sign them with its SSL key (or subdomain key) and facilitate robbing itself
13:03 < petertodd> adam3us: and that's why it's a fucking subdomain, so you *don't* need to keep it online!
13:04 < petertodd> adam3us: you're not getting the payment request from that subdomain, the software just expects the request to be signed by that magic subdomain, and shows the user the address one level up
13:04 < adam3us> petertodd: well wait the payment request includes a description of what you're buying and amount it cant be offline
13:05 < adam3us> petertodd: whereas one use addresses in the hd wallet derivation method can be pre-generated offline and uploaded as a batch, they could be signed offline, but there is currently a missing part to do that (thats basically all i was trying to say)
13:05 < petertodd> adam3us: sure it can, as I said before, you have two payment protocol-related certs here: one to sign requests semi-online, another to sign long-term root keys
13:06 < petertodd> adam3us: now you have a system that has pretty good security in the default case, *and* can be easily upgraded to paranoid level by a manual check
13:06 < adam3us> petertodd: but the message to be signed is different: one is a one-use address (offline) and the other is a description of your order (online)
13:06 < petertodd> adam3us: rather than creating balkanized shit
13:07 < petertodd> adam3us: yes, and what's wrong with that? users wallet is programmed to expect both, and barfs if it doesn't see what it expects
13:07 < adam3us> petertodd: so then you're saying the same thing except you like x509 and i dont.  i think for something as compact, simple, direct and bitcoin meaningful as a proof of hd wallet ownership should be a 64 byte thing on the one use address, not a few KB of asn1
13:07 < petertodd> adam3us: if not all merchants use this, just make the UI in the wallets have a silly golden shield or something for the extra-high-security version, and make it easy to check fingerprints manually
13:08 < petertodd> adam3us: sure, but the code *has to be implemented on the wallet anyway*, so use a mechanism that allows for nice user-friendly transparent upgrades
13:08 < adam3us> petertodd: yeah i think we have some ux and naming to fix up, but i would call the merchant HD wallet base address the merchant account number, and the one-use address the invoice number
13:09 < adam3us> petertodd: seems a bit ugly to say oh yeah, and that account number, bitcoin has a key, but it chose to delegate that to a web app, a untrusted third party (CA) and browser to tinker with
13:09 < petertodd> adam3us: heck, you see what I'm doing here? what I'm really doing is extending the merchant's identity that you usually transact with to verify a HD wallet base - you're strongly arguing to only do the latter which is silly
13:10 < petertodd> adam3us: we're not delegating it to anything - hardware wallets and offline wallet software *has* to implement CA certs for the 95% use-case
13:11 < adam3us> petertodd: i dont think CA are good model, ca infrastructure is rooted, 100s of dodgy CAs, hacked CAs, hostile govt operated CAs by govts of various shades. that way lies account seizure
13:11 < petertodd> adam3us: who cares? CAs are a better model than nothing. Reality is 95% of users will outsource their security - there is nothing we can do about that.
13:11 < adam3us> petertodd: you can sign extra stuff with x509 while you're signing the payment request - why not, but i think its simpler to also independently and natively sign the one-use addresses
13:12 < adam3us> petertodd: its not either or. sign the account numbers with the hd wallet master.  and sign everything best effort on the web app layer with the payment request
13:12 < adam3us> petertodd: what i am saying is like a checksum on a credit card digit
13:13 < petertodd> adam3us: no it's not - a hd wallet seed signed once by a long-term identity cert means that some thief can't do anything more interesting than blackhole funds in the worst case - in the better case you use a derivation system that's deterministic enough to always recreate the key(s)
13:13 < adam3us> petertodd: what you are saying is like maybe SET (doomed credit card web security protocol)
13:14 < petertodd> adam3us: nah, it's silly to be signing shit, remind yourself how HD wallets work... you don't need to sign addresses derived from them, spendability only with the HD seed is guaranteed anyway
13:14 < adam3us> petertodd: i think this is an instructive analog: banks do not use third party auth (openid, CA issued certs without pinning, or site enrolment) because they want to control their own security
13:15 < petertodd> also if you are signing stuff, then that encourages you to keep your keys online, which is bad...
13:15 < petertodd> adam3us: yes, and then they can tell their customers their PGP fingerprint and do it that way...
13:15 < adam3us> petertodd: not signing data just the one-use address
13:15 < petertodd> adam3us: yes, and given HD seed S and nonce n S+n is a one-use address that only S' can spend
13:22 < adam3us> petertodd: yes this is true, but only if the site and user share a sub-wallet & chain code (which they can do, and maybe should do for recurring biz)
13:22 < adam3us> petertodd: but i was thinking maybe with a signature on the one-use address, which the user can strip before using on the network, you get that kind of spender simple tofu verification
13:25 < petertodd> adam3us: timo's pay-to-contract makes a lot of sense there you know... yeah, now maybe you really do want an address that can't be proven to have anything to do with the hd seed, but why not extend that initial thing to sign a bunch in advance? again, you don't want to encourage keeping that long-term-id key online often
16:39 < nanotube> to soon? :P
16:43 < nanotube> ... slowly getting my connection count back after node restart. up to 88 now.
16:57 < HM3> why aren't node addresses stored persistently?
16:57 < sipa> they are
16:57 < sipa> peers.dat
16:59 < HM3> ah
17:54 < nanotube> what's the default expiration of errors? i'm still seeing the 'check date and time' error in getinfo, though my timeoffset has settled to 0. (probably initially caused by my initial peer set being significantly off, i recall gmax mentioning something about there being some mistimed peers out there.)
18:00 < gmaxwell> nanotube: some errors never go away (unless replaced by another one), thats one of them.
18:01 < nanotube> doh
18:02  * nanotube thinks it should go away once timeoffset drops below some threshold
18:02 < nanotube> though... it's rather immaterial.
18:07 < nanotube> well would you lookit this, a live bitcoin node counter:
18:08 < HM3> cool site
18:08 < gmaxwell> yea, except the numbers on the front page are pure bullshit.
18:08 < gmaxwell> (they're counting addr messages)
18:08 < gmaxwell> if you click through to the report, e.g.
18:09 < gmaxwell> the field "nodes_version (version)" is how many they actually connected to.
18:09 < HM3> i don't know why that is bad
18:09 < HM3> what is nodes_getaddr?
18:10 < gmaxwell> how many unique IPs they got from address messages.
18:10 < gmaxwell> which includes scads and scads of never-reachable addresses, due to god knows what.
18:11 < HM3> but those nodes may be connected out right?
18:11 < gmaxwell> Some, but most? Unlikely, considering the addresses include e.g. huge ranges of sequential numbers.
18:11 < nanotube> gmaxwell: oh... crap. and there i was being happy we have 100knodes.
18:12 < HM3> so probably people with dynamic IPs
18:12 < gmaxwell> HM3: out only nodes don't announce themselves in any case.
18:12 < HM3> stale messages
18:12 < HM3> ah
18:12 < gmaxwell> HM3: and moronic dos attacks, and misconfigured firewalls, and who knows what.
18:13 < sipa> my crawler tracks 66k addresses now
18:13 < sipa> of which it considers 3.8k "good"
18:13 < nanotube> what's 'good', how many have been reachable within the past 30days?
18:13 < sipa> it has also banned 730k addresses for being consistently bad :p
18:13 < nanotube> heh
18:13 < sipa> the rules are fuzzy and too complex
18:14 < sipa> go read the source :p
18:15 < nanotube> haha well, 'really roughly'
18:16 < HM3> so probably bigger than Tor in terms of relay nodes, but probably smaller than the number of skype users who signed off in the time it took me to type this.
18:16 < nanotube> lol yea
18:16 < gmaxwell> well, in particular, it means we're dangerously close to running out of sockets.
18:17 < gmaxwell> (even absent an attack)
18:17 < HM3> what?
18:17 < gmaxwell> as 4000*125/8 = 62500 ... so it means that we can only support 62500 nodes with good listeners (including bitcoinj nodes and such that would never announce)
18:18 < nanotube> hm well, it seems we're not /that/ close. after a day-ish of uptime, i'm only at 83 connections out of 512.
18:18 < gmaxwell> nanotube: 83 is 66% of the normal capacity.
18:18 < nanotube> if we were really close, i presume my slots would fill up much faster.
18:18 < gmaxwell> (I think 2/3 is not super comfortable)
18:19 < gmaxwell> (and the /16 limitation means that we're not very equally distributed)
18:19 < sipa> nanotube:
18:19 < nanotube> sure, i dig.
18:19 < gmaxwell> It's not urgent yet, but it seems we have a trend that isn't good either.
18:19 < HM3> what's this socket limit about?
18:20 < nanotube> HM3: listener nodes allow 125 max inbound connections by default.
18:20 < gmaxwell> HM3: we have memory usage per peer, so there is a limit to the number of concurrent peers. Right now the default limit is 125 (and few nodes adjust that)
18:20 < nanotube> non-listener nodes try to make 8 outbound.
18:21 < HM3> oh i see
18:22 < gmaxwell> Obviously one path is to try to really get the per peer resources down so we could have nodes with a thousand peers or whatever... but thats resource heavy, and still leaves the network more DOS vulnerable than one with just more nodes.
18:22 < HM3> so you need a listening node to out node ratio of 125:8
18:22 < nanotube> though 4k listening nodes at 125 each suggests that we should have 500k open slots.
18:22 < HM3> with perfect meshing
18:23 < gmaxwell> nanotube: yes, but nodes use 8 slots... sooooo. at 62k we start to saturate.
18:23 < HM3> err 8 : 125
18:24 < gmaxwell> of course, this is absent attacks. One issue with this model is that an attacker with a single IP can use 1/slots of the whole network's capacity, even if we implement kicking off duplicate connections. (thus conversations about things like proof of storage and private bloom queries)
18:24 < nanotube> gmaxwell: yea, but if we put in your logic about randomly dumping peers based on some scoring criteria, thus ensuring node churn, being at 62k nodes won't be a big problem.
18:25 < nanotube> but yes, certainly it's something we need to think about before it becomes a problem.
18:25 < gmaxwell> nanotube: or at least less of one, if the order of nodes drops too far the risk of partitioning increases. (though thats a reason e.g. to prioritize peers that give you novel transactions and blocks)
18:26 < nanotube> mm
18:26 < nanotube> anyway.. foodtime. o/
18:26 < HM3> Why is there a high memory cost to a connection?
18:26 < sipa> buffers
18:27 < HM3> I mean I have a Bittorrent client that maintains hundreds of connections
18:27 < sipa> and quite some state
18:27 < HM3> still uses less memory than bitcoind
18:27 < gmaxwell> HM3: most of bitcoinds memory is not connections right now.
18:29 < HM3> any thoughts on how you'll solve it?
18:30 < sipa> adding a builtin solitaire in bitcoin-qt may increase the number of fullnodes?
18:30 < gmaxwell> We need more nodes regardless, we could do things to scale up the connection count... but I think thats less important simply because if we have only a couple thousand nodes its too trivial to dos them regardless of their max connection counts.
18:30 < gmaxwell> Once we have headers first and pruning there should be less disadvantage to running full nodes.
18:31 < gmaxwell> It may also be that we can't solve it before a major outage happens, because right now users don't think they have any personal reason to take the costs of running a full node. :(
18:32 < HM3> bundling. integrate bitcoind in to a popular torrent client so people can tip seeders :P you'll have millions overnight
18:33 < gmaxwell> and then someone implements another version that uses a SPV node instead, and you'll lose millions overnight.
18:34 < HM3> well then you play the starving hacker card and say serving "Linux ISOs" is a team sport
18:34 < gmaxwell> If that worked, then we could use Bitcoin users who presumably already have more skin in keeping bitcoin running.
18:35 < sipa> fancy graphs!
18:35 < sipa> and some animations
18:35 < sipa> how the chain is being built
18:35 < sipa> matrix-style
18:35 < HM3> defrag style
18:35 < HM3> coloured blocks
18:36 < sipa> yeeeees
18:39 < HM3> how many fullnode implementations are there out there now?
18:40 < gmaxwell> correct ones? who the fuck knows. I have very little confidence in the other teams, most of them have not even run and passed the block tester.
18:40 < gmaxwell> It's a very hard task.
18:40 < sipa> bitcoinj has one (certainly incomplete), btcd, bitsofproof, ...
18:40 < sipa> no idea how correct they are
18:40 < sipa> i'm sure there are a ton other attempts
18:40 < HM3> i think btcd guy said he had passed some of your tests?
18:40 < gmaxwell> btcd talked a good talk but was trivially forked.
18:40 < sipa> but those are certainly near-complete
18:41 < HM3> ah
18:41 < sipa> gmaxwell: which rule did they miss?
18:41 < gmaxwell> sipa: they were evaluating validity in untaken branches in scripts.
18:41 < sipa> ah
18:41 < gmaxwell> (and their response was to try to report it as a bug and suggest we fix it)
18:42 < HM3> lol
18:42 < gmaxwell> ::shrugs::
18:42 < HM3> please do, i might be richer on that fork :P
18:42 < sipa> do they even understand the concept of a hardfork?
18:42 < sipa> or rather, the distinction between soft and hard forks
18:42 < gmaxwell> I don't know. I can't tell. They're eager to please.
18:42 < gmaxwell> So everything I say they agree with.
18:44 < gmaxwell> (which I suppose is better than arguing with everything)  But I just don't know how hard they're working at it. They've not discovered any surprising behavior on their own, which is my normal benchmark, but that only works for so long.
18:44 < gmaxwell> (eventually I become all knowing and so no implementations can tell me something I didn't know. :P)
18:45 < sipa> which, ironically, makes you the #1 person capable of writing an alt fullnode
18:45 < jgarzik> maxcoin?
18:45 < sipa> i wonder how well i'd do implementing bitcoin from scratch, only looking up constants and opcodes and stuff
18:47 < sipa> BlueMatt: seems the comparisontool jar you gave me doesn't even accept current bitcoind...
18:47 < sipa> as in git head, pre-headersfirst
18:48 < gmaxwell> There are degrees of knowing. I knew how the evaluation logic worked, but I might have made the same evaluation mistake even though I "knew" better.
18:49 < HM3> it's probably easier to make a specification for the post-hardfork version
18:50 < sipa> HM3: i've been wanting to write a bitcoin-like thing from scratch for a while, with all silliness (in my opinion, of course) fixed :p
18:50 < gmaxwell> well, don't think a good spec magically makes this stuff easy. It just makes it slightly less awful.
18:50 < HM3> sure, and nobody follows specs anyway
18:50 < sipa> finding time for that is obviously a joke
18:51 < jgarzik> a good spec is simply Knuth's semantic programming
13:59 < gmaxwell> HM_: yea, I'd like to think of some examples that don't involve breaking the law. But I don't know that there really are any: if your trade is not likely to bring fire, you can use a trusted public mediator for an escrow.
13:59 < HM_> if it's expensive to verify it has to be expensive to generate as well though
13:59 < HM_> otherwise you can flood the network with candidate solutions and DDoS the whole thing?
14:00 < gmaxwell> HM_: you can use hashcash to solve that. (or make candidates pay you a small amount of bitcoin) no problem.
14:00 < HM_> hmm yeah
14:01 < HM_> so it's a C subset?
14:01 < gmaxwell> The validation is actually cheap for this kind of thing... but still slower than ecdsa in practice.. which would keep us from putting the validator directly in bitcoin,
14:02 < gmaxwell> they invented a mips like register based machine language, and made GCC (dragonegg/llvm) able to compile to it. It doesn't have floating point IIRC.
14:02 < realazthat> mmm
14:02 < realazthat> fp can be done on top
14:02 < gmaxwell> sure.
14:02 < realazthat> thats really cool hehe
14:03 < realazthat> mmm I'd want to play with that
14:03 < gmaxwell> Or you just write fixed point code. No biggie.  The bigger problem is that it's not fast and needs lots of ram on the prover side.
14:03 < gmaxwell> But it sounds efficient enough to be actually usable for _something_ now.
14:03 < gmaxwell> And they've actually implemented it.
14:04 < realazthat> yeah, I just wanna play with it external to bitcoin
14:04 < realazthat> are they to release the codes?
14:04 < realazthat> I hope so
14:11 < gmaxwell> Yes. They were talking about setting up a github page and such.
14:11 < gmaxwell> and, it sounded like they were willing to make it available in advance to bitcoin wizard types interested in working with it.
14:12 < gmaxwell> I haven't asked for it yet simply because I do not have enough bandwidth to do something with it in the next few days....
14:12 < gmaxwell> But I'd really like to actually execute that protocol I described, and make a zero knowledge contingent payment. Just need to figure out something to buy that's sexier than a cracked password.
14:13 < gmaxwell> (I wish the xkcd thing were ongoing, I could buy a solution to that! :P )
14:15 < realazthat> lol
14:18 < gmaxwell> Ah. Perhaps I could buy the infinitely good solution from Randall Munroe. (and get him to reopen submissions, so that 'Bitcoin' could be the top of the list)
14:19 < realazthat> mmm
14:19 < realazthat> can you explain the xkcd reference?
14:22 < gmaxwell>
14:26 < gmaxwell>  (I'm with the 392 score)
14:27 < gmaxwell> Only tied with stanford :(
14:27 < realazthat> oh the hashing competition :D
14:28 < gmaxwell> Randall actually knows the preimage. (or at least, he indicated that he did in IRC)
14:29 < realazthat> haha
14:29 < realazthat> do you need that to use it as a challenge?
14:30 < gmaxwell> 'that'?
14:30 < realazthat> the preimage
14:31 < gmaxwell> No, he could have made a challenge with a random target (or a target of all zeros). The fact that the target had 'high entropy' suggests that he knows the preimage... and as I said, he said that he did.
15:17 < BlueMatt> gmaxwell: or...just make it so no one has to download the chain ever again...
15:17 < BlueMatt> "but the chain is 100GB" go fuck yourself, just use computational integrity
15:19 < gmaxwell> I said that " for example, you could use these techniques to produce checkpoints that can't cheat."
15:19 < BlueMatt> well, you dont expect me to read the whole scrollback, do you?
15:20 < gmaxwell> BlueMatt: it's not realastic yet... well, I joked that if we got all of google's computing power for a week perhaps we could compute a CI signature. :P
15:20 < gmaxwell> er realistic.
15:20 < BlueMatt> yea, I know, I just keep hoping
15:20 < gmaxwell> At least the naive way of doing it... really the biggest problem is all the state needed in validation to track unspent coins.
15:25 < BlueMatt> yea, maybe when we all have 512GB ram in every machine...
15:25 < gmaxwell> BlueMatt: not even 'every' ... the validation side doesn't sound terrible.
15:26 < BlueMatt> ahh, well then we just need to find a computer to do the original signing...
15:26 < BlueMatt> lets get TD/sipa to do it...
15:29 < BlueMatt> I wonder how much it has to go back over the data during the signing (or if swapping it out to an ssd would actually work)
15:30 < gmaxwell> Right. TD had mentioned some unrelated work on garbled circuits was intractable until some software engineers had a go at it and reorged the algorithm to work in a streaming-from-disk manner.
15:31 < gmaxwell> The other problem with this stuff is that getting people convinced that the process is sound might be hard. Apparently their work has something like 400 pages of dense mathematical proofs behind it.
15:31 < BlueMatt> ahhhh
15:32 < BlueMatt> well, I dont know that I would really trust it immediately (or for the next few years) anyway...
15:32 < gmaxwell> But of course, actually _using_ it for something would make good incentives to attack it!
15:32 < BlueMatt> still, the idea that it will clearly be possible in the immediate future means the argument that the chain is growing too fast (and not the utxo set) is invalid
15:33 < sipa> gmaxwell: but will verifying the proof be cheaper than just verifying the chain?
15:34 < gmaxwell> For some size of the chain it should be. The complexity is polynomial on the size of the program (the rules) you're validating.
15:34 < gmaxwell> (complexity of validating)
15:34 < sipa> ic
15:34 < sipa> magic :S
15:34 < BlueMatt> as long as its similar and you can throw out the chain data itself instead of still having to distribute the chain in the form of input data
15:35 < gmaxwell> BlueMatt: I don't agree. You're streaching. You still need the bandwidth to receive blocks to actually use the network in real time. It just means the history bloat will be less of an issue perhaps.
15:35 < gmaxwell> stretching*.
15:35 < BlueMatt> yes, thats my point
15:35 < BlueMatt> its just blocks/time instead of total blocks
15:35 < BlueMatt> (in data)
15:35 < gmaxwell> I don't think anyone has argued that the history is an issue. Mostly people are willing to ignore the bootstrap time/cost. (maybe that's unwise too)
15:36 < BlueMatt> Ive heard it once or twice
15:37 < gmaxwell> well you've heard me say it wrt pruning and needing to be really careful about how we handle it (e.g. that I want to have addr message signal that nodes have random subsets of the chain in addition to just the most recent few thousand blocks).. but that's still true, since this stuff probably won't be practical for bootstrap for a couple years at best.
15:37 < gmaxwell> But that's not a scaling concern... it's a pruning concern specifically.
15:38 < BlueMatt> meh
15:39 < gmaxwell> I don't want the network to depend on having archive nodes to bootstrap. Esp when there will be plenty of users happy to donate more disk space but not as much as a full archive.  Archive nodes, if that's all we have, will be quite costly to operate... and I can reliably predict people will start saying "more people should use SPV nodes" as an answer to archive nodes being totally saturated.
15:40 < gmaxwell> People should be able to pick the disk space they donate to the network continuously from utxo only all the way up to archive.
15:41 < BlueMatt> not sure we need /that/ much flexibility, but chunks of tens of thousands of blocks yea
15:42 < BlueMatt> would be interesting to split that off into a separate bootstrap network
15:44 < gmaxwell> yea, I just want node to be able to signal a single range in addition to a range from top.
15:44 < gmaxwell> More ranges would be nice but I don't think they're important.
15:46 < gmaxwell> e.g. a service flag that says it keeps the last 2016, and a range that it has 120000-160000.
15:47 < petertodd> warren:
15:48  * BlueMatt :(
15:48  * BlueMatt isn't opposed to making most bootstrap on some 3rd party network
15:48 < petertodd> BlueMatt: btw you may want to argue over email with me - I won't be on irc much in the next week
15:49 < BlueMatt> meh, we clearly fundamentally disagree
15:49 < BlueMatt> not sure arguing helps any there
15:49 < petertodd> not surprising
15:49 < petertodd> after all, it's not a technical decision, it's about what you value in bitcoin
15:49 < BlueMatt> not really
15:49 < BlueMatt> well, at least not the way that video presented it
15:49 < BlueMatt> in the extreme, sure
15:50 < gmaxwell> BlueMatt: just be really careful that you're not treating "other network" as magic. There are reasons why you can do this better with integration with our network, as well as by knowing about the data you're working with.
15:50 < BlueMatt> gmaxwell: meh, its easier to treat it as magic...
15:50 < petertodd> it was really interesting being at the developer round table, talking about scalability stuff, and when it was over a half dozen argentinian investors surrounded me with questions - they were extremely concerned about centralization and anonymity
15:50 < BlueMatt> but, no, yea it makes more sense on our network, but it would have to be half-separated
15:51 < BlueMatt> petertodd: I have no doubt that scare-videos scare people...
15:51 < gmaxwell> BlueMatt: our trackerless torrent hardly works, requires a weakly trusted party to give you the torrent ID (and wastes your time/bandwidth if it's wrong). External network doesn't make it trivial for bitcoin participants to turn a knob to control their contribution level, unless we bundled the third party network software and increase our attack surface. File trading protocols get people banned from some networks for reasons unrelated t
15:52 < BlueMatt> gmaxwell: yes, this is why it does actually make more sense to put it on a standard bitcoin p2p network
03:43 < Taek42> I was wondering if it would be possible to build a higher-level language on bitcoin script
03:43 < Taek42> right
03:43 < Taek42> Imagine a C-like that outputs bitcoin-script instead of assembly
03:43 < stonecoldpat> michagogo|cloud: jesuscoin i love it
03:43 < justanotheruser> Yes, it wouldn't be turing complete, but it would allow for turing complete scripts that get cut off if they run too long (so pseudo-turing-complete)
03:44 < justanotheruser> well not cut off, but only be accepted if they have a limited run time
03:44 < Taek42> As long as you have a reliable way of measuring where the scripts get cut off
03:44 < Taek42> because all hosts would need to agree if a script took too long to terminate
03:44 < justanotheruser> Taek42: it would be like measuring where transactions get cut off. The miners determined it
03:44 < justanotheruser> (in terms of size)
03:45 < Taek42> hmmm
03:47 < justanotheruser> The transactor could say how many cycles the script should take in the header. If it takes more than that, then the miner can spend the transaction themselves maybe? (This is the best way I can think of preventing DoSing miners with large scripts
03:47 < justanotheruser> I suppose that would limit the ability to give people scripts that they can spend later though
03:48 < justanotheruser> well actually nvm the statement directly above this
03:48 < justanotheruser> you should build these scripts so they can't run arbitrarily long, otherwise someone will donate the tx to miners
03:49 < justanotheruser> nsh: Are you saying this system would hurt stability of the price?
03:50 < nsh> not necessarily, just that things tend toward instability as the degrees of freedom increase
03:51 < justanotheruser> nsh: when you say degrees of freedom do you mean it in the mathematical sense, or could I substitute degrees with amount?
03:51 < Taek42> nsh I'm not sure I agree with that
03:52 < nsh> mathematical, but perhaps i'm wrong
03:52 < nsh> certainly in mechanical dynamic systems you are more likely to exhibit chaotic behaviour when you have more (dynamically coupled) degrees of freedom
03:52 < justanotheruser> nsh: could you explain what a degree of freedom is in these terms then?
03:53 < nsh> "In mechanics, the degree of freedom (DOF) of a mechanical system is the number of independent parameters that define its configuration. It is the number of parameters that determine the state of a physical system"
03:53 < justanotheruser> nsh: Are you saying bitcoin price would be more stable if it didn't have p2sh?
03:53 < nsh> no
03:54 < justanotheruser> doesn't p2sh add a DOF?
03:54 < nsh> the price stability derives from the network stability, which derives from everyone's behaviours being constrained (by "enlightened self-interest") to keep things working in some defined manner
03:55 < nsh> yes, but you're making stronger assertions :)
03:55 < Taek42> depends on what you mean by network
03:56 < justanotheruser> nsh: Does another DOF hurt network stability?
03:56 < Taek42> bitcoin's price instability derives from the fact that the volume in circulation can't adjust to the demand
03:56 < Taek42> and the demand has been all over the map
03:56 < nsh> justanotheruser, depends
03:56 < nsh> what i proposed was that as the number of DoFs increases then the entire system _tends_ towards more unstable behaviour
03:57 < justanotheruser> hm
03:57 < nsh> to go from that to saying adding one DoF necessarily increases instability requires some additional evidence
03:57 < justanotheruser> I'm not sure if I agree with you. I don't think it makes it less stable unless it makes it less secure
03:57 < nsh> and anyway, i'm probably just smoking crack
04:00 < justanotheruser> Another advantage I see in this is a limit on CPU intensive scripts. No longer will we have to worry about transactions that take a long time to validate but are inexpensive because they take up little physical space
04:19 < sipa> the reason why turing complete scripts are a bad idea is because you cannot determine the cost of running without running
04:19 < sipa> even if it's not actually turing complete and limited to some high amount of cycles
04:21 < nsh> which means easy DoS attacks?
04:22 < Taek42> If you had it in a sterile environment (no malware issues), I would think that the only problem would be large scripts (too much data) or long scripts (too much runtime)
04:23 < Taek42> wouldn't limiting the cycles prevent that?
04:27 < sipa> if one transaction costs 1000 times more to validate than another, you need pretty good policing to make sure it is disincentivized
04:31 < Taek42> or you could charge each transaction equal to the theoretical limit on how expensive it is
04:31 < Taek42> then the miners will be happy
04:31 < Taek42> or you could wait to charge until you know how many clock cycles were spent validating it
04:35 < sipa> the problem is that mining is constrained by size, so will end up picking transactions with sufficient fee per byte
04:35 < sipa> if you want the same incentive for execution, you need a hard limit per block on validation cost
04:35 < sipa> which complicates optimal transaction selection
09:40 < petertodd> sipa: I really don't see what the big deal is; you have to execute the script anyway yourself to validate that the transaction is valid. Adding opcode counters to Eval() isn't a big deal.
09:40 < petertodd> sipa: sure there's some theoretical static analysis stuff you could do, but it's consensus critical - keep it simple and stupid
09:53 < andytoshi> petertodd: suppose i make a script which has fee for 100000 iterations, but runs for 100001, so it can't validate
09:53 < andytoshi> is there a nice way to prevent a DoS along those lines?
09:54 < petertodd> andytoshi: probably not, but at least that's a local DoS attack - lots of those
09:55 < petertodd> andytoshi: anyway, a script can't exceed the limit for a whole block by definition, and block propagation has to be fast, thus it can't be that much of an issue
09:55 < andytoshi> yeah, fair enough, i guess people are free to make IsStandard reject anything that might take too long for their system
09:55 < andytoshi> also a good point
09:55 < petertodd> andytoshi: yup
09:56 < petertodd> andytoshi: and static analysis is all well and good, but like I say, it'd be in consensus critical codepaths...
09:57 < andytoshi> yeah, perhaps it's a meta-problem that people will try to do it if they see a benefit
09:57 < petertodd> lol!
09:58 < andytoshi> the real problem i see with turing-completeness is that the block limits you'd have to put on it are too stringent for anything cool to be done
09:58 < andytoshi> OTOH if we could do snark-validation so only one person (potentially the transactors themselves) ever have to compute it, i'd be happy with it
09:58 < petertodd> yeah, but like I say, until we get SCIP you have to have limits because you have to actually run the code to validate! turing completeness has nothing to do with that
10:22 < gmaxwell> andytoshi: certainly the block limits you'd have to have would be too stringent to do anything interesting if the instruction set weren't very high level, and if we had to assume execution via a very dumb interpreter.
10:22 < gmaxwell> the latter is probably true, the former not so much.
10:23 < gmaxwell> This isn't to say I'm necessarily a fan of turing complete script. I do think getting an execution counter right is hard.
10:23 < petertodd> gmaxwell: just do a MAST design and make sure your MAST hash function is more costly than anything else...
10:24 < adam3us> btw about pegged side-chain, i think the actual spv proven side->main protocol would not need to be run.  it's just a threat that it could be run.  cross chain-atomic swaps can do the actual swap.  and market makers can do it.  if volume dries up or mkt maker low on funds he can clear via side->main spv proof.
10:24 < nsh> petertodd, what's MAST?
10:24 < gmaxwell> adam3us: it needs to be run some, but perhaps not much.
10:24 < petertodd> nsh: merkleized abstract syntax tree
10:25 < nsh> ah, ty
10:25 < gmaxwell> petertodd: I don't think it would be efficient to force every branch to be mast, besides loops with unknown depth can't be separately mast-ed.
10:25 < adam3us> gmaxwell: yes.  it depends on the willingness of mkt maker to hold btc funds  someone with big long term btc holdings anyway would be willing to mkt make all-day-long for 0.1% or whatever, it's near free risk free money for executing a script.  it's a form of interest for btc holdings
10:26 < petertodd> gmaxwell: which is my serious point: turing completeness often gives you more efficient code in cpu and code size
10:26 < gmaxwell> adam3us: I mean, you'd need to have at least one execution to get funds there in the first place.
10:27 < gmaxwell> petertodd: certainly low level opcodes do not.
10:27 < gmaxwell> adam3us: but yea, that was part of my point when we previously discussed. It can be expensive because it's not a primary daily mechanism.
10:27 < adam3us> gmaxwell: agreed.  mkt makers might need to do rare large tx in which ever direction is leading to a liquidity exhausting direction.  but the mkt maker spread should be tiny as anyone holding btc can do it, and they can do it with airgap security if they want trezor/armory so there should be lots of security
10:28 < adam3us> gmaxwell: agreed.  i think everything i just said was in the original thread.  just emphasizing how cool that is :)
10:29 < gmaxwell> sipa: I think you could perhaps resolve the selection complication by just counting each byte as one instruction too, and have only an instruction limit. Then at least the optimization can remain in one dimension.
10:29 < gmaxwell> I still think implementors will totally screw up their instruction counting, esp when slower scripts start driving them to JIT.
10:30 < gmaxwell> it might help if every signature needed to have its final instruction count with it, and they're forced to match exactly.
05:02 < maaku> by reorg attack you mean 51% / 100% attack?
05:02 < petertodd> maaku: oh! actually, this is perfect: voting on the inflation rate naturally has an opposed set of incentives - set a minimum rate, and let people proof-of-stake vote increases in it.
05:02 < petertodd> maaku: or really s/inflation/demurrage/ to make it PR acceptable
05:02 < EasyAt> maaku: I'm curious what warren means by reorg attack
05:03 < petertodd> maaku: which is perfect because demurrage is the only sane way to fund mining long-term (+ tx fees, but never only tx fees)
05:03 < warren> maaku: lots of the little pure PoW coins seem to come under reorg attacks often
05:03 < warren> but I never hear of it happening to freicoin
05:04 < petertodd> maaku: I suspect with rates like 0.1% to 3-5% the loss per year is low enough that users may be willing to vote it up, which is fine, and gives some agility to attacks that might do some good.
05:05 < EasyAt> petertodd: Is it still demurrage implies the value is being redistributed to miners whether the currency is transferring or not.
05:05 < maaku> petertodd: we haven't found a way to auto-regulate demurrage rates, or voting scheme which doesn't assume the electorate is altruistic macroeconomics professionals
05:05 < EasyAt> As in you have a tax just for holding and not moving currency
05:06 < EasyAt> inflation essentially
05:06 < maaku> hence the fixed 4.9% ... a fluctuating rate would actually be ideal, but I don't know how to do that securely and safely
05:06 < maaku> EasyAt: no, it's a fee on all money, fullstop. moving or hoarding doesn't make a difference.
05:06 < EasyAt> intersting
05:06 < EasyAt> So no penalty whether you move or hold
05:07 < maaku> well, the same penalty i guess
05:07 < maaku> warren: we've not really been subject to such attacks
05:07  * maaku knocks on wood
05:07 < maaku> but really it makes no difference what pow algorithm you use
05:07 < warren> I know
05:07 < maaku> i assume you're talking about 51% attacks
05:07 < warren> yes
05:07 < petertodd> maaku: right, but my point being, the worst outcome is the rate drops down to some low minimum value hopefully high enough to keep attackers at bay indefinitely. The best outcome is that if it looks like miners do need more incentive, human altruism can do some good. Will that happen? Who knows, but the downside is just technical risk.
05:07 < EasyAt> Is a reorg attack a 51% attack? or something very similar
05:08 < maaku> warren: long term, we're moving to merged mining
05:08 < EasyAt> maybe less hash stake than 51% but getting lucky and reorging in your favor?
05:08 < warren> EasyAt: You don't need 51% to do a "51%" attack.
05:08 < EasyAt> warren: that's what i mean
05:09 < EasyAt> maybe less hash stake than 51% but getting lucky and reorging in your favor?
05:09 < EasyAt> is what i said
05:09 < maaku> petertodd: if the goal is just to provide limited income to miners, that's a good strategy. i could see it reaching steady-state at the security & profit  break-even point (but maybe there are some game dynamics at play too)
05:09 < maaku> but with freicoin, the desire is 0% basic interest, which I don't believe such a scheme would achieve
05:11 < maaku> warren: we have done the easy stuff (fix time traveller bug, no asymmetrical diff adjustment, etc.), but also we have a much faster acting (but stable!) FIR-filter difficulty adjustment algorithm
05:11 < maaku> so that also helps
05:13 < petertodd> maaku: thing is you don't care about profit, you just care that a given % of the total value of the coin goes to paying for hashing power guaranteed.
05:13 < petertodd> maaku: I'm not seeing how that turns into game dynamics assuming reasonable decentralization
05:16 < maaku> petertodd: so in freicoin there are two knobs to tweak: (1) the demurrage rate, and (2) how much of that goes to the miners (vs other distribution mechanisms, such as the above-mentioned 'republicoin' proof-of-stake voting)
05:17 < petertodd> maaku: right, where I'm proposing a system with just knob #1
05:17 < maaku> i can see how a secure voting mechanism could lead to the latter (although I don't have such a protocol, yet), but not the former
05:17 < maaku> yeah i figured you don't care about the other aspect, but that's the context in which I'm working on this
05:17 < petertodd> no, I think it's the other way around, because the former have opposite incentives than the latter, guaranteed. (assuming no external attack threat)
05:18 < petertodd> after all, miners can always refuse to mine a transaction due to too-low fees - refusing to mine because of too-low % vote is not much different
05:18 < petertodd> and if anything, that's much less likely to be gamed in many senses
05:18 < maaku> i think that's what I meant - it's late here, i must have switched them in my mind
05:18 < petertodd> ah good
05:19 < petertodd> speaking of, I proof-of-stake vote all the demurrage to myself
05:20 < maaku> i expect you could construct a voting scheme for regulating the rate of income given to miners, I don't think a voting scheme would work to set demurrage rate at what is necessary to achieve 0% basic interest
05:20 < petertodd> "0% basic interest"?
05:21 < maaku> petertodd: do you have majority stakeholder vote?
05:21 < petertodd> maaku: not yet, but the moment I do it's a tipping point...
05:21 < maaku> we're anticipating that if we structure the elections properly, we will have competing factions that form governments, and the real-world outcome is that you won't get 51% votes to "pay ourselves"
05:22 < maaku> i'd like to formalize that argument before we deploy though
05:22 < petertodd> yeah, probably true enough
05:22 < maaku> hence the name "republicoin"
05:22 < petertodd> I'd sure as hell formalize it - just look at all the screwy things with incentives that have been found lately
05:22 < maaku> yeah
05:23 < maaku> basic interest == liquidity premium, when we're talking about currency
05:23 < petertodd> rght
05:23 < petertodd> *right
05:27 < maaku> Gesell wrote several monographs showing how the parasitic behavior of the financial industry and government, and the ruinous effect that has on society is due to the liquidity premium
05:27 < maaku>
05:28 < maaku> so the experiment of freicoin is: set the liquidity premium = 0%, and see if that helps create positive economic incentives, as predicted
05:29 < petertodd> ...and the experiment you actually have wound up running, is will cryptocoin people ever adopt anything with demurrage?
05:30 < maaku> haha, surprisingly the answer is a mild yes
05:30 < maaku> but no, we've been targeting groups outside of bitcoind
05:30 < petertodd> indeed, and I wasn't saying that in a negative way! I'm quite happy to see *that* experiment happen even if I don't give a damn about economic theory :)
05:31 < maaku> while most freicoin users may have heard of, downloaded, and maybe used bitcoin, most of them did not become active until they got involved with freicoin
05:31 < maaku> and we've mainly been reaching out to monetary reform groups, which surprisingly haven't heard of or done anything with bitcoin either
05:31 < petertodd> there were some occupy types adopting it or something similar IIRC?
05:32 < petertodd> and agreeing to use a decentralized demurrage cryptocurrency is wonderfully democratic
05:32 < maaku> we framed the original crowdfund campaign in the language of occupy, but surprisingly there was very little interest
05:32 < maaku> we've seen interest peak the most in the regional/community currency movement
05:32 < petertodd> huh, too abstract maybe
05:33 < maaku> possibly, or maybe even too concrete. the problem with occupy is that they all have agreement on the problems, but 100 protestors have 101 different solutions in mind
05:33 < maaku> this wasn't the solution any of the occupy people we talked to had in mind ;)
05:34 < petertodd> did they add it to their mental solutions list? because if so you added to the problem :P
05:35 < petertodd> you know, one of the annoying things about crypto-currencies is how the basic dynamics of proof-of-foo make experimentation hard - normally a small currency experiment might be worthless, but it is secure
05:36 < maaku> you'd think it'd be a perfect match though - occupy prime problem is the banks that control directly or indirectly so much of our society. gesell's basic thesis is that liquidity premium is the root cause of that. problem identified, solution provided...
05:36 < petertodd> "wtf is liquidity premium? sounds like something a banker would talk about"
05:36 < maaku> heh
05:37 < petertodd> I'm glad that you're self-aware enough to laugh at that!
05:40 < maaku> Well I (and Gesell) are not anti-banker - gasp! Gesell is totally a free-market capitalist, and so am I.
05:40 < maaku> What Gesell is against is the unfair advantage banks have, and how they naturally use that advantage to ill gain
05:41 < maaku> He then goes to considerable length in showing how that advantage is exactly equal to "basic interest" - that interest which remains after you subtract out the risk premiums, time preference, etc.
05:41 < petertodd> yeah, of course, monetary issues aside, understanding credit risk is something where scales leads to bigger profits
05:41 < maaku> So neutralize that, and you've got a level playing field - banks want to loan to you just as much as you need them
05:42 < petertodd> rick premiums aren't easy to measure after all
05:42 < petertodd> *risk
05:42 < maaku> yeah they're not
05:43 < maaku> but people who have money should be entitled to the reward of taking that risk
05:43 < maaku> they just shouldn't be entitled to that reward... + 5% for absolutely no reason
05:44 < petertodd> right, otoh if the cost of figuring out that premium works out to be 5%, well, what's the difference exactly?
05:44 < petertodd> real world will be somewhere in between, but it might not make such a big difference is my point
03:27 < petertodd> I had a scar for ages myself on my thumb due to a photoflash circuit...
11:19 < jgarzik> petertodd, random note, perhaps obvious: USB and PCI traffic may be observed, just like ethernet traffic
11:19 < jgarzik> (recalling conversation a while ago)
19:57 < petertodd> So I think you can do compact NI proofs of colored coins: suppose I have a tx with two colored coin inputs, each worth 1BTC.
19:58 < petertodd> I just need to select one of those txins randomly, and prove (via a proof back to genesis) that it's a real colored coin txin.
19:58 < petertodd> Now if I try to make a false tx proof, with only one real input, I have a 50:50 chance of destroying my colored coin output by spending it to an invalid transaction that doesn't have a valid proof, so when you add it all up I can't get ahead.
19:59 < petertodd> The same applies for n inputs, and equally inputs that aren't equal in value provided I select the inputs in a weighted random fashion.
20:00 < petertodd> As for the random number, the best I can think of is to take the next n block hashes, compute hash % n, and take the mode to select the input I prove.
20:00 < gmaxwell> meh, it's 50:50 for the cheater though. He doesn't care if four steps down the new NI proof catches the cheating.
20:01 < petertodd> Well, this is the thing: every proof is a full path all the way to genesis of one txin - I don't think I can do better than that. But at least it's just one path, O(n) size.
20:02 < gmaxwell> right but the cheater has 50/50 odds of winning in their cheat.
20:02 < petertodd> Sure, but their expected return is still zero.
20:02 < petertodd> slightly negative including fees
20:03 < gmaxwell> oh because it destroys their coin if they lose.
20:03 < petertodd> exactly
20:08 < petertodd> Now, see this works especially well with mastercoin, because every tx sends a fee to the exodus address.... :/
20:10 < gmaxwell> I think it only does that because ... thats basically the only mental tool that they have available to identify the mastercoin transactions.
20:11 < petertodd> yeah.... as you may have guessed I'm the guy who offered to write them a proper spec
20:11 < petertodd> I don't have high hopes :/
20:15 < gmaxwell> Well, I think you hurt their feelings, since I got a PM asking for feedback on their crazy checkmultisig stuff saying that you were demanding a lot of money to tell them the flaws in it. :P
20:15 < sipa> heh, i got the same mail :)
20:15 < petertodd> I'm not exactly surprised. Though he's remarkably friendly to me.
20:15 < sipa> they told me it was you
20:16 < petertodd> Lol, technically I haven't talked about money yet...
20:17 < petertodd> I'm *really* not happy with how he's going about it all, on the other hand, I don't think he's a bad guy, just naive and clueless.
20:17 < petertodd> Not his fault the community is crazy.
20:17 < sipa> he certainly doesn't strike me as a scammer
20:18 < petertodd> Me neither, but I also don't think he's going to wind up making something worth a half million...
20:24 < gmaxwell> sipa: they told you it was me? or that it was peter?
20:24 < sipa> peter
20:25 < sipa> they didn't tell you?
20:25 < gmaxwell> oh yea, sure, and I didn't disbelieve it. I think I said that I wasn't super inclined to give them free consulting as I viewed what they were doing was harmful to and competitive with bitcoin.
20:28 < petertodd> gmaxwell: I told him I wasn't as worried about UTXO harm, as I was about the whole thing blowing up and going no-where because it's a bad idea.
20:29 < gmaxwell> That was also my conclusion after it was mentioned they were using a bc.i wallet... I dunno if I said that on the forum. I feel really bad, I suspect everyone involved is just hopeful but misguided.
20:30 < petertodd> Yup. I was pretty harsh in my first post - I wouldn't have in another situation - but given the money involved it deserved bluntness I think.
20:30 < midnightmagic> International journal of network security & its applications is the shittiest online journal I've ever had the displeasure of grovelling through.
20:30 < midnightmagic> (sorry for the interruption)
20:37 < gmaxwell> Yea, indeed, the fact that they were soliciting (and received) a ton of money also reduced my typically overwhelming level of charm.
20:38 < petertodd> An amount of money that makes me more than happy to ask for some too.
21:03 < gavinandresen> "give me money and I'll tell you why your idea sucks" is never going to make friends, though.
21:04 < petertodd> Meh, what I was offering to design wasn't his idea actually. (the tx encoding)
21:26 < jgarzik> hah
21:26 < petertodd> jgarzik: ...says a lot about the project...
22:06 < warren> didn't ecocoin offer money for a security audit?
23:31 < amiller> hm.
23:34 < amiller> you know, my approach would basically end pooled mining
23:34 < amiller> anyway, i have been struggling with this zero knowledge proof of work signature thing
23:34 < amiller> all the straightforward things i came up with just using discrete log tricks don't really work
23:35 < amiller> the ones you can do zero knowledge over directly aren't good crypto hash functions
23:35 < jgarzik> amiller, ending pooled mining would be fine, though it will never happen due to inertia ;p
23:36 < amiller> jgarzik, well if my doom&gloom prediction comes true and hosted mining starts to catch on...
23:36 < amiller> it would be good to have a solution in store!
23:36 < amiller> anyway so i know i can use Pinocchio (or TinyRAM) to do zero knowledge proofs of work generically
23:36 < amiller> the downside is it takes a long ass time to construct the proof, even if verification is pretty efficient
23:37 < amiller> so...
23:37 < amiller> the clever way out is that the use of this zk proof of work is really only needed as a special device to prevent hosted mining
23:37 < amiller> you have to have the "option" of doing a zk PoW, but ordinary users wouldn't actually have to take that option
23:37 < amiller> you can decide after the fact
23:38 < amiller> empirically it would take about 1 minute to produce the zk PoW for 2xSHA256 using pinocchio
23:38 < amiller> it could be parallelized too
23:38 < amiller> if it's only meant to prevent cloud mining, then it only has to be plausible for a cloud service provider to take that option!
23:40 < nanotube> people already trust pools not to skim/steal. what people /won't/ trust is other miners not to steal. so to really end pooled mining you have to enable other miners to appropriate more than their fair share (or steal entire blocks)
23:41 < amiller> stealing entire blocks is exactly what i'm suggesting
23:41 < nanotube> stealing by pool operator, or by fellow peer miners?
23:41 < amiller> by fellow peer miners
23:41 < nanotube> ah, in that case... carry on. :)
23:42 < nanotube> i just saw you said that a "cloud service provider" can do something, so i assumed that wouldn't include a random fellow miner.
23:42  * nanotube hasn't really been reading this discussion :)
23:43 < amiller> normally you commit to your transactions before you do the mining
23:43 < amiller> but to prevent outsourcing, i want to make it possible to bind to transactions after the fact
23:44 < amiller> also to use the proof of work without revealing anything about the nonce or extranonce you used, all of which might make the work 'detectable'
23:44 < amiller> to prevent outsourcing, there has to be a "perfect temptation" for the miner to claim the work for itself without any risk of getting caught!
23:45 < amiller> basically i'm recommending using the TinyRAM or Pinocchio zero-knowledge-proofs-for-C things
23:45 < amiller> as an alternate way of claiming the work
23:45 < warren> nanotube: solution withholding attacks already happen on pools
23:45 < amiller> warren, solution withholding isn't as good a threat as solution-stealing
23:47 < nanotube> warren: yes, but you don't get any money if you withhold.
23:47 < nanotube> and griefing with no profit (or even a small monetary loss) is practically speaking not a realistic threat.
23:48 < warren> nanotube: it works on competing PPS pools
23:49 < nanotube> well, define 'works'. does anyone actually make any money out of it? :)
23:49 < nanotube> sure you can drive a pool out of business with this. but that's about it.
23:50 < nanotube> amiller: yea, miner being able to grab a solution for himself by ex-post attaching himself as payout would be just right. :)
23:50 < warren> nanotube: I'm just saying that's what happens
23:51 < nanotube> well sure, but as an individual miner, i don't have to care about it. if my pool goes out of business, i just move on.
23:51 < nanotube> (as long as i set up autopayouts to be relatively frequent :) )
23:52 < warren> an interesting phenomenon now is "switch mining"
23:52 < warren> all the coins using the same hash have pools that transparently switch to a different chain that is more "profitable" at that moment
23:52 < warren> causes huge swings of strip mining and stagnation
23:53 < nanotube> hehe nice
23:54 < warren> forget about "51%".... 5000% can be pointed at a target
23:55 < warren> that's why you see them deploying centralized broadcast checkpoints now
23:56 < nanotube> so in other words, being a latecomer with the same hash, you can no longer be decentralized like bitcoin eh
23:56 < nanotube> talk about first mover advantage eh
23:57 < warren> there's a great many scrypt clones based on 0.6.3 now
23:58 < nanotube> hmm
23:58 < warren> and others are deploying with scrypt-jane or other hashes
23:58 < nanotube> the floodgates have opened
--- Log closed Tue Sep 17 00:00:46 2013
--- Log opened Tue Sep 17 00:00:46 2013
00:04 < amiller> the sad thing is i'd like to actually support pooled mining
00:04 < amiller> like if people's motivation is to lower their variance, there's nothing bad about that
00:04 < amiller> especially if they have their own hashpower
00:04 < amiller> it actually supports decentralization to support something like that
05:37 < gmaxwell> mappum: not at all, in fact. go try fetching the bitcoin blockchain torrent with no trackers.
05:37 < petertodd> gmaxwell: I've got enough older friends to be scared shitless in an existential way already...
05:39 < mappum> interesting
05:42 < gmaxwell> mappum: bittorrent dht is mostly fail, it works .. kinda.. for very large swarms that can also do peer exchange, but mostly it just ends up helping people find other trackers. For small swarms it'll often spin finding nothing even when its not getting attacked.
05:42 < gmaxwell> It made sense in the bittorrent model because it was just enough more to make it so that you couldn't kill one (or a couple) original trackers and take out a swarm.
05:43 < midnightmagic> lol
05:43 < midnightmagic> you're never getting away from dhts are you
05:43 < gmaxwell>
05:44 < mappum> sorry, i didn't know it was such a hot button D:
05:44 < midnightmagic> haha
05:45 < gmaxwell> meh, it's not a hot button, it's just .. common. Well, not in #wizards.
05:45 < gmaxwell> But there was a period of time when we couldn't go days without someone joining #bitcoin-dev and responding to the very first thing they heard with USE A DHT.
05:45 < midnightmagic> mappum: the endless, endless stream of users who come in to #bitcoin and insist we adopt dht rather than dns/irc for initial peer discovery is really astounding. it's just a running joke is all. no worries man.
05:46 < petertodd> mappum: pro-tip: suggest fidelity bonds instead, like a fidelity-bonded DHT
05:46 < gmaxwell> or instead of *, you name a technical challenge we've had in the bitcoin ecosystem and someone has suggested a DHT to solve it.
05:46 < gmaxwell> Signature validation slow?  Use a DHT.   etc.
05:47 < mappum> well i'm glad, i hadn't thought about the vulnerabilities. i'll have to think about making mine sybil-proof and manipulated-hash-proof
05:48 < gmaxwell> in your case, I don't see how a dht ID helps you. the pool would just store all the data for all the dht IDs. and could just produce work for any of them (assuming there was even an incentive in the system to not just have one ID)
05:48 < mappum> right, i realized that's not the solution, i'm just too tired to do the thinking right now
05:48 < gmaxwell> The nearest thing I've seen to a strong DHT system is cjdns.
05:48 < gmaxwell> and it uses the 'dht' only for routing.
05:49 < gmaxwell> maybe freenet, though freenet is ... uh.. really lossy.
05:49 < petertodd> gmaxwell: yeah, though being lossy is part of how they handle spam
05:49 < gmaxwell> and freenet opennet is not secure, while freenet darknet and cjdns are rather similar in many respects.
05:50 < gmaxwell> right, freenet works, but mostly because it doesn't promise very much. :P
05:50 < petertodd> gmaxwell: though freenet opennet is not secure in the same sense that tor isn't all that secure either...
05:50 < petertodd> gmaxwell: underpromise and... deliver
05:51 < gmaxwell> petertodd: I mean, opennet has some trivial sybil vulnerabilities. Tor doesn't but only because of the centralized directory authorities.
05:51 < gmaxwell> darknet freenet loses the sybil risk for the same reason cjdns does. the users are expected to not select sybil peers.
05:52 < petertodd> gmaxwell: right, although I'm not sure the directory authorities actually help that much - they can't know if someone is logging
05:52 < petertodd> gmaxwell: they are only able to keep the system safe from sybils attempting to make Tor not function
05:57 < petertodd> gmaxwell: oh, speaking of, i2p has hashcash on their todo list:
05:58 < gmaxwell> hashcash, in java, tm.
05:59 < petertodd> gmaxwell: heh, Bitcoin sacrifice is the only sane way to do it
06:10 < adam3us> btw sdl (sergio damien lerner) claims to have an efficient unpublished anonymity solution which he has not published for year for "ethical reasons"??
06:11 < petertodd> SDL is weird...
06:13 < adam3us> petertodd: my response "I'd sure publish it immediately if I had figured it out and feel I did a good thing for society." and "Personally I think gambling has far more ethical worries than users being able to transact privately with something approaching the analogous already existing levels of privacy in other systems.  For some people gambling becomes a near ruining addiction."
06:13 < petertodd> adam3us: you're doing well with these responses lately you know
06:14 < gmaxwell> adam3us: s/some/many/
06:14 < gmaxwell> it's shocking.
06:14 < adam3us> petertodd: (his phd thesis is about fair poker) and i think he looked at anonymity because he wanted to reduce scope for gaming collusion where you can cheat
06:14 < gmaxwell> in any case, IIRC the appecoin thing was he basically proposes you make the entire txout set a reencryption mix and every miner reencrypts it every block or something.
06:15 < petertodd> adam3us: was eye opening a few months ago when I mentioned that satoshidice wanted to hire me for some analysis to my boss, and he thought doing so was totally unethical based on it being gambling - he wouldn't have raised an eyebrow if I'd told him DPR wanted to hire me
06:15 < gmaxwell> (which is a protocol you'd expect from a guy who did research on mental poker)
06:15 < adam3us> gmaxwell: hmm that doesnt sound so good for end2end privacy, its trust me privacy with the current random block winner?
06:16 < gmaxwell> (e.g. the same way that you shuffle in some poker schemes)
06:16 < adam3us> gmaxwell: y'know maybe i vaguely read that in something he wrote now you mention it
06:16 < gmaxwell> adam3us: well sort of, they shuffle the _whole_ utxo set, so even though each block winner knows his mix, the set of all block winners is presumably strong.
06:16 < gmaxwell> unless mining has become 100% centralized.
06:17 < gmaxwell> (or unless people are bribing miners for permutation lists)
06:17 < petertodd> gmaxwell: needs to be some way to make releasing the permutation list risky, like if you could somehow use that info to steal the block reward
06:17 < gmaxwell> but of course, reshuffling the whole utxo every block (or even every N blocks) is completely unrealistic.
06:18 < gmaxwell> and the cut and choose proofs required to show that the shuffle was fair wouldn't be small. (well perhaps, I did post some optimizations which might help, at the cost of making them expensive to verify)
09:04 < adam3us> gmaxwell: yes i think having shuffling miners do a provable encrypted shuffle of utxo (or a subset of it) is interesting, i meant its not as secure as blinding like zerocoin which can be unconditionally secure anonymity (and doesnt rely on trust of a random, though growing over time, collection of miners)
17:07 < phantomcircuit> gmaxwell, *cough*
17:10 < gmaxwell> phantomcircuit: thanks, bleh.
17:10 < gmaxwell> I don't understand why this particular BIP got a firestorm of attention recently.
17:11 < gmaxwell> phantomcircuit: on that subject, your commentary on would be helpful.
17:11 < gmaxwell> jrmithdobbs: as would yours.
17:14 < phantomcircuit> gmaxwell, im not sure my understanding of ECDSA is strong enough to usefully comment on it but i'll give it a read anyways
17:14 < gmaxwell> phantomcircuit: it's all symmetric crypto.
19:42 < midnightmagic> btw, the public domain assertion in that hd wallets-with-optional-encryption is a potential law-bomb.
20:06 < sipa> ?
20:15 < midnightmagic> sipa: there are many places where assigning something to the public domain isn't possible, and doesn't serve as a disclaimer of rights. apparently. it has to be something more, like "this work can be used for any purpose, by anybody, forever. also at your own risk blah blah. also we grant you royalty-free use of any of our applicable patents blah blah we promise not to patent-troll you later blah blah."
20:15 < midnightmagic> it's why OSI rejected the copyright commons 0-license
20:19 < gwillen> midnightmagic: er, the whole point of the commons-0 license is to have that wording in it
20:19 < gwillen> where you put it in the public domain if you can, and if not you grant all rights to everybody forever etc. etc.
20:20 < midnightmagic> gwillen: The lack of patent language killed it.
20:20 < gwillen> midnightmagic: I'm reading the faq right now, it appears that the opposite is true
20:20 < gwillen> midnightmagic: what killed it is that there _was_ patent language
20:20 < gwillen> that specifically said patent rights are _retained
20:21 < gwillen> and apparently OSI thought that was worse than licenses that don't mention patents at all
20:22 < midnightmagic> Right.
20:22 < midnightmagic> "We retain the right to sue you into oblivion whenever we want."
20:22 < gwillen> *shrugs*
20:22 < gwillen> it seems like a minor thing to me
20:23 < gwillen> since it's very likely that patent rights are in fact retained when using an actual public domain dedication, where possible
20:23 < gwillen> or a simple open source license
20:23 < gwillen> e.g. when using the MIT license which I think has no mention of patents at all
20:28 < phantomcircuit>
20:29 < phantomcircuit> warren, gmaxwell ^
20:30 < warren> yeah
20:32 < phantomcircuit> if that's really leveldbs mmap strategy
20:32 < phantomcircuit> that is retarded
20:34 < cfields> phantomcircuit: agreed. It seems very inefficient and dangerous to me.
20:34 < phantomcircuit> tbh most everything about the implementation of leveldb seems insane to me
20:34 < phantomcircuit> such as journal entries not having sequence numbers
20:34 < gwillen> it does seem odd to me that munmap doesn't flush
20:34 < gwillen> that's really weird behavior
10:36 < pigeons> well i know a few miners who see the control they exert as protecting the network from things like spam transactions
10:36 < adam3us> jtimon: so even their reward would be lost
10:37 < pigeons> and things like the address-reuse deprioritization wouldnt be possible i suppose
10:37 < jtimon> how and why would users ignore censor miners and how they find out what blocks are censored?
10:38 < adam3us> pigeons: the fact that we have pools at all people seem to think was an unfortunate unforeseen technology limitation.
10:39 < jtimon> well, my argument is the same that with the topic p2pool/eligius pools are not a problem
10:39 < adam3us> jtimon: well thats the objective, to arrange that this would happen.  for it to happen unfortunately i think only committed-tx can be considered valid.  or all clients have a button in them or a switch over mechanism that public tx can be disabled in event of widescale problems
10:39 < adam3us> jtimon: its a technical insurance policy or threat.
10:40 < jtimon> I think inputs-only transactions would have a similar anonymity effect and they seem more scalable to me
10:40 < pigeons> its a shame it seems like its not technical limitations keeping p2pool adoption from increasing as much as places like ghash
10:40 < jtimon> and also more "compatible" with regular txs
10:40 < adam3us> jtimon: how does that work?  do u mean where the output is p2sh so the miner cant tell who it is being paid to?
10:41 < pigeons> and its not technical limitations why stratum is much more widespread than gbt
10:41 < pigeons> but yeah the limitations existed at the time pools emerged and grew
10:41 < adam3us> pigeons: ghash also has lots of hw in their datacenter.  but the herd mentality that gets people to give % of their mining reward to miners when it is not necessary is strange yes.
10:43 < adam3us> jtimon: if inputs-only means output addr is obscured via p2sh i think its a significantly weaker mechanism.  most of the policy relates to history not static receipt address censor.  its easy to make new addresses (or sender derived address like stealth)
10:43 < jtimon> adam3us: this is petertodd's very open design
10:44 < jtimon> but let me summarize the way I see it integrated with regular transactions
10:45 < jtimon> transactions only include inputs, not outputs, and miners only include them if none of the inputs they contain have been seen (you need expiries in the TXI set for scalability)
10:46 < jtimon> the inputs may actually be garbage, refer to outputs that don't even exist
10:46 < jtimon> and all the history of the outputs is transmitted directly between users, it doesn't touch the chain
10:46 < jtimon> makes sense?
10:47 < jtimon> well, I haven't really thought much about interoperating with regular transactions (going from private back to public)
10:48 < jtimon> the main problem here seems to be: how fees are paid?
10:48 < jtimon> and the only answer seems to be pow fees
10:48 < jtimon> petertodd doesn't go beyond that
10:48 < jtimon> I think you could have a regular blockchain
10:49 < jtimon> and optional pow fees
10:49 < jtimon> which miners can somehow "add" to their per-block PoW
10:50 < jtimon> maybe you want to combine it with the "orphan blocks count for the total pow of a given chain" thing on that academic paper
10:50 < adam3us> jtimon: btw the first half of that writeup was stuff i summarized to petertodd (the entanglement, timestamp/namespace/minimum validation required) he could've mentioned it... i didnt read the rest of it before to see the txin proposal.  it seems like a subset of committed tx
10:51 < jtimon> yeah, seems very similar
10:53 < adam3us> jtimon: he could've alternately written "hey here's some stuff adam told me he explored, and i have another idea why dont we tweak committed tx to expose the txin" :)  i think that is a more accurate summary of what he wrote.
10:54 < adam3us> jtimon: the thing is as i said above probably the bulk of the policy risk is based on the history.  the thing about passing history around off-chain was in the committed-tx writeup
10:55 < jtimon> if he had done that I would have explained the txin proposal to you much faster ;)
10:56 < adam3us> jtimon: and to include clear txt tx-in exposes history.  or alternatively if the txin is unlinkable because its never published (its ambiguous at the end) then what he wrote IS committed-tx
10:56 < adam3us> jtimon: (yeah sorry i was reading the post so i didnt see your explanation above until you wrote quite a bit you were writing while i was reading)
10:57 < jtimon> np
10:58 < adam3us> jtimon: i think gmaxwell said in the committed-tx thread it might nearly but not quite be implementable with script.
10:58 < jtimon> that post of his reminded me of a discussion Ryan and I had about a txid-only chain for one of our ripplecoins
10:59 < jtimon> we wanted to put the powin transactions
10:59 < jtimon> if you made the pow on top of another transaction, the pow was "summed up" (we didn't think in detail about that PoW addition operation)
11:00 < jtimon> so people will commit their transaction on top of the longest chain they see
11:01 < jtimon> and then we needed a git-like merge
11:01 < adam3us> jtimon: yes i was wondering about something like that.  i had a PoW variant with addition, however it is very approximate addition and has variance reduction so creates mining fairness issues.
11:01 < jtimon> but we realized that didn't prevent doublespendings ;(
11:02 < jtimon> adam3us: ok, but it's good to know that it's not completely impossible
11:03 < adam3us> jtimon: well ghost protocol could reduce sensitivity to how long it takes to reach consensus (ie not so concerned about orphan rate anymore).
11:03 < jtimon> I think it started here?
11:05 < jtimon> disclaimer: we were mainly interested in ripple, so we just really wanted a minimal p2p timestamping mechanism
11:05 < adam3us> jtimon: i was thinking of something related that ideally you would like to allow users to direct mine for small reward without pools and ended up with something ghost-like.  i was thinking its too complicated and the incentives looked like they could work but were also more complicated rules, and maybe more bandwidth a bit.  so i thought this is too inelegant. seemingly the ghost authors thought it ok.
11:05 < jtimon> if this tx id gets into the chain before expiry, all the sub-txs in it are valid, otherwise none is valid
11:06 < adam3us> jtimon: i see in the rfugger thread u linked that you and he had a similar idea about building on non-conflicting orphans.  why not indeed, link them all in by reference.
11:06 < jtimon> sorry don't know ghost
11:07 < jtimon> my latest idea as said was that miners added the user's tx-pow to their block pow
11:07 < adam3us> jtimon: there is an academic paper.  they claim if you dont ignore orphans but hash into the coinbase non-conflicting orphans and change a few things you can have faster block interval without convergence problems
11:08 < jtimon> oh, that's ghost? yeah, that's what I meant by "" maybe you want to combine it with the "orphan blocks count for the total pow of a given chain" thing on that academic paper "" earlier
11:09 < adam3us> jtimon: see it seems to me desirable that a user can claim anytime during the 2week retarget period any work of even small value.  then we have less centralization risk.  now a way to do that is separate reward from voting.
11:10 < jtimon> the users reward is getting their transaction into the block, why would they get anything else?
11:10 < adam3us> jtimon: so why not mine on a public key that you use to vote..  then the voting power of the public key is related to the amount of pow on it.  and you can use it with a sort of PoS like vote
11:10 < adam3us> jtimon: i mean not specifically about your per tx pow, but that i wanted to be able to solo mine say 0.01 btc and claim it reliably without needing pools
11:11 < jtimon> what's the purpose?
11:11 < adam3us> jtimon: dislike of mining pool centralization risk :)
11:11 < jtimon> the purpose of mining is validation not distribution
11:12 < adam3us> jtimon: so i tried to explore how could i solo mine.  one answer is to be able to mine for smaller amounts.
11:12 < jtimon> but if you're mining old stuff, why should the network reward you?
11:12 < adam3us> jtimon: agreed.  but maybe it can be a two stage process.  stage 1 mine for small coinbase-like reward, stage 2 use PoS on the coinbase reward to vote for fee reward
11:13 < jtimon> I tend to distrust PoS
11:13 < adam3us> jtimon: u would be mining only your public key.  its a kind of micro-level PoS within the 2 week retarget interval only or something
11:14 < jtimon> in freicoin the retargetting is 9 blocks and if bitcoin ever hardforks I would suggest to update to our filter too
11:14 < adam3us> jtimon: agreed PoS is not economically attractive.  centralization of vote via money instead. not pretty. and many PoS have actual protocol defect to allow mining on multiple candidate blocks in parallel so devolve to PoW
11:15 < jtimon> "mining only your public key" how do you mine "on a public key"?
11:15 < adam3us> jtimon: my idea is not at a working stage, this was just as close as i got.
11:15 < jtimon> oh, I see
11:16 < justanotheruser> Do you think PoS could ever work in a currency?
11:16 < adam3us> jtimon: the idea is mining is like to get the right to vote on what the next block is. so i thought well why cant i mine on a signature key, and then use the signature key to cast a weighted vote.  maybe i can get the same feature but with more flexibility in minimum mining contribution and minimum reward. and so less dependence on pools.
11:17 < adam3us> jtimon: but it tends to have problems.  could i sell the vote.  could i save up voting power for one transaction to double spend it etc.
11:17 < jtimon> ok, now I get the point
04:09 < adam3us> gmaxwell: i guess we could impose some sanity eg reward < 50 as fees are << reward for now - no good thing can come.  i know someone could accidentally spend > 1btc fee but that is probably a mistake
04:10 < adam3us> gmaxwell: local submission could be good for that reason
04:10 < gmaxwell> adam3us: there are blocks with subsidy >> 50
04:10 < adam3us> gmaxwell: but surely thats a costly mistake rather than anything good
04:10 < gmaxwell> I think the record holder is something like 350 or something like that.
04:10 < maaku> people have accidentally spent 100's btc fees
04:11 < adam3us> maaku: right, but its a mistake - you could usefully declare such transactions invalid (some simple heuristic)
04:11 < gmaxwell> in any case, limiting inflation to 25 BTC from space doesn't really help that much. Esp since you can create inflation against spv clients simply by spending inputs that never existed.
04:11 < maaku> adam3us: does it matter? if you don't claim it some other pool will
04:11 < adam3us> maaku: as i understand it miners were gracious enough to refund it, but they would not have to
04:12 < maaku> at least if you claim it you can be kind and offer it back
04:12 < adam3us> maaku: well if its invalid its not even forwarded, your client should reject even sending it - mistakes where people lose large amounts of money are not good
04:14 < adam3us> see its an interesting thing - many people have views and things to say in support of decentralization - maybe there are simple things that could be done to support decentralization (like get users to choose their own block) while using pools to even out luck; or just encourage p2pool if it can take the load
04:15 < gmaxwell> adam3us: well thats the "coinbase only pooling" user chooses their own block, pooling only for the payment.  But it needs some software work: A new GBT extension to say "send me only a coinbase", miner support to merge work from two sources, and poolserver work to accept shares.  ... plus its becoming increasingly hard to get miners to even run bitcoind/bitcoin-qt
04:17 < gmaxwell> (at least coinbase only mining would decouple the choice of policy with choice of income-pooling, even in a world where hashers were still blindly handing over their votes to quasianonymous parties on the internet)
04:17 < adam3us> gmaxwell: that latter thing i was thinking could be combated without a full node, eg get people to get a coinbase feed from somone else (anyone other than a pool)
04:19 < adam3us> gmaxwell: in principle picking a coinbase at random from non-pool entities could be better, though that is sybil attackable.  eg why not pick one from a power user you know who is running a full node, thats far better than trusting a pool; and also i like encouraging that the client locally submit to disrupt selfish stuff
04:19 < gmaxwell> it could be, yes, it's still handing over control... but without the barriers to entry where we seem to always have a mining oligarchy due to the obvious improvements to variance from being with a large pool in a world where miners really have few objective things to guide their decisions.
04:19 < adam3us> gmaxwell: i wonder if people like pools like a form of team-play, leaderboard thing
04:20 < gmaxwell> yes, to some extent, though I think that has mostly passed. It was certainly a big thing in the pre-asic times.
04:22 < gmaxwell> adam3us: I think that a lot of the hashers are basically just "mental bandwidth limited" and are picking "safe" popular choices, and that's why you see them paying remarkably high fees. But I'm guessing. No one is studying this... and I'm not sure how you'd go about doing it.
04:22 < adam3us> was there ever a conclusion to investigation of the double spend attack?
04:22 < gmaxwell> adam3us: they said they'd look into it, no further comments. Subsequently dropped their fees from 3% to 0%.
04:22 < adam3us> (on the satoshi-dice clone)
04:23 < gmaxwell> Just keeping up with the hardware vendors, new products and which thing is the scam of the week could easily be a full time job.
04:25 < gmaxwell> (and is the largest pool now, with 27.23% of the hashpower, though its impossible to know how much of that is actually public miners vs just cex itself, or how much of CEX mining power is "owned" by the public, vs internally owned)
04:26 < gmaxwell> In other news, 50btc still claims to have 3.2TH/s, and I think they stopped paying people over two months ago now.
04:27 < adam3us> gmaxwell: so is both a hosted mining (with public ownership or lease) and a publicly accessible pool?
04:27 < adam3us> gmaxwell: 50btc LOL ha ha
04:28 < gmaxwell> Yea, so the same party owns and is their mining pool which is available to the public (via a somewhat unfriendly registration process that involves making an account)
04:29 < adam3us> gmaxwell: bitcoin .. like swift, but where half federated nodes are run by people who don't care, don't read instructions, don't update software
04:30 < gmaxwell> is a large initially privately owned mining farm, which then created a trading market for selling hashpower to the public (and allowing the public to trade the hashpower between each other). In theory you can pay CEX to derack your hashpower and send you hardware, I'm not aware of anyone having done this. All hashpower is pointed at
04:31 < gmaxwell> adam3us: they might have cared but they just got scammed by three hardware vendors and are too busy rebooting their Raspberry Pis and praying that they'll break even.
04:31 < adam3us> gmaxwell: i am just thinking one could separate the luck pooling from the vote pooling.  then any big players keen to disavow centralization could show statistics of where the vote is being used
04:32 < gmaxwell> adam3us: yes, that's the idea behind the "coinbase only pooling" I mentioned before. It's technically simple, just needs some software development, and perhaps some bludgeoning to convince pool ops that they should support it, and miners that they should use it.
04:32 < adam3us> gmaxwell: so terminology coinbase = the pool's reward address?
04:33 < warren> adam3us: coinbase tx pays out to any defined address(es)
04:33 < gmaxwell> Coinbase being the reward transaction.
04:33 < adam3us> gmaxwell, warren: ok
04:34 < warren> adam3us: I think only eligius and p2pool payout directly to miners in coinbase tx
04:34 < gmaxwell> The idea is that the pool would just give you the transaction (plus flags for which modifications you were allowed to make to it), and you'd submit shares back.
04:34 < gmaxwell> Other pools have in the past, I'm not sure if any others do right now.
04:35 < adam3us> gmaxwell: well my way of thinking is to be aghast that the pool thinks it has any say - ie the block should contain the pool's reward addr (the coinbase) and the rest should be chosen freely by the miner :)
04:36 < warren> gmaxwell: did you already mention the huge coinbase tx issue?
04:36 < gmaxwell> sure, and it could have been that way today, except no one thought of it in 2010. ... back then the example protocol was getwork.
04:36 < adam3us> gmaxwell: i guess it's a transfer of the hashcash logic - the coinbase is the resource address, the rest is miner chosen
04:37 < gmaxwell> And a lot of miners, even pool operators, have only a very limited understanding of how this stuff actually works, so the idea that you could split up the decisions from the payment pooling was not obvious to people.
04:37 < adam3us> *** depressing state of affairs, tolerated with cynical dark humor by all
04:37 < gmaxwell> (or that you could make decentralized pools)
04:37 < gmaxwell> and now we have inertia _plus_ centralized systems are always easier.
04:39 < adam3us> i wonder if there could be an engineered dis-economy of scale, just enough to disrupt stupidity, centralized
04:39 < gmaxwell> adam3us: Well there is amiller's anti-cloud-hashing idea, but it's a bit rocket sciency, both economically and technically.
04:40 < adam3us> gmaxwell: it didn't quite work also if i recall
04:40 < nsh> (also in the sense that it uses rocket engines)
04:41 < gmaxwell> Amiller suggests that if the network would accept instead of a block you submit a zero knowledge proof that you know of a block at this position and would like to instead pay some other address. .. so anyone running a miner can trivially steal solutions.
04:42 < gmaxwell> I think it would "work" ... but it runs into problems like right now people happily give money to cloud hashing places without any evidence at all that the cloud place isn't robbing them blind.
04:42 < adam3us> gmaxwell: i wonder if momentum could work (the proof of work based on birthday collisions) we laughed at its failures but perhaps it is fixable
04:43 < adam3us> gmaxwell: seemingly a de facto proof that technical approaches have limited effect on the stupid or careless shall we say
04:43 < gmaxwell> e.g. amiller's design would totally kill pooled mining, with a possible outcome of all hashing being cloud hashing... because at least a huge centralized place has a reputation to protect.
04:47 < adam3us> so about momentum briefly. i could find no proper description of it but basically the idea is the entries in the memory table are themselves small proofs of work (25-bit?), and then the task is to find H(a)=H(b) and finally H(a,b) < target now i think the thing is the target is high enough that memory is filled quickly
04:47 < adam3us> (though i see no reason restricting memory)
04:47 < adam3us> otherwise it suffers from quadratic advantage in fast cpu & ram
04:48 < adam3us> as well as compact storage
04:48 < adam3us> (eg lossy storage like bloom filter to do a tmto to fit it into a gpu)
04:48 < gmaxwell> I'm not sure how this helps anything. I follow that you can probably set the parameters so that it doesn't create an advantage for being a larger hasher.
23:48 < midnightmagic> petertodd: they measured that which was measurable: mathematics improvements between entry and exit grades for schools
23:48 < midnightmagic> .. lol now now. the research they do is better than forming opinions in a vacuum
23:48 < petertodd> midnightmagic: ah, so they measured improvements, who had the higher scores exiting?
23:49 < gmaxwell> petertodd: not all opportunities are equal to all. I mean sure, some child of some inner city gang bangers could have traveled 4 mi to the nearest library with internet access back in 2010, and joined #bitcoin and written some bad poetry for a thousand bitcoin and be a millionaire now.  But none did.
23:49 < midnightmagic> petertodd: public schools had greater improvements when comparing identical students with identical backgrounds.
23:49 < petertodd> midnightmagic: just as easily you can explain that as private school kids started off smart and couldn't be educated much farther, or more importantly, they had better things to do with their time than focus on math improvements
23:50 < midnightmagic> petertodd: nope. they selected those ones out
23:50 < justanotheruser> midnightmagic: are you saying that schools should be segregated by income?
23:50 < gmaxwell> justanotheruser: they are already segregated by income.
23:50 < midnightmagic> as much as it's possible to know such things, there's now basically zero reason to think private schools provide a better education
23:50 < justanotheruser> gmaxwell: they bus students from poor schools to rich schools in some states
23:51 < midnightmagic> justanotheruser: nope. i'm saying private schools are lying when they claim to provide superior education
23:52 < petertodd> gmaxwell: heh, well, OTOH I know a guy from nairobi who did something not unlike that... moral of the story is raw opportunities actually don't do much in the face of culture and parents, and those are likely strongly genetically related in many ways anyway.
23:53 < gmaxwell> okay, sure, I was also binning culture and parents in with opportunities. It's not like its your fault what parents you had.
23:53 < midnightmagic> yes. adoptions help a lot with those kinds of studies too.
23:53 < midnightmagic> pretty fascinating how much people seem to be screwed if born to poor parents.
23:54 < petertodd> gmaxwell: yup, my point being blaming "society" for that kind of thing is misguided - we already do a tremendous amount
23:54 < gmaxwell> ::shrugs:: part of creating an optimally successful society is providing the infrastructure that helps people achieve their capability even if they're born into a dysfunctional family (and help family dysfunction not exist).
23:54 < petertodd> midnightmagic: gee, might have something fundamental going on...
23:55 < midnightmagic> petertodd: yeah, probably not straight genetics. some is, but parentage makes up for a lot of that. i.e. the success breeds overconfidence false loop
23:55 < petertodd> gmaxwell: yup, and frankly I *do* think we do a very good job of that and it's hard to figure out how to actually do a better job of it in most situations. I also think our efforts, especially in schools, to further level the playing field are counter-productive - e.g. closing gifted programs in favor of yet more money at the lowest scoring percentile.
23:56 < midnightmagic> imo that kind of nonsense is b-s
23:56 < midnightmagic> closing gifted student programs?! wtf
23:57 < gmaxwell> well you are in canada. So perhaps things are better done there. :)
23:57 < midnightmagic> i'll let you know. i personally appear to be one of those weird outliers.
23:58 < gmaxwell> midnightmagic: "no child left behind" (a 2001 piece of education legislation and the resulting programs) in the US is often wryly refered to as "no child gets ahead"
23:58 < petertodd> midnightmagic: well, that's how the politics of it works. I know the people running the program where I lived then fought for years to keep it open, and always had to be very careful as to how it was portrayed - specifically they stressed heavily how the kids who were in the program statisticly did *worse* than the general population for a lot of different
metrics, such as university admissions.
23:58 < midnightmagic> lol
23:59 < petertodd> midnightmagic: basically anything to avoid looking elitist
23:59 < midnightmagic> smart kids need a challenge or their study habits are nonexistent. yeah that makes sense what you're saying.
23:59 < gmaxwell> Se also:
23:59 < gmaxwell> er see*
--- Log closed Wed Jan 15 00:00:03 2014
--- Log opened Wed Jan 15 00:00:03 2014
--- Day changed Wed Jan 15 2014
00:00 < petertodd> midnightmagic: heh, well with a challenge that was true too, but anyway :P
00:00 < andytoshi> gmaxwell: i can say from personal experience that public schools in BC are not run effectively, they are very much "no child gets ahead" and they were an absolute hell to get through
00:00 < midnightmagic> hehe
00:00 < gmaxwell> I know a number of _good_ high-school teachers who left teaching due to the effects of that legislation.
00:00 < petertodd> gmaxwell: can't blame them, that stuff is just depressing to deal with
00:00 < midnightmagic> andytoshi: you think so? i had the exact opposite experience in BC
00:01 < andytoshi> midnightmagic: i was in cloverdale, it is the cowboy town beside langley, they had no gifted programs
00:01 < midnightmagic> vancouver. interesting.
00:02 < andytoshi> midnightmagic: i finished every hs math class by the end of grade 9, then no more math. 'science' was watching bill nye videos and doing handouts, i was typically done the work for the day in about 15 minutes, then 6 hours or so of staring at walls
00:02 < midnightmagic> i was in the interior, they specifically pushed the smart kids into beneficial grade programs for university entrance.
00:02 < andytoshi> midnightmagic: eventually i found some good teachers who helped me game the system, and i got out 18 months early
00:02 < petertodd> andytoshi: ha, ironic how my highschool was an "inner city" one with a population of almost entirely recent immigrants, very poor, with significant gang violence and... I had a much better experience
00:03 < andytoshi> 2 years early* i stuck around to finish my phys. ed. requirements :P
00:03 < andytoshi> so i don't count that semester as hs
00:03 < petertodd> andytoshi: and then my brother was in a hs in one of the richest parts of the city, upper-upper-middle-class, and... actually lots of gang violence *in* the school, and shit academics.
00:03 < andytoshi> petertodd: fascinating
00:04 < andytoshi> there is a lesson here about anecdotal evidence i'm sure :)
00:04 < midnightmagic> my hs teachers did the optional calculus prep stuff. probably for my specific benefit actually, the rest of the kids were rolling their eyes.
00:04 < andytoshi> maybe we should apologise to midnightmagic for calling his sociologists stupid
00:04 < petertodd> andytoshi: hehe, toronto is not a good source of typical demographic data :)
00:04 < midnightmagic> lol a.k.a. my wife.
00:04 < midnightmagic> no apology necessary, it's a well studied phenomenon.
00:04 < midnightmagic> er.. *non
00:05 < petertodd> andytoshi: over 50% of the toronto population wasn't even born in canada
00:06 < midnightmagic> well, without immigration our pop would be shrinking. :-)
00:06 < midnightmagic> would suck if canada died.
00:06 < andytoshi> petertodd: this is true of vancouver as well, though probably not in cloverdale where i was
00:06 < gmaxwell> Oh I GEDed out of school the moment it was permitted, in florida by statute the GED is absolutely equivalent to a highschool diploma, you even get the same paper the normal graduates get. Was kind of a no brainer. I took the test cold two days after my birthday (earliest time offered) scored a 99th percentile. It was trivial stuff. ::shrugs:: I understand that it wasn't too uncommon to do this in the 70s but the schools fought ...
00:06 < gmaxwell> ... back against it with a bunch of FUD because it was draining them of their most academically capable students.
00:06 < andytoshi> oh, cloverdale is right above white rock, from silk road hitman fame :)
00:07 < andytoshi> so i'll stop saying 'near vancouver' here
00:07 < petertodd> andytoshi: what's the kind of immigrants that vancouver gets anyway? asia? middle-east?
00:07 < midnightmagic> andytoshi: i'm confident nobody thinks you're that guy lol
00:07 < midnightmagic> ha ha ha awesome
00:07 < midnightmagic> petertodd: asian, then east indian
00:07 < gmaxwell> I was impressed by the density of asian people in vancouver.
00:07 < andytoshi> petertodd: east asia, mostly china and the Philippines, then india
00:08 < petertodd> gmaxwell: sheesh, that kinda sucks that you were in a position where that made sense
00:08 < midnightmagic> richmond doesn't even have english signage in some places.
00:08 < petertodd> andytoshi: oh, interesting, toronto seems to get much more from the middle east
00:09 < midnightmagic> gmaxwell: how old were you re: GED?
00:09 < midnightmagic> (wife is curious)
00:09 < gmaxwell> 16.
00:09 < petertodd> andytoshi: OCAD had a *tonne* of Iranians for instance
00:09 < midnightmagic> nice.
00:09 < andytoshi> gmaxwell: that's awesome, i wish i had that option
00:09 < andytoshi> maybe i did, it didn't occur to me
00:10 < midnightmagic> i skipped a grade, grad'd at 17. skipping a grade was really horrible. not recommended.
00:10 < midnightmagic> petertodd: what's OCAD?
00:10 < andytoshi> petertodd: interesting, i've only met one iranian
00:10 < petertodd> midnightmagic: I think one of the things the gifted program did a good job at was giving kids reasons not to skip grades...
00:10 < midnightmagic> I love Iranians they're awesome
00:10 < petertodd> midnightmagic: <- art school I went to
16:45 < amiller> it says that the inputs are all linked together because they're in the same wallet
16:46 < amiller> that really isn't true, coinjoin makes use of the fact that's not true, you can sign a tx if you know one of the txinputs without knowing the other keys
16:46 < amiller> nor is it the case that the output is linked to the input
16:46 < amiller> coinjoin relies on that too
16:47 < gmaxwell> Yes, this was written by someone who didn't know about CoinJoin
16:47 < amiller> the only advantage of this thing is the incrementalness and that's kind of irrelevant
16:47 < gmaxwell> As a pure anonymity tool I think this is not very helpful over coinjoin. Agreed.
16:48 < gmaxwell> it's a little helpful because it's more loosely coupled.
16:48 < gmaxwell> But the anti-censorship, pro-relaying, and compression properties are potentially more interesting.
16:49 < gmaxwell> my reply points out that its not that interesting for anonymity.
16:49 < gmaxwell> "I'm glad to see someone with an aggregate signatures proposal.  From an anonymity perspective, I believe a cryptographic approach is unnecessary, and they are very difficult to deploy, but still may be useful in the future."
16:52 < gmaxwell> amiller: one sort of annoying property is that in some cases this can't achieve anonymity as good as coinjoin!
16:53 < gmaxwell> E.g. all the users for this block join a coinjoin, they use a SMPC sort to distribute their requested output addresses among each other.
16:54 < gmaxwell> There is no way to achieve that level of anonymity with this one way aggregation scheme.
16:56 < gmaxwell> amiller: you could reply to that thread and point out they got the linking stuff wrong. :)
16:56 < amiller> *am already doing so*
16:58 < gmaxwell> (I didn't even notice, I'm so used to _everyone_ getting that wrong)
17:01 < jgarzik>
17:01 < jgarzik> The problem, however, is that this new digital environment features agents that are not only making decisions faster than we can comprehend, they are also making decisions in a way that defies traditional theories of finance. In other words, it has taken on the form of a machine ecology, one that includes virtual predators and prey.
17:01 < jgarzik> Consequently, computer scientists are taking an ecological perspective by looking at the new environment in terms of a competitive population of adaptive trading agents.
17:01 < jgarzik> "
17:03 < gmaxwell> jgarzik: did you ever see the textbook on amazon that was a billion dollars?
17:04 < jgarzik> heh, saw a screenshot
17:05 < jgarzik> one of the many Themes Garzik Harps On is that computer scientists should be looking at biology for models, theories, and correlations
17:06 < jgarzik> distributed computing, especially decentralized computing, is all about organic behaviors like herds, infections and inoculations, swarms, emergent behaviors, ...
17:07 < jgarzik> Just like human beings, they stop being purely predictable engineering systems behaving within set parameters and become organic feedback systems
17:08 < jgarzik> A really fun problem is decentralized auctions, eBay-style
17:08 < jgarzik> How to fairly handle the final few seconds of a real time auction?
17:09 < jgarzik> sniping is a DoS of sorts
17:09 < gmaxwell> yea, "don't hold that kind of auction"
17:09 < gmaxwell> if you do sealed bid auctions the problem goes away.
17:09 < jgarzik> or Dutch
17:13  * jgarzik wonders the name for this style of auction:  wait X duration after last bid, then close auction.  if someone bids, timeout clock resets to X.
17:18 < jgarzik> How to integrate bitcoin with a sealed bid auction, in a least-trust method?  Is there any way to (a) prove you will spend the funds if you are the winner while (b) not spending the failed bids?
17:18 < gmaxwell> yes, make all the bid transactions conflict a single input. Only one can make it into the blockchain.
17:18 < jgarzik> Certainly an auction robot could accept bids, then refund the losers.  Any way to avoid the robot stealing the funds from the failed bids?
17:19 < jgarzik> conflict?
17:19 < gmaxwell> They all spend input X.
17:19 < gmaxwell> (and other inputs to pay for their bid)
17:19 < jgarzik> seems vulnerable to griefing
17:20 < gmaxwell> easy to fix.
17:20 < gmaxwell> (I think).
17:21 < gmaxwell> The person selling the thing has 1 BTC. You are a bidder ... you write a transaction spending that 1 BTC and he signs for it.
17:21 < jgarzik> My naive scheme:  robot announces "private key for 1 satoshi is $this" to channel, and everyone writes a transaction that spends a satoshi + their auction bid input
17:21 < gmaxwell> if the signature is a SIGHASH_SINGLE then he doesn't have to see your bid.
17:21 < jgarzik> but a griefer might just spend the bitcoin outside of the loop
17:22 < jgarzik> ah, duh
17:22 < jgarzik> no need to give out the private key, just have auctioneer sign it. understood.
17:23 < jgarzik> neat
17:23 < jgarzik> auctioneer announces the anchor transaction for the auction (the input everyone spends), and people bid from there
17:26 < jgarzik> This would be a fun demo to write.  A little HTTP-based auction server, modeled after bittorrent trackers.  Just keep track of abstract metadata on the auction, zero content (for privacy / deniability).
17:27 < gmaxwell> now a trickier thing to do is to make it into a secure _second price_ auction.. now that I don't know how to do. :P
17:27 < gmaxwell> (that's a sealed bid auction where the highest bidder pays the next highest price)
17:29 < jgarzik> I think the "bid-extends-timeout" solves the game theory motivation to DoS in the final seconds of the auction
17:30 < jgarzik> unfortunately, IIRC, bid-extends-timeout was also used on a couple notable click-lottery "buy a plasma TV for $75!" pseudo-auction sites.
17:31 < gmaxwell> I think either sealed bids or bid extends timeout solves the dos. sealed bids also discourage self dealing. (e.g. the seller bids up the bidders to try to get them to bid more, if he accidentally wins, oh well, no biggie)
17:32 < jgarzik> petertodd, I need to get a little demo website going, that helps people timestamp their SINs
17:32 < jgarzik> for a tiny fee, of course
17:32 < jgarzik> gmaxwell, good point
17:33 < jgarzik> gmaxwell, from my reading it sounds like sealed-bid and Dutch might tend towards a slightly lower final price than eBay style
17:33 < jgarzik> so economics might pull sellers towards ebay-style / bid-extends
17:34 < jgarzik> -EFAMILY.  Might write that HTTP server tonight, hmmm :)  *poof*
17:34 < gmaxwell> The economics wanks will tell you that the sealed bid second price auction is the optimal thing. They even gave someone a nobel prize for it.
17:35 < gmaxwell> But since I dunno how to make a direct bitcoin one of those... simpler is probably better. :P
17:59 < gmaxwell> This stanford pairing based crypto library is pretty nice.
18:30 < gmaxwell> Okay, I've successfully got that signature scheme working.
18:51 < maaku> jgarzik: except for some minor warts ebay is a Vickrey auction, which is ideal for both buyer and seller (the proof won Vickrey the nobel prize gmaxwell alluded to)
18:56 < maaku> jgarzik: you might also be interested in :
19:04 < gmaxwell> maaku: hm? how is ebay a vickrey auction? it's not sealed, the winner is the highest price and pays their offered price.
19:05 < nanotube> gmaxwell: nope. you can set a max bid of 1000, but you'll only pay a bit above second highest.
19:05 < nanotube> and nobody will learn what your sealed bid is, until you're outbid.
19:05 < gmaxwell> oh! of course, that proxy bidding makes it effectively second price (plus bid increment)
19:05 < nanotube> so you /could/ use it as a plain second-price sealed bid auction - just post your maximum, walk away.
19:06 < nanotube> that people don't and try to snipe and crap is just how people are. :P you don't have to join them.
19:06 < gmaxwell> maaku: nanotube: thanks, I didn't realize that before. (You can tell I haven't used ebay much ever and not at all recently)
19:07 < nanotube> mm :)
19:07 < gmaxwell> okay, well, I dunno how to do that with bitcoin without a trusted party or non-trivial multiparty computation.
19:07 < gmaxwell> a simple auction where people throw out bids and only one happens is easy however.
19:08 < nanotube> what's your scheme, briefly, for doing the latter
19:10 < gmaxwell> nanotube: Alice holds an auction, alice advises everyone of some bitcoin she holds and an address to pay to.  You want to bid. You write a transaction spending some of your coins and alice's coin that pays to alice (and if any chance back to you). You sign it and give it to alice.
19:10 < gmaxwell> all the other bidders do the same.
19:10 < gmaxwell> When alice gets bored, she signs and announce the transaction.
19:11 < nanotube> ah, cute! and obv there's no way to force alice to sign second highest bid rather than highest....
19:12 < gmaxwell> well you want the highest bidder to pay the second price. :P
19:12 < gmaxwell> it's easy to do with a semitrusted oracle.
19:13 < gmaxwell> e.g. Oscar the observer watches the bids and his signature is required for the auction to be completed.
19:13 < gmaxwell> and then oscar can enforce whatever rules he likes.
19:13 < nanotube> well, the good part is that theory says (as i recall) that the expected proceeds are the same from a second price or a first price auction
19:13 < gmaxwell> I thought first price encouraged bidders to underbid?
19:13 < nanotube> in expectation, in a second price auction people have the incentive to bid their true value. in first price, bidders shade their bids
19:14 < nanotube> but "on average" they should produce the same outcome, price-wise
19:14 < nanotube> at least if i recall my auction reading correctly. been a while :)
16:11 < andytoshi> nsh: you can always study set theory if this dichotomy bothers you ;)
16:13  * nsh smiles
16:14 < nsh> (set-theoretical approaches, e.g. fuzzy logic, are still fundamentally predicated upon bivalent membership identity, and can do more than concealing the dichotomy at a lower level of analysis)
16:16 < nsh> (a really non-binary system of logic has values that are qualitatively different to truth and falsity, rather than shades of the two)
16:18 < andytoshi> i meant, you can reject the law of excluded middle and do logic that way..
16:19 < andytoshi> i don't know what field those people claim to be part of
16:19 < andytoshi> without making any claims as to what's in the middle
16:20 < andytoshi> hmm, you're still right, it's either true or not --- and false or not
16:20 < andytoshi> perhaps you should study zen then
16:24 < nsh> it's not just the law of the excluded middle. that's one pillar of bivalence. the other is the law of non-contradiction. every A is A, no A is not-A
16:25 < nsh> it's difficult to imagine a system without the law of non-contradiction. whether this is a reflection of a universal truth [sic] or a result of our historical mathematical/logical/linguistic enculturation is an open question :)
16:25 < jtimon> A + 0 = A, A + 1 = 1
16:27 < andytoshi> you don't need much in the way of axioms for a single contradiction to imply every statement is true..
16:28 < andytoshi> so it's definitely baked pretty hard into historical logic
16:28 < andytoshi> i'm not familiar with the attempts to fix this non-robustness
16:29  * nsh nods
16:31 < nsh> there is a body of work due to Lukasiewicz but it's accompanied by an unfortunate tendency of later thinkers to reduce it back to bimodality
16:33 < nsh> More recently A. S. Karpenko. it's my occasional hobby to casually read up on it, but more slips past me than sticks, as with most matters
16:35 < nsh> discussed in some detail here: but unless you have predilection to wading through schizoform word salad it might not be much use to you :)
16:36 < andytoshi> 'fraid not :)
16:36 < nsh> fair enough
16:52 <@gmaxwell> pigeons: I thought beertoken was backed by some promise to deliver beer (not just one bottle, but some larger quantity as set by some kind of board or something)
16:59 <@gmaxwell> jtimon: I've seen a number of pretty concerning technical behaviors from coinbase, so I'd believe any random thing.
17:58 < pigeons> gmaxwell: there wasn't a beertokens committee, it was just steve, and yes like all these things from silver certificates to mtgox usd it ultimately comes down to a promise
17:58 < pigeons> the promise was to redeem each beertoken for one bottle of a specific type of beer that steve liked and was common in thailand where he lived
17:59 < pigeons> but he didn't buy the beer and refrigeration and storage, he backed it with bitcoins, which brought up a problem as bitcoins decreased in value a lot from when he set them aside
17:59 < pigeons> he ended up buying more coins to make up the difference
18:01 < pigeons> and guys, BigDataBorat says "My contact at Coinbase say use of MongoDB strictly for reason of give client plausible deniability."
18:01 < pigeons>
18:01 <@gmaxwell> what the heck does that mean?
18:02 < pigeons> "Estimate of MongoDB's value vary, one replica say $700m, one replica say $1.2 billion, one replica say 1.5 billion."
18:02 <@gmaxwell> "when we stole all the coins we could plausably deny it being theft?"
18:02 < pigeons> yes that's what it means
18:03 < Luke-Jr> lol
18:04 < nsh> hi orperelman. i liked your work on the poincare conjecture
18:04 < nsh> thanks for inventing bitcoin :)
18:05 < nsh> (i'm not personally sure ricci flow with surgery is a valid technique, but i'm not a topologist)
18:48 < maaku> andytoshi: isn't that constructivist math? (removing the law of excluded middle)
19:06 < andytoshi> maaku: yeah, that's the name for doing mathematics that way (e.g. rejecting proofs by contradiction)
19:07 < andytoshi> there are subsets of logic (which i have ~0 knowledge of) which do things like fuzzy logic and try to make this concrete
19:08 < andytoshi> my girlfriend was into constructivist math for a short while, not believing in anything that wasn't computable
19:08 < andytoshi> but it's nearly impossible to do a lot of classical mathematics that way
19:22 < nsh> depends how you define "doing mathematics"
19:22 < nsh> :)
19:23 < nsh> as a pursuit of noble platonic truths, or as a means towards solving practical problems...
19:24 < nsh> i'm not sure there are many engineering artifacts that are based predominantly on an existential proof
19:24 < nsh> hmm, not so sure, now i think about it a bit more
19:53 <@gmaxwell> they're not unrelated.
19:53 <@gmaxwell> if you find some totally abstract "noble platonic truth" it can be a bridge that solves a practical problem.
19:53  * nsh nods
19:55 <@gmaxwell> e.g. there is a bunch of NP proof stuff where you can show a proof system is sound by reducing it to a 2d graph coloring problem, and then show that if the system is unsound it would contradict four coloring, which otherwise is kinda useless trivia.
19:56 < nsh> right, came across that recently in a talk, funnily enough
21:44 < maaku> but ultimately you have to reduce it to be constructivist to enter the realm of engineering
21:45 < maaku> e.g. if you look at real numbers constructively, you get this funny thing called numerical analysis ...
21:47 < nsh> analysis was pretty practical when it came to aiming cannon :)
21:48 < nsh> computers are still named after the art of ordnance in french...
21:55 < nsh> (philosophically, it fascinates me that the assumption of the continuum, even though actual algorithmic infinities are avoided, yields such powerful results in analysis. we can calculate things in continuous sets that would suffer combinatoric explosion over discrete structures...)
21:56 <@gmaxwell> Stirling's approximation <3
21:57 < phantomcircuit> wtf
21:57 <@gmaxwell> being able to answer questions like from an infinite distribution of 50/50 true/false how likely is it you'd draw 30 and get 5 true... answering it combinatorially is impossible.
21:57 < phantomcircuit> i just noticed google wallet is still using
22:00  * nsh nods
--- Log closed Sun Dec 22 00:00:17 2013
--- Log opened Sun Dec 22 00:00:17 2013
03:36 < Emcy> tls 1.0 1024bit rsa
03:36 < Emcy> and my browser doesnt trust the CA anyway :/
03:37 < Emcy> "Besides the usual digital infrastructure with Wifi, telephone etc., 30C3 will feature for the first time a pneumatic tube system, with the pretty name Seidenstrasse."
03:37 < Emcy> wut
03:39 <@gmaxwell> oh fun, something BIP32 like cannot be used with ed25519.
03:40 <@gmaxwell> or rather, not with standard implementations.
03:40 <@gmaxwell> they rig the multiplier so that the most significant bit must always be 1.
03:41 < Emcy> whats ed25519 again
03:50 < maaku> Emcy: DJB's crypto
03:51 < maaku> gmaxwell: can ed25519 be easily modified to make it work?
04:06 <@gmaxwell> maaku: the curve is fine, the constant time multiplier implementation
04:21 <@gmaxwell> y'all see the deck of cards secret key agreement thing? brilliant.
04:24 <@gmaxwell> Take a regular deck of cards. Shuffle it.  Then split the deck in half. I give you one half, I take the other. Tada. We now have a ~51 bit shared secret: each card either ended up with you or me (we lose a bit from the definition of who is 1/0 being arbitrary)
04:31 < maaku> gmaxwell: yeah i posted in the armory thread that a shuffled deck of cards makes a good inconspicuous private key
04:31 < maaku> and 51 bits for a shared secret is plenty good enough for many protocols
04:33 <@gmaxwell> maaku: damn, and when I moved I think I tossed a box with like 50 decks of cards in it. (marketing swag from my prior employer, two corporate brandings old)
04:33 < maaku> if i ever worked border security, i'd shuffle any deck of cards I come across
04:33 <@gmaxwell> the shuffling isn't required!
04:33 <@gmaxwell> if you split a deck then just membership in one person's side or the other is the data! not the permutation!
04:36 <@gmaxwell> works with two decks too. e.g. take two decks shuffle and split. then membership in one side or another is the key though you lose quite a few bits there due to dupes. (e.g. log2(3^52)=82.4 minus 1 bit for parity... three states, because both cards ended up on one side, or both on the other, or each person had a card)
04:37 <@gmaxwell> and the permutation doesn't matter.
04:39 <@gmaxwell> the bummer is that cards aren't printed on both sides. if they were inputting your key would be easy: just spew the cards out on a table and take a picture.
04:47 < maaku> gmaxwell: reverse the orientation of one deck
04:48 < maaku> or use different colored back
04:52 <@gmaxwell> yea, that gets you some more bits, but I guess it's not so hard to place all the cards face up for photographing.
04:55 < petertodd> also worth considering that there are tonnes of common games in card format that can be used for this stuff, IE magic the gathering cards have well-defined "multiverseid's" worth at least a few bits each, and a deck's contents can be turned into the key based on a sorted list of all such card ids
04:55 < petertodd> though the border guards would probably be wondering why a guy as cool looking as myself has MTG cards; I'd have to explain it was for a friend
04:56 <@gmaxwell> petertodd: the thing that I found neat was just that you could convey so many bits by which side got the card, and be completely robust to ordering
04:57 <@gmaxwell> it means that I can keep a stack of sealed cards in my bag. meet you, totally unprepared, open the cards shuffle split, and we walk away with a relatively easily entered shared secret that doesn't look too conspicuous
01:33 < andytoshi> so if we can efficiently loop through these partitions we can brute-force the problem from here ... provided we have fewer than, say, 45 inputs and 45 outputs
01:33 < gmaxwell> there is probably some trivial greedy preprocessing that can be done.
01:34 < gmaxwell> Obviously you should merge all inputs with the same scriptpubkey and all outputs with the same scriptpubkey.
01:34 < gmaxwell> and force any input/output pair with the same scriptpubkey to be connected, perhaps, (e.g. just remove the output and deduct the input)
01:35 < andytoshi> oh, this is true .. coinjoin already merges outputs, but it doesn't have knowledge of the inputs
01:35 < gmaxwell> well your coinjoin does, but of course I was thinking in terms of an abstract tool that could be run on any transaction.
01:36 < CodeShark> are we talking generalized coin selection optimization?
01:36 < gmaxwell> then there may be other outputs which are forced which I think can be found in a greedy way.
01:36 < gmaxwell> hm.
01:36 < CodeShark> or is this some specific problem?
01:37 < andytoshi> CodeShark: we are looking at "given some transaction, what is the maximum possible number of participants?"
01:37 < gmaxwell> CodeShark: no, talking about taking a transaction and identifying the maximum number of coinjoin participants under reasonable constraints.
01:37 < gmaxwell> (reasonable constraints like the CJ participants not giving away their money)
01:38 < gmaxwell> CodeShark: e.g. what is the largest plausible number of participants in this transaction:
01:39 < CodeShark> so the minimum is obviously one, the maximum is the number of inputs with distinct redeemscripts, yes?
01:40 < andytoshi> well, if there are fewer outputs than inputs, then the total number of outputs could be the maximum
01:40 < gmaxwell> CodeShark: nah, because there may be no plausible flow.  For example, say you had 10 distinct inputs.. and 1 output. There is only one participant (under reasonable constraints)
01:41 < CodeShark> ok, so maximum = min(distinct input scripts, output scripts)
01:41 < gmaxwell> nah, because if you constrain them to not throw away values you must look at the values.
01:42 < andytoshi> no, there still might not be a plausible flow .. eg if there are 10 inputs and 10 outputs
01:42 < gmaxwell> Say you have 50,.5,.5 in and 25,25,1 out.
01:42 < andytoshi> and one input is massive, all the others are 0.1, and every output is 0.2
01:42 < gmaxwell> In that case you have a maximum of 2.
01:42 < CodeShark> right, my bounds were very weak
01:43 < gmaxwell> yea, you're giving loose bounds, we want the tight maximum bound. As its a measure of privacy the coinjoin provides.
01:43 < andytoshi> it would be nice if 1 wasn't always plausible :)
01:44 < andytoshi> even a lower bound would be useful if it was nontrivial
01:44 < CodeShark> what if we simply required all inputs to be the same value? then each participant would first have to create outputs of specific denominations
01:44 < CodeShark> and join a transaction of a particular denomination
01:44 < gmaxwell> 1 being plausible is good because it's also what makes ordinary txn look potentially like CJs. :P
01:44 < CodeShark> yeah, ok :)
01:45 < andytoshi> CodeShark: well, that makes CJ's stand out, and it's also easy to work around by just going back one layer in the transaction dag
01:46 < gmaxwell> andytoshi: hm. interestingly, I think the maximal maximal count may not always have the highest entropy!
01:46 < andytoshi> and then you've even got free association information from the homogenizing transactions
01:46 < andytoshi> gmaxwell: that is interesting, and that feeling is why i don't think we can do this 100% greedily
01:46 < andytoshi> but for me, for now, it is just a feeling ..
01:48 < CodeShark> I'm not even entirely clear on coin selection optimization within a single wallet, let alone coinjoin :p
01:48 < andytoshi> well, coin selection (to evade this analysis) is an even harder problem, i think
01:49 < CodeShark> if we want coinjoin to be obscure, we want it to mimic typical coin selection strategies for common wallets
01:49 < gmaxwell> can't, goals are to different, instead wallets should mimic coinjoins. :)
01:49 < gmaxwell> s/to/too/
01:49 < gmaxwell> coinjoins can't be fully obscure simply because >2 outputs are rare.
01:51 < CodeShark> yeah, true - and while there's a good use case for sendmany from servers, for typical interactive users, these use cases are more rare
01:52 < gmaxwell> andytoshi: e.g. there may be some mapping that gives you N users but is unique, e.g. only 1 N user path between inputs and outputs.  But then there is some <N mapping where it is non-unique.
01:53 < andytoshi> oh, fascinating
01:53 < andytoshi> what on earth can we say about that?
01:53 < andytoshi> about its anonymity*
01:54 < gmaxwell> well for a coinjoin over all you could just count all plausible mappings (for all possible N) and the coinjoin's entropy is log2(that).
01:55 < gmaxwell> e.g. 50,.5,.5 in and 25,25,1 out has an entropy of 1 bit.
01:55 < andytoshi> hmm, if that is the most useful metric than it saves us the trouble of doing all this optimization
01:56 < gmaxwell> I dunno that it does, because you still have to reject implausible mappings.
01:56 < andytoshi> if we loop over every possible mapping, that's easy, just a bunch of addition
01:57 < gmaxwell> Finding the maximum N is just a subset of the problem.. it's just the highest N for which there remain any plausible mappings.
01:58 < andytoshi> yeah, but we can use a weak upper bound for N in this case
01:59 < andytoshi> i wonder if we want to compute something sharper: the entropy of the individual outputs
01:59 < andytoshi> (it's really not clear to me how to define that)
02:00 < gmaxwell> the interesting thing about output entropy is that it's not independent.
02:01 < gmaxwell> e.g. output X could have come from input 2 if and only if output Y didn't.
02:02 < andytoshi> we can arrange these possibilities in a giant decision tree, and compute some sort of entropy on that..
02:03 < andytoshi> there is also something called mutual information
02:03 < gmaxwell> I guess measuring per output has some useful properties.. since in a wallet you'd want to know e.g. which of your inputs are tainted.
02:03 < andytoshi>
02:04 < gmaxwell> andytoshi: I'm trying to come up with a "conservative" version of it which isn't trivial.
02:04 < andytoshi> (this was a question my supervisor asked about whether he could apply some tool called 'diversities' (i have a single-author paper on the analytic properties of these) to computing mutual information)
02:04 < gmaxwell> E.g. assume the attacker knows "a lot" about the other outputs, what is your entropy. The problem with that is that the obvious form of a lot is "knows all the other outputs" in which case the entropy is 0
02:05 < andytoshi> now, what this tells you is that "all the other outputs" is strongly coupled to your output
02:05 < andytoshi> maybe you want to know, how strongly are my various outputs coupled to each other?
02:06 < gmaxwell> andytoshi: mutual information is just the joint entropy minus the conditional entropies.
02:07 < gmaxwell> andytoshi: well I'd like to be able to answer how tightly my keys (inputs or outputs) are coupled after a transaction. So that I can decide to group the keys and freely merge them in future txn if they are too tightly coupled.
02:07 < nsh> hmm
02:08 < andytoshi> yeah, so this is a more useful thing to wonder about than "how tightly coupled are all the outputs of this specific transaction"
02:08 < gmaxwell> interestingly, even when paying someone without coinjoin the number of players is 2 and we can talk about the coupling in the change output(s).
02:09 < gmaxwell> though the most entropy we can have in a single output when there are only two players is 1 bit.
02:10 < andytoshi> here is a selfish question: if we take the definition of diversity from page 2 of , can we describe this coupling as a diversity?
02:10 < andytoshi> (it is selfish because if the answer is yes, then i can perhaps finagle a publication while still doing something useful for bitcoin)
02:12 < andytoshi> describe some measure of coupling*
02:13 < gmaxwell> I must confess, the first sentence of the abstract triggered turboencabulator-detection for me.
02:14 < gmaxwell> ( )
02:15 < andytoshi> hahaha
02:16 < andytoshi> what is meant by that claim is, "this is used by biologists for some tree-calculation something", which is true but not anything i know anything about
02:16 < andytoshi> i admit, the core of that paper is almost cartoonishly "mathematicians inventing problems for no reason except to have fun solutions"
02:19 < andytoshi> but here is a paper relating this stuff to flow problems:
02:19 < andytoshi> so i am not blowing smoke when i suggest that it's applicable :)
02:20 < gmaxwell> I think for any of this stuff you could imagine some hypothetical 'mixer' with perfect knowledge of the inputs to output mapping, and just measure the entropy of his knowledge. It gets more interesting when you consider graphs with many coinjoins.
02:20 < gmaxwell> esp if the many coinjoins are not wired up like a switching network, so that the inadmissibility of multiple inputs later deanonymizes earlier coinjoins.
02:20 < andytoshi> yeah, i think that's the most useful thing for the joiner itself to output
02:21 < andytoshi> but if, for example, some output always winds up matched to a certain input, the owner of that output would like to know this
02:22 < gmaxwell> yea. indeed. though at least that can be solved purely locally.
05:59 < gmaxwell> I mean, I think I now have a mental model to predict miner behavior somewhat... which mostly seems to work. But it basically starts with the premise that miners are uninformed and somewhat lazy. When they try to get informed they get overloaded quickly.
05:59 < warren> I haven't been paying attention to the Bitcoin pools.  The first and only bitcoin pool I ever used was p2pool. The issue preventing Litecoin pools from spreading hashrate out more is there is a tiny quantity of competent pool operators capable of keeping their software secure against exploits and robust against DDoS attacks.
06:00 < warren> There existed a few massive pools in the past who killed themselves with a payout bug
06:01 < warren> and a few just don't recover from a DDoS attack
06:01 < gmaxwell> The algorithm for selecting a pool looks like: look at the pie chart on bc.i. Compare a couple of the biggest pools. Find nothing really distinguishing between them, pick the largest.
06:01 < warren> The survivors could be behind killing their competition.  We have no way of knowing.
06:02 < adam3us> its puzzling indeed that there appears no model to get financing for core dev work that must happen for bitcoin to progress, despite there being $3b resting on it
06:02 < gmaxwell> p2pool almost doubled in size in the weeks following convincing bc.i to stop hiding p2pool on their chart.
06:02 < warren> percentage wise of global hashrate, how much did it peak at before?
06:02 < adam3us> gmaxwell: can't people run multiple independent instances of p2pool to scale it?
06:03 < gmaxwell> adam3us: sure, actually in the past some people have run it privately.  But there shouldn't /need/ to be multiple ones to scale it.
06:03 < warren> adam3us: Litecoin Dev raised $xxk in donations, we're spending a portion of that on various things, mostly security related development that could benefit Bitcoin too.
06:03 < adam3us> (you guys should be sleeping btw:)
06:03 < warren> I know =(
06:04 < adam3us> warren: esp you if you're in hawaii
06:04 < adam3us> but yeah about dev its really rubbish and disappointing the rate of progress and funding ..
06:05 < adam3us> eg colored coin i thought has a lot of potential and yet the progress has been really slow; there are some people trying to get professional funding now (company, biz plan etc) so maybe that'll create something open
06:06 < gmaxwell> the people getting funding are doing mostly terrible things, see also: mastercoin
06:06 < warren>  <---- Bitcoin 0.8.5 + Litecoin 0.8 patches (minus the litecoin protocol)
06:06 < adam3us> (though coloring in a way that creates bitcoin dust is something i am not keen on; must be a better way to do it with side-chains if they just thought about it)
06:06 < gmaxwell> adam3us: thinking gets in the way of spending time on posts and fundraising. :)
06:06 < adam3us> warren: that is bitcoin omg link? yes i was hyped when i saw that
06:06 < warren> gmaxwell: omg, and quite a lot of funding with zero code
06:07 < gmaxwell> warren: I liked it when I asked them to use OP_RETURN instead of their garbage addresses and got told that they couldn't because they were currently creating all their mastercoin transactions by hand in a bc.i web wallet.
06:07 < adam3us> mastercoin, yes that was terrible, and it surely will fail because of the negative regard people will hold the premine in
06:08 < gmaxwell> (I stopped complaining in public about it at that point... "okay, this is going to fail on its own")
06:08 < TD> i concluded that ages ago
06:08 < TD> the whitepaper was nonsensical
06:08 < warren> gmaxwell: they tried to hire me to work on client software.  I told them to do the majority of their crap off-chain...
06:08 < adam3us> but they actually got money in a way which is disreputable
06:08 < adam3us> an yet the people doing reputable things seemingly do not
06:08 < gmaxwell> yea I ignored it initially because the whitepaper was nonsensical, then I suddenly started seeing lots of dust transactions on the network, and went searching for the cause.
06:09 < adam3us> so this is going to drive more disreputable things unless msc crashes and burns
06:09 < TD> it seems to hit the sweet spot where it seems technically credible enough to pull in a lot of suckers, but not quite credible enough to actually work
06:09 < warren> TD:
06:10 < TD> lol
06:10 < gmaxwell> adam3us: yea, look at all the altcoins (not even talking about ltc here, the zillions of other ones)... some of them have managed to monetize pretty well on the exchanges with patches that did little more than change the name of the software... its really depressing.
06:10 < adam3us> TD: to my reading the msc paper was a list of noble aspirations with no indication of how or even if they could be achieved technically, plus the disreputable invest now for big discount, limited time offer like say timeshare sales
06:11 < adam3us> the protoshares by bitshare is barely better
06:11 < gmaxwell> Or _usefully_ achieved technically.  E.g. "p2p replacement for mtgox!"  uhhhh..
06:11 < TD> i try to stay positive. what this shows is there's tremendous demand for cryptocurrency technology that works
06:12 < gmaxwell> s/ that works//
06:12 < TD> yes. but there's even more demand for stuff that works!
06:12 < gmaxwell> There is a tremendous demand for promises of future riches.
06:12 < adam3us> pts are not even anything, just a bitcoin alt-coin as a place holder until / if they finish coding their bitshare system, with a promise that you own 10% of bitshares, but they screwed up their params almost as badly as terracoin and mined 1/4 of issue in 1 week that was designed to take 3months
06:12 < gmaxwell> Something which works but due to honesty and understanding can't promise future riches... not clear there is much demand.
06:12 < TD> yeah. well. that's certainly one possibility.
06:13 < adam3us> TD: i am not sure, i had a look at the pts irc channel an it seems most of the miners had no clue why or what it is, they just wanted in early in case it went somewhere
06:13 < TD> i think people get hyped due to second order effects though. "i want this cool tech because it will make bitcoin more useful and thus more valuable:
06:13 < TD> but it's MUCH harder to build it than just promise the moon
06:13 < adam3us> the guy bytemaster? bitshares cto - was slapping out unsigned binaries on non SSL - very scary
06:13 < gmaxwell> TD: both bitshares and mastercoin have directly traded on that thinking even where it made no sense.
06:14 < gmaxwell> (claiming that they were enhancements to bitcoin, where in the case of esp bitshares I am unable to find any relationship with bitcoin at all except them exploiting the name in their marketing)
06:14 < adam3us> gmaxwell, TD: oh yes and when pts params failed, they put out misleading info saying you HAD to upgrade under some threat to a massively revised param set; if the users had clues they'd have forked the code and said no
06:15 < gmaxwell> adam3us: well realsolid already proved that what you can get away with is nearly boundless. An amazing history there that you missed.
06:15 < TD> yes these schemes are just ridiculous
06:15 < TD> what i mean is that whenever i go to a conference, i get mobbed by people asking "where's the contracts apps"
06:15 < adam3us> seems to me it'd be nice to get i dunno some salary equiv to what y'all can pull in industry to sit in a bitcoin lab not-for-profit
06:16 < gmaxwell> (guy created an altcoin and kept revising the rules over and over again, ... making me pretty much convinced it was an experiment in how disreputable you could make a cryptocurrency and still have users)
06:16 < TD> so i mean there's definitely a population of people that isn't just bandwagon jumping but _really_ want to see all the cool exotic features that were discussed come true
06:16 < adam3us> which'd take say $5mil/year or something to hoover up the top brains and make somewhere nice for them to work
06:16 < warren> adam3us: "slapping out unsigned binaries on non SSL - very scary" ... like cgminer!
06:16 < TD> a big part of mastercoin's marketing is claiming that the reason bitcoin doesn't have $FEATURE is that the core developers are too conservative, scared, not well funded enough, whatever
06:16 < TD> and that mastercoin resolves this problem thus bringing such features faster
06:17 < TD> warren: cgminer is AFAIK detected as a virus by now, by most AV systems :(
06:17 < gmaxwell> TD: except, you know, $FEATURE, seldom needs anything in core software.
06:17 < adam3us> TD: yes this is why i keep harping on about bitcoin staging
06:17 < TD> yes, all this stuff is obvious to us, but much less so to other people
06:17 < adam3us> and why i was psyched to see warren made a step towards it with bitcoin omg release :)
06:17 < warren> toward what?
06:17 < adam3us> bitcoin staging could keep the rapid dev within the bitcoin brand
06:17 < TD> luke used to maintain a "bitcoin next". dunno if he still does
06:17 < adam3us> bitcoin staging
06:17 < gmaxwell> And even if it did need it, you can test it without deploying it.... of course that requires writing something, or even figuring out in detail how it might work.
06:17 < adam3us> hmm link?
06:18 < gmaxwell> Luke still does.
06:18 < warren> adam3us: it isn't really staging, it was "I put all this work into litecoin, might as well make a bitcoin client"
06:18 < TD> gmaxwell: the good news is, someone stepped up to take over PayFile from me last week, and he seems to be credible - has already produced pull reqs. so I am hoping that quite soon we will have perhaps the first easy to use gui micropayments (contracts) based app
06:18 < TD> that people can actually download real binaries of, run, and use for something useful
06:18 < adam3us> i know but apart from the peg mechanism you did the work that i thought would need to be done
06:48 < TD> you mean, working on scalability, other than maintaining an entire SPV implementation ... :)
06:49 < petertodd> the real problem there is "worse is better" and things like already exist, so even incremental improvements become hard
06:49 < petertodd> adam3us: meh, you can audit off-chain stuff easily.
06:49 < adam3us> petertodd: right, i think it's a pressing problem even if bitcoin scales for a few years, because momentum "good enuf" will push everyone onto inferior centralized solution
06:49 < petertodd> adam3us: again, an auditable, decentralized base is what you build on.
06:50 < adam3us> petertodd: right, but how
06:50 < petertodd> adam3us: yes, either "good enough" will be the worst possible off-chain solutions with no auditing at all, or SPV clients with no auditing of the blockchain and a small number of centralized full-nodes/miners
06:51 < adam3us> petertodd: if coinbase and 20 more like them rule 99.99% of tx in a few years, and they settle between them on the block chain at $1mil at the end of the day.. how is that bitcoin
06:51 < petertodd> adam3us: at least with the former you can bolt-on auditing at any time
06:51 < adam3us> petertodd: they'd just as well settle with a wire transfer
06:51 < petertodd> adam3us: simple example, you can audit that backing funds exist with merkle sum trees
06:51 < adam3us> petertodd: agree, auditability is good
06:51 < petertodd> adam3us: heck, have you read any of my fidelity bonded banking stuff? not only can you audit, you can punish fraud
06:52 < petertodd> adam3us: that's bitcoin because for $10 or $100 or whatever it ends up being you can pay that tx fee too and have equal access that anyone else does.
06:53 < adam3us> petertodd: alternatively you can add auditability to banking networks, they probably will at some point as it's more secure than firewall and fiat balance in a db - at that point it's all the same thing
06:53 < petertodd> adam3us: Bitcoin isn't about making things *free*, it's about making barriers to entry be based on proof-of-work and nothing else.
06:53 < adam3us> petertodd: i think what you lose is the bearer / ecash property
06:53 < petertodd> adam3us: auditability is much less interesting than decentralization of control
06:53 < adam3us> petertodd: agreed
06:54 < petertodd> adam3us: the issue isn't banks committing fraud, it's banks committing *legal* fraud. Everyone knows currencies are inflated, it's not a secret.
06:54 < adam3us> petertodd: i made a claim that ecash is not ecash unless it's irrevocable and unseizable/unfreezable
06:54 < adam3us> petertodd: and i'm more interested in ecash than ripple iou networks which are just paypalizing banking networks and will revert to form in 5 years
06:55 < petertodd> Well, worst case with 1MB blocks forever and the dumbest possible off-chain solutions is that you can make your savings irrevocable and unseizable/unfreezable. That's pretty damn good.
06:55 < petertodd> With fidelity bonded banking, your savings are much harder to revoke or seize, because the moment you do so you can prove to the world that has happened, and the world can choose to go to another bank.
06:56 < adam3us> petertodd: yes two things: digital scarcity is a new commodity class, and separately ecash is better than a claim on a balance on a server, whether it's bitcoin denominated or usd, block chain audited or not
06:56 < petertodd> Right, but the onus is on you to figure out how you can have your cake and eat it too, because in its current form Bitcoin is fundamentally unscalable. The "solutions" to scalability are all to introduce more centralization.
06:57 < adam3us> petertodd: are you sure your funds are unseizable in a $10k dust rule network with coinbase model? you dont even have your private key...
06:57 < adam3us> petertodd: what if you dont have enough funds to pay the min fee
06:58 < petertodd> adam3us: The first $10k of your funds got seized, but your other $100k didn't. That's a huge improvement over the whole lot being seized because Bitcoin mining has long since become a regulated activity with blacklists.
06:58 < adam3us> petertodd: "The "solutions" to scalability are all to introduce more centralization." yes so far and that is a negative and worrying trend for bitcoin's meaningful continued existence
07:00 < adam3us> petertodd: i thought chris odom opentx model showed promise as a direction; his voting pool tx servers are auditable and rebuildable by users using the sum of the tx receipts they receive
07:00 < petertodd> BTW, let's suppose Bitcoin is worth 100 trillion, and 1% of that amount every year goes to miners in the form of fees. That works out to $20/kilobyte transaction fees, rather affordable!
07:01 < adam3us> petertodd: not bad, but how many Gbps is a full node feed ;)
07:01 < petertodd> no, I'm saying we keep 1MB blocks in that example.
07:02 < adam3us> petertodd: probably need satellite network for globalbroadcast or the interwebs will melt with many full nodes
07:02 < petertodd> Why?
07:02 < adam3us> petertodd: n^2 everyone on the planet's cup of 2nd cup coffee
07:03 < adam3us> petertodd: whats the famous canadian coffee shop? maybe it was timhortons ;
07:04 < adam3us> petertodd: clearly it can scale to some extent but its less interesting if its a clearing network than a direct user network
07:04 < petertodd> oops, I got that calculation wrong... lol, $20,000/kilobyte tx fees, not so affordable. However, let's say 100 billion valuation, 1 billion a year to miners, and you're at $20/KB.
07:04 < adam3us> petertodd: if it gets that large i expect the people running the show could just as well turn off their miners and sign clearing agreements
07:05 < petertodd> (right now tx's cost about $20 already in fact due to the inflation subsidy...)
07:05 < adam3us> petertodd: yeah that's kind of scary... hidden cost.. people say btc costs 2c but it's actually 1000x worse
07:06 < petertodd> Fucking hell, who cares how "interesting" it is for your morning coffee? What's important is that we have a solid decentralized store of value with a decent way to move it around. We can improve upon that later, but don't fuck up the base.
07:06 < petertodd> Fundamentally we have to figure out how to make validation scale.
07:06 < petertodd> Second fundamental is we have to figure out how to make transaction selection scale.
07:07 < adam3us> petertodd: u mean validation scale is reduce the broadcast bandwidth feed fr a full node? or cpu?
07:07 < petertodd> CPU isn't very interesting, don't focus on that. Bandwidth is what's interesting because censorship-resistant bandwidth is hard to come by.
07:08 < petertodd> Censorship-resistant CPU power is available at stores around the country...
07:09 < adam3us> petertodd: yes; so an ultra-crude what-if is say divide the n^2 into 1000 subgroups, payments are then either in-subgroup or cross subgroup, and mergemine subgroups
07:09 < adam3us> petertodd: cross subgroup takes 2 tx but that's still smaller than 1 tx broadcast 1000x wider
07:10 < petertodd> yup, I proposed that one a few months ago
07:11 < adam3us> petertodd: yes i think multiple people proposed the same what-if
07:11 < adam3us> petertodd: I did, vitalik did also probably others... but it's not clear how well that could work
07:12 < petertodd> AFAIK I was first :P The issue actually comes up with fidelity bonded banking, because you need to ensure that proof-of-fraud can be effectively published, and you need to have proof that you know about all fraud published for some given domain.
07:13 < petertodd> Anyway, I hope we agree that until a viable system for subgroups is proposed, and it's possible to mine blocks in a decentralized fashion, it's deeply dangerous to tinker with the scalability of Bitcoin.
07:15 < adam3us> petertodd: i'm not sure - you're saying dont change anything until we know the best longer term scaling approach or the scalability patches might actually make things worse?
07:15 < adam3us> petertodd: decentralized mining... yes i think that could be a nice partial win if that could be figured out
07:15 < petertodd> adam3us: remember that we've got people in this community who want to remove blocksize limits entirely while leaving the rest of the system as-is.
07:16 < petertodd> That's the idiotic opposition you're up against, not people who have a deep understanding of Bitcoin.
07:17 < adam3us> petertodd: gotcha, yes i agree with your previous arguments that upping the bw requirements aggressively is dangerous for decentralization (and also why i said i'm not sure i buy the "bitcoin scales to visa" type of hand-waving - oh yes, how and at what cost)
07:18 < petertodd> adam3us: With sufficient trust you can make any pig fly. :P
07:18 < adam3us> petertodd: u know i hear swift itself is nominally p2p
07:18 < petertodd> Ha, yup!
07:18 < adam3us> petertodd: so if the way we reach visa scaling is to run 50 bitcoin nodes on a closed network controlled by big banks i am not so interested
07:19 < petertodd> Exactly. And in between now and that, there's a lot of trade-offs.
07:19 < petertodd> 10MiB blocks aren't so, bad, 100MiB kinda iffy etc.
07:20 < adam3us> petertodd: we need something fundamental new insight .. the picture so far is moderately clear, but no clear path forward is in sight
07:20 < petertodd> Now where the "just remove the limits entirely" thing is so obnoxious is that the basic idea, just let miners choose, is such a fundamental misunderstanding of the nature of validation and trust in Bitcoin.
07:21 < petertodd> of course there's no clear path forward, every path has different costs to different people!
07:22 < adam3us> petertodd: u might wonder if there is some moderate incremental scalability gain lurking in using accumulator tree vs hashtree
07:22 < petertodd> heck, there's a decent enough chance that nothing at all will happen and Bitcoin will remain, technically, identical to its current form for a long, long time.
15:40 < phantomcircuit> i stand corrected
15:40 < phantomcircuit> that's actually pretty huge
15:40 < petertodd> Yup, it was also the original blocksize limit.
15:40 < petertodd> which makes me think satoshi hadn't planned for one at all...
15:44 < sipa> petertodd: gavin fixed what?
15:44 < midnightmagic> ^^ by the way, gavin, if you use as the freenode IRC server password your nickserv authentication details you don't get the changing host thing.
15:44 < petertodd> sipa: his original rejection message patch let an attacker put fake entries into your log file
15:45 < petertodd> sipa: didn't filter out newlines :/
15:45 < gavinandresen> midnightmagic: how do i "use the freenode IRC server password"
15:46 < gavinandresen> IRC passwords are still a mystery to me, is there a clear explanation of which password does what somewhere?
15:46 < midnightmagic> gavinandresen: One sec..
15:46 < MoALTz> midnightmagic: edit server, server password in xchat right?
15:47 < midnightmagic> Yes. The IRC server password. You construct it like so: NickName:NickservPassword
15:47 < gavinandresen> midnightmagic: okey dokey.  What is the Username then?
15:47 < midnightmagic> No username.  There should just be a password field.
15:48 < midnightmagic> <-- there it is.
15:49 < midnightmagic> In plain irssi, for example, you would connect with: /connect 6667 mquin:uwhY8wgzWw22-zXs.M39p    or your deets in place of..
15:49 < midnightmagic> there you go. I think that did it.
15:50 < MoALTz> midnightmagic: what happens if your zombie hasn't disconnected yet?
15:50 < gavinandresen> mmm.  Colloquy UI is confusing, it gives me Username and Password for server connection
15:50 < midnightmagic> MoALTz: It's not foolproof. In the event of a netsplit I think something weird happens then.
15:50 < gavinandresen> and isn't smart enough to do the nickname:password thing, I guess
15:50 < midnightmagic> nah it's a freenode-ism I think.
15:51 < gavinandresen> that was my mistake, then-- looking at IRC help instead of FREENODE help....
15:51 < midnightmagic> MoALTz: Also I don't know what happens with zombies..
15:52 < midnightmagic> gavinandresen: znc, the bouncer I use, also uses that style to authenticate individual users and log them in to a user session. In znc, the server configuration line just has something like this: 2610:150:2c68::d0:dab:1de5 +6697 midnightmagic:MyNickServPasswordItsALongOne
15:56 < warren> Luke-Jr: jgarzik: it is not only ACK'ed things, it tests not-yet-approved things if we think it's a good idea and we tested it.
15:58 < amiller> MyNickServPasswordItsALongOneAlsoHighEntropyEjKRUaOJPo
15:59 < phantomcircuit> gavinandresen, colloquy like most os x software makes it impossible
15:59 < warren> well crap, someone reports the OMG build still corrupts on macos x
16:00 < gavinandresen> warren: mmm.  I got corruption running git HEAD, so that doesn't surprise me
16:01 < petertodd> warren: sheesh, I ran a bitcoin node for months on a computer with such flaky ram I couldn't get firefox to work for more than an hour at a time and it never corrupted the blockchain once :/
16:01 < warren> gavinandresen: corrupted even after a clean shutdown of bitcoin?
16:02 < gavinandresen> warren: was probably a dirty shutdown
16:02 < petertodd> warren: maddening how some stupid fs sync crap has a bigger effect than that ram
16:04 < sipa> petertodd: i doubt the corruption problems we're seeing are related to flaky hardware
16:04 < sipa> or at least, some
16:05 < petertodd> sipa: exactly my point; hardware/os lying about syncing is more of a threat than the hardware not working at all
16:06 < warren> It isn't clear if the corruption is only on certain versions of the OS.
16:06 < warren> I've seen most reports on 10.8+
16:06 < warren> one report on 10.7
16:07 < warren> none on 10.6, which might mean nobody is using 10.6?
16:08 < petertodd> warren: any chance the people on 10.6 are using different hardware than 10.7? (dunno nuthin about macs myself)
16:08 < gavinandresen> warren: I'm running 10.7
16:09 < petertodd> FWIW I did a SSD write corruption test a few years back at work, and I did find a SSD drive brand that lied about data syncing, so it's quite possibly a hardware thing related to some choice Apple made.
16:11 < warren> indeed, some brands of SSD are notorious
16:13 < warren> gavinandresen: what hardware?  apple provided HD/SSD?
16:13 < warren> gavinandresen: FWIW, our mac dev and coblee have *never* experienced corruption
16:13 < petertodd> warren: yup, and sadly this could just be some choice Apple has made that's far from easy for us to deal with.
16:13 < gavinandresen> warren: I have no idea, I bought this mac used. I got corruption on both the SSD and the spinning disk.
16:18 < warren> gavinandresen: at this point are we willing to post a bounty on this?  "Reproduce corruption on demand, explain why it is happening." and separately "provide a fix that passes bitcoin dev approval"?
16:18 < gavinandresen> warren: sure, if you're willing to hold the money and judge the 'approval' go for it
16:19 < petertodd> gavinandresen: re: relay first double spend, you relaying the whole double-spend tx?
16:19 < warren> gavinandresen: where can the money come from?  we can pledge some from our funds
16:20 < gavinandresen> petertodd: yes, relaying the first double-spend as if it were the first spend
16:20 < sipa> with a different message?
16:20 < petertodd> gavinandresen: what happens if the first double-spend was a 200byte tx, and the second a 100KiB tx?
16:21 < gavinandresen> petertodd: then 100,200 bytes get relayed across the network
16:21 < gavinandresen> assuming that both pass the IsStandard tests.
16:21 < petertodd> ugly...
16:21 < gavinandresen> simple
16:22 < petertodd> 500x cheaper to DoS the network. OTOH I like how this makes it easy to do replace-by-fee.
16:22 < gavinandresen> sipa: what do you mean, "with a different message" ?  No, just a normal inv / tx
16:22 < gavinandresen> (inv / getdata / tx)
16:22 < sipa> hmm, but without taking it into the mempool
16:23 < gavinandresen> petertodd: 500x ???  You can broadcast 100K transactions now.  This will make it at most 2x times easier to try to DoS the network.
16:23 < sipa> i'm not sure it's advisable to relay a transaction we're not considering valid ourself
16:23 < petertodd> gavinandresen: No, 500x, because I'm only paying for the bandwidth of the 200 byte tx. (or actually, even smaller than that is possible)
16:23 < gavinandresen> sipa: right, does not go into the mempool
16:24 < gavinandresen> sipa: the whole point is to broadcast it so that accepting-payment-in-person merchants will see the invalid transaction and can react
16:24 < petertodd> gavinandresen: Probably not an issue in practice, because someone will do replace-by-fee mining, but then that kinda defeats the purpose in a way...
16:24 < sipa> gavinandresen: right, which is why i'd use a different message
16:25 < warren> gavinandresen: is the foundation willing to add funds to such a bounty?
16:25 < gavinandresen> sipa: that just complicates the code unnecessarily
16:25 < warren> we can ask for public donations too
16:25 < sipa> to 1) make it clear that we're not actually considering this one valid and 2) make old nodes ignore it
16:25 < sipa> then again, nothing prevents someone from taking a faketx message and broadcasting it as a t
16:25 < sipa> as a tx
16:26 < gavinandresen> sipa: exactly, the code you'd write is exactly the same
16:26 < petertodd> sipa: Interesting thought: I can use this to broadcast a replacement, and because it's a standard inv, any miner who didn't get it the first time for some reason, and doesn't have it in their mempool, will get the second one. If the second one is a higher fee, maybe this time they'll accept it!
16:27 < sipa> yes, it may have unintended replacement effects
16:27 < sipa> giving a double spend higher chances for being mined than before
16:27 < gavinandresen> again, the reason for doing this is 0-confirmation transactions for merchants monitoring the chain.
16:27 < sipa> that's why i'd prefer not doing it the same way
16:27 < gavinandresen> err.. monitoring the network....
16:27 < sipa> i'm pretty sure it will lead to double-spends becoming easier :)
16:28 < gavinandresen> Easier-but-easier-to-detect is fine
16:28 < petertodd> sipa: Yeah, e.g. it makes it even easier to double-spend by broadcasting a, say, satoshidice tx, then waiting for my reply, then broadcasting a double-spend that doesn't involve satoshidice - I have a 10% chance of it getting mined by eligius without even needing to contact them directly.
16:28 < petertodd> Heh, funny thing I'm definitely going to ACK that patch because it's a step towards replace-by-fee and pure-profit-driven mining.
16:29 < sipa> petertodd: i'm in the middle about that, but imho the client should try to get peers to do the same
16:29 < sipa> so if you're doing replace-by-fee, i'm perfectly fine with it being the same tx message
16:29 < petertodd> sipa: get peers to what exactly?
16:30 < petertodd> sipa: ah, yeah, replace-by-fee would definitely use the same tx message
16:30 < gavinandresen> sipa: 0-confirmation double spends are pretty easy today.  I'm completely convinced early detection is more important than trying to prevent them.
16:30 < sipa> but if you're explicitly not considering a transaction valid, i don't like making it seem to others that you do
16:30 < sipa> gavinandresen: fair enough, i agree there
16:30 < gavinandresen> Let's debate replace-by-fee separately...
16:31 < warren> crap, two reports of corruption after a clean shutdown...
16:31 < warren> this makes no sense
16:31 < petertodd> gavinandresen: Well, the beauty of this is it lets miners decide for themselves given they now can easily get the replacement with no effort.
00:23 < gmaxwell> maaku: "You can spend these coins if you solve my puzzle" "psyche... I just spent them out from under you even though the code said I couldn't because I can create false proofs for this verification key."
00:24 < gmaxwell> amiller: the upside is removing the CRS the downsides are that the proofs are much larger (tens of kilobytes) and the zero-knowledge is no longer perfect.
00:25 < amiller> i see.
00:26 < gmaxwell> amiller: well I'm glad your koolaid tap on the CRS stuff ran out. I dunno why everyone thinks its so acceptable.. it is in some cases, not others.
00:26 < gmaxwell> What they're talking about doing in zerocash I think its completely unacceptable.
00:26 < gmaxwell> then again, for that application 20kbyte signatures is probably also unacceptable.
00:27 < amiller> how far do you think they can smear around the anytrust kind of setup
00:27 < gmaxwell> (and for that matter, q-power knowledge of exponent, bilinear pairing stuff is by itself probably unacceptable)
00:27 < amiller> that was a question someone asked, matt green answered affirmatively, i didn't seek any details
00:28 < gmaxwell> What was?
00:28 < amiller> whether you could distribute the setup among N parties
00:28 < gmaxwell> yea, I think thats half BS
00:28 < amiller> where any of the N parties has to delete their data
00:28 < amiller> okay
00:29 < gmaxwell> I don't know of any systems for _active_ secure MPC that don't themselves require a zk-snark, certainly none that are implemented.
00:29 < gmaxwell> (you can take any semi-honest-secure MPC scheme and make it active secure if you make all the players do their work under ZK-proof that they're obeying the protocol)
00:29 < maaku> gmaxwell: i see
00:30 < gmaxwell> It's possible in theory at least. But what does N need to be? and where is even a beginning of an implementation?  even with just three parties it would be the largest MPC task ever attempted.
00:30 < amiller> yeah everything attempted in practice so far has been semi honest
00:30 < amiller> afaik
00:31 < gmaxwell> Yes, as far as I can tell.  And I think we have a chicken and egg problem here. We have almost practically efficient snarks actually implemented but in the CRS model.
00:31 < gmaxwell> You could, in theory, make the CRS with MPC. .. but active secure MPC that looks remotely practical is a passive MPC + SNARKS.
00:32 < gmaxwell> and the CRS computation isn't horrible but there is a lot of it ... for zerocoin they're talking about 1.6GByte prover keys (which actually sounded small to me).
00:33 < gmaxwell> So somehow you've got N party active secure MPC and you're going to compute 1.6 gbytes of CRS in it?
00:33 < gmaxwell> And realistically I think N can't just be 3. Start talking about 30 and thats more interesting.
00:33 < amiller> yeah. i came to that conclusion pretty quickly too
00:34 < amiller> sell tickets to the big setup phase MPC as your fundraiser gimmick!
00:35 < gmaxwell> I mean there are neat things you can do... one of the mpc nodes should be in a faraday cage in a bunker filled with C4. And you should explode it when the computation is finished. People would pay to see that. :P
00:36 < amiller> david blaine could do one too
00:36 < gmaxwell> the undetectable compromise part is part of what makes this so bad for ZC where it wouldn't be an issue elsewhere.
00:37 < gmaxwell> lots of room for fud.
00:37 < gmaxwell> "NSA supercomputer cracked the crypto to recover the key whole cloth, and now the US government can print unlimited coins! Prove me wrong!"
00:38 < gmaxwell> at least if it were detectable you could freeze new spends and deploy another ZK proof system (perhaps a less efficient one)
00:39 < amiller> i learned about a formalism called "covert security" that's weaker but promises detection like that...
00:39 < amiller> but i couldn't find any trace of someone actually getting any cheaper construction that way
00:40 < gmaxwell> well the GGPR12 stuff is super brittle to knowing the CRS. Its easier to compute a fake proof than validate a proof if you know the CRS.
00:41 < gmaxwell> and I think the way the perfect zero knowledge is achieved it must be that way.
00:42 < gmaxwell> (because you can basically show that for any set of passing input group elements some CRS exists that makes those elements a valid proof, regardless of the statement being true or not)
00:44 < gmaxwell> In any case, Iddo has given me the impression that I'm not the only person who's seen the limitations of the CRS model.
00:46 < amiller> i've seen some modifications to CRSs to make them more useful and composable but not that get rid of the trusted/private state somehow
00:47 < amiller> i don't have any idea what comes next
00:52 < gmaxwell> amiller: why not post to the mailing list and whine about the CRS trust assumptions and ask what they're going to do about them? :P
00:52 < gmaxwell> As I said, I /think/ they're also working on a backend without one.  But I don't know anything about it as it's not mentioned in their papers on their tinyram work.
03:01 < nsh> gmaxwell, if it helps, didactically, you can compare the security of the CRS model to the security of DUAL_EC_DRBG....
03:06 < gmaxwell> Hm!
03:06 < gmaxwell> point.
06:17 < adam3us> gmaxwell: so while i agree that H(nonce)[rand(32)] ^ prefix is an interesting incremental improvement of raw prefix, with an example 8-bit prefix, and [] being byte index, ^=xor, it still publicly allows elimination.  ie with probability (255/256)^32=88% it eliminates you as a payee of any given reusable payment.
06:17 < adam3us> gmaxwell: (posted this and related on bitcoin-dev)
07:56 < jtimon> somebody claimed here (I don't know if it was you maaku), that some people were suspicious about scrypt being GPU mined from the beginning
07:57 < jtimon> does anybody have any reference to that?
08:04 < jtimon> hmm, is this it?
08:04 < jtimon> I'm considering mentioning rumors about it and putting a link on an article about p2p currencies I'm finishing
08:07 < jtimon> I don't know...wasn't coinhunter a scammer?
08:07 < jtimon> "Artforz publicly admitted to creating a GPU miner for litecoin numerous times" any link to this?
08:08 < jtimon> I'll keep searching, just browsing out loud in case anybody can give me some clues or a better link
09:17 < Emcy> hmm apparently GCHQ couldnt crack truecrypt with the password "$ur4ht4ub4h8"
09:17 < Emcy> they had to sling the guy in jail and sweat it out of him
09:18 < Emcy> isnt that a weak password? Is that a bit surprising.
09:18 < adam3us> jtimon: ha thats pretty interesting, the guy's claim seems quite plausible.  casts coblee / artforz in a bad light if so.  i was before now supposing the failure of scrypt params chosen to be yet another alt param fail on their part.  but maybe it was a "fail" ie not real! they designed it that way and exploited it to the max until someone else figured it out
09:18 < adam3us> Emcy: yeah i saw that.. my thoughts also, we have nothing to worry about :) combined might of GCHQ cant crack that short/low entropy password.. chortle.
09:19 < adam3us> Emcy: what we dont know however is the program used.  maybe it has some memory hard stretching or something preventing fpgas or whatever gchq has
09:19 < Emcy> and yet a skilled cracker with a good custom dictionary and a handful of radeons might
09:20 < adam3us> Emcy: if it was unstretched, for sure; lot of former gpu miners could crack that with their own cards!
09:21 < Emcy> ok i assume it was truecrypt
09:22 < Emcy> look hes got a beard so hes probably up to no good!
09:22 < adam3us> jtimon: analogously i was similarly suspicious of dan larimer with his momentum hash and protoshares. that no GPU status fell pretty fast though he fought the claim all the way down
09:23 < Emcy> adam3us isnt it fairly common knowledge that someone was mining LTC rather faster than should have been possible early on
09:23 < tacotime_> I recall artforz had mentioned he implemented it on GPU And it was slower
09:24 < tacotime_> The algo itself is slower on GPU if you don't use the TMTO trick (only store every other value in the memory pad and look up the others on the fly)
09:25 < tacotime_> There's a little bit of reason to believe that solar designer and artforz may have been the same person, but I won't elaborate
09:25 < adam3us> Emcy: I dont know wasnt paying attention at the time. tacotime_: the thread jtimon posted above says their programmer spent 4hrs and made something 150x faster than artforz claimed best.
09:26 < tacotime_> You honestly trust something coinhunter said?
09:26 < tacotime_> The guy who has stolen hundreds (probably thousands) of BTC from the community over the past 2 years? ;)
09:26 < adam3us> tacotime_: solar designer is pretty crypto sharp, he posts on cpunks/crypto lists a lot and seems to have clues.  seems to me if that is artforz alter ego he'd have the sharps to do a little TMTO
09:27 < adam3us> tacotime_: yeah i heard of solid coin by infamy/reputation only wasnt paying attention back then.  he's that guy?
09:27 < tacotime_> yeah
09:27 < tacotime_> RealSolid/CoinHunter, same person
09:28 < adam3us> tacotime_: apparently his antics were so stupid/evil/greedy as to remain the subject of lore 3 years later :) thats how i heard about solid coin at all
09:28 < tacotime_> I'm not sure where mtrlt was updated to the desynchro/TMTO trick though
09:29 < tacotime_> Or if pooler had first picked it up when optimizing his LTC miner
09:30 < adam3us> tacotime_: i think i saw solar designers TMTO experiments, he mustve cross posted to one of the crypto lists
09:30 < tacotime_> yeah
09:31 < tacotime_> mtrlt also ran off with a load of bitcoins after claiming he would implement primecoin miner on gpu
17:56 < gmaxwell> jtimon: if you don't download the whole chain then miners participants in the past before you joined could have cheated and freely written themselves blank checks. It's very nice today that when people ask about this (which they frequently do) I can give them a very strong answer: No, your software audits against that, and you can audit its code (or have someone else do so) to make sure that it does.
17:56 < adam3us> gmaxwell: committed tx would be your only remaining defense against policy, you can still do a few things, notice when they make changes etc, but with less power to do anything about it
17:56 < maaku> gmaxwell: our approach is to move more transactions off-chain onto private servers, and use the public consensus mechanism only when necessary (e.g. cross-server trade)
17:57 < gmaxwell> adam3us: sipa has a great argument that goes: At one extreme blocks are maximally small and no one can transact but everyone can validate and so the system is centralized because so few can transact. At the other extreme the blocks are enormous and everyone can transact but no one can validate, so the system is again centralized because we must trust the few validators.  The ideal behavior is somewhere in between.
17:57 < adam3us> maaku: in a way thats mirroring bitcoin activity, most mtgox,bitstamp trades are in server
17:58 < adam3us> gmaxwell: sounds like sipa's block chain triangle:)
17:58 < maaku> adam3us: yes, but we'd like to do it in a way where your 'off-chain wallet' contains similar security guarantees - server can't spend your coins without your sig, and any modification of the spend history is detectable, etc.
17:58 < jtimon> gmaxwell, with maaku's UTXO index hashed on every block, it's just a matter of how long in the past you want to go
17:58 < gmaxwell> Sipa Circumflex of Centralization.
17:59 < jtimon> back to genesis? to the last checkpoint?
17:59 < maaku> similar to OT in that regard, but using bitcoin structures for interoperability
17:59 < gmaxwell> jtimon: allow me to be offended while you lecture one of the first people to suggest committed utxo on the subject of them...
17:59 < adam3us> maaku: i agree its the holy grail of off chain transactions " we'd like to do it in a way where your 'off-chain wallet' contains similar security guarantees - server can't spend your coins without your sig, and any modification of the spend history is detectable, etc."
18:00 < maaku> ok well read the paper and give us your feedback
18:00 < gmaxwell> jtimon: regardless not validating the rules is a break in the security model, and its one that may have weird interactions with incentives. Today a miner that does a big reorg can only reorder transactions, in an environment where many nodes don't validate deeply, they can write themselves a blank check.
18:01 < maaku> we're implicitly assuming some form of tx commitment though (not mentioned in the paper), which is the source of some of the security protections
18:01 < adam3us> maaku: not saying i have a solution, though like presumably many others its occupied my thoughts for some time
18:01 < gmaxwell> This isn't to say that its not a good tradeoff, but its not clear that its a free one.
18:01 < jtimon> sorry, gmaxwell, and yes, I've heard that potential problem, I think from retep
18:02 < adam3us> maaku: one loose idea is to use the bitcoin block chain to timestamp the merkle root of the offchain servers transaction log
18:02 < gmaxwell> I suppose its a change which actually could be made in bitcoin because basically none of the users have a mental model of the security that makes any sense... though its kinda sad that it wouldn't be controversial to revise the security model in such a substantial way.
18:04 < adam3us> gmaxwell: i'm with you on this one, the assurances of immutability are the strongest feature of bitcoin
18:04 < jtimon> the way I see it, it's configurable security, you can still be a full node, miners should be prepared for very big reorgs
18:04 < gmaxwell> jtimon: moral hazard.
18:04 < gmaxwell> If you're in a minority you're actually worse off setting security higher than other people.
18:05 < jtimon> I see
18:05 < gmaxwell> And if you can reduce your costs and let some other sucker take the work of making the security promises good? oh well.
18:05 < gmaxwell> (worse off because it's a consensus system: it's often more important to agree than to be right
18:05 < maaku> ... which is why i'm staunchly against probabilistic validation
18:06 < gmaxwell> maaku: if its over old history that you wouldn't have validated anyways? and your response is to just shut down and nag the user?  I don't worry about that. It's just a backstop that means that manual intervention would kill an attack that depended on a historical rule validation.
18:06 < adam3us> gmaxwell: agree vs right; I agree: it seems to me that other than SPV, miners could indirectly facilitate consistent distributed arbitration of a random decision, so long as its immutable
18:06 < gmaxwell> Likewise, the fraud notices stuff would make probabilistic validation not a consensus risk. ... (though a software engineering risk... :( )
18:08 < adam3us> gmaxwell: just based on timestamping, no other validation; full node users could do committed tx fine with that assumption
18:09 < adam3us> if there is a way to shard activity within a timestamp tree, you might be able to scale that further than a miner validated blockchain (the miners in this model would just be timestamping merkle roots)
18:10 < jtimon> so you just timestamp things and the validation comes later, no?
18:10 < gmaxwell> maaku: the other question is: if your choice is "only google does the validation" vs "lots of parties do probabilistic validation with some risk of consensus failure" I don't think that it's a hard decision. There are lots of nice centralized systems out there, I don't think bitcoin is really competition for them. And I do think in the long run some compromises will be the matter of effectively centralizing the whole ball of wax ...
18:10 < gmaxwell> ... or not.
18:10 < gmaxwell> adam3us: the incentive model is goofed up though if unfaithful validation doesn't make your 'work' wasted.
18:11 < gmaxwell> e.g. say it's constructed so you could timestamp multiple orthogonal consensuses ... you might as well timestamp a zillion of them just in case one is preferred over another.
18:11 < gmaxwell> (this is the problem proof of stake has)
18:12 < adam3us> jtimon: yes committed tx are validated by users (including full tx history) and in this timestamping only use of it peers would need to be full nodes, but maybe it can be sharded to eg freimarket servers for the merkle root
18:14 < jtimon> it reminds me to a "crap serializer" idea I had, but mine was centralized
18:14 < adam3us> gmaxwell: so the hypothetical would be have lots of OT like servers as supernodes (but still peers) they participate in the timestamp consensus
18:14 < jtimon> how do you agree on the p2p serialization? do you have a thread?
18:15 < adam3us> gmaxwell: users transact on a given server with receipts, if anything goes wrong they switch servers; the server cant undo things because its transaction merkle root is timestamped
18:17 < gmaxwell> adam3us: how do you prevent supply doubling where users clone themselves and start transacting on two servers in parallel?
18:17 < adam3us> users, servers audit other servers to be sure they never put conflicting statements in their tx tree
18:20 < adam3us> gmaxwell: possibly (or so i was loosely thinking) each asset has a home server that is the authority on ordering transactions involving it - the idea is distributed consensus is hard but individual consensus is trivial, and mining timestamping prevents revisionism, and audit detects problems, and then you need some migration property where you can move the asset to a new home using receipts (but only after timestamp validates the move)
18:21 < adam3us> gmaxwell: say it costs higher fees to move via the timestamp chain to another server, so there is a disincentive to move unless actual problem; and servers cant cheat as they are audited and the system reacts to cheating
18:22 < adam3us> gmaxwell: its basically OT + blockchain timestamping for merkle root timestamping, and reward (coin mining via blockchain timestamping) and to validate the movement of an asset to a new home
18:24 < adam3us> it becomes simpler to change mining details also when it is only doing timestamping eg as its low bandwidth, doesnt deal with 0-confirm ordering, nor validation of transaction details, nor fee collection
18:25 < gmaxwell> adam3us: this is starting to tread into the space I was talking about with the coinwitness stuff (using non-interactive zero knowledge proofs to delegate coins to external transacript producing systems and eventually pull them back)
18:25 < gmaxwell> transcript*
18:27 < maaku> gmaxwell: I think if we move a lot of things off-chain (including day-to-day payments), and start using the chain mostly for global consensus over multi-server trades, we won't have to scale bitcoin much
18:27 < adam3us> gmaxwell: have to re-read that, while i thought scip/snark interesting i mentally put it in the 'future crypto' bucket to keep an eye on
18:28 < adam3us> maaku: yes, but a bit of an open question how that can be done while preserving the bitcoin properties
18:28 < maaku> so fears about needing "google-scale" are not yet convincing, imho
18:29 < gmaxwell> maaku: personally I hope so, but that comes with another worry. Say we jack way up the block size, and the things move off to other systems (for things like instant confirmation) ... will bitcoin be able to support itself on fees with the enormous block sizes but most txn off chains? hell would it be able to support adequate security with fees even with current blocksizes?   Petertodd gave a vision of the future where those ...
16:09 < amiller> i want to talk about p2ptradex
16:09 < amiller> you guys read this post?
16:25 < gmaxwell> amiller: what about it? ... results in enormous transactions to have any real degree of cross chain proof, and even then only gets you spv security.
16:25 < amiller> i don't think any of that is necessarily true
16:25 < amiller> first of all it doesn't have to be about transaction size, proof size can be amortized for many transactions
16:26 < gmaxwell> The first is true so long as headers are a singly linked list.
16:26 < amiller> under normal conditions, two blockchains are perhaps roughly synchronized
16:26 < amiller> you could merkle tree over the headers and go down to log
16:26 < gmaxwell> The second is true so long as you don't commingle the consensus of the two chains.
16:26 < amiller> you don't have to do full validation
16:26 < gmaxwell> amiller: only by changing the headers.
16:26 < amiller> the thing is you can be asymmetric in two ways
16:26 < amiller> like if i am trading my bitcoins for your litecoins
16:27 < amiller> i don't really care if the bitcoin side gets canceled
16:27 < gmaxwell> amiller: no, but I sure do.
16:27 < amiller> i'm only concerned that the bitcoin side goes through and litecoin gets canceled
16:27 < amiller> right
16:28 < amiller> so i am happy if the bitcoin side just trusts litecoin at face value
16:28 < gmaxwell> I mean the _whole_ point of doing anything fancy there is to control the cancelation behavior, otherwise you can just do joint secret locked outputs.
16:28 < amiller> i don't care if the bitcoin chain only does spv validation of litecoin because i'm going to be just as vulnerable to litecoin anyway
16:28 < amiller> likewise you'll be happy if litecoin does only spv validation of bitcoin
16:29 < amiller> because you're going to end up with bitcoins anyway and if spv isn't good enough then something horrible has happened
16:29 < gmaxwell> amiller: say we're going to trade 1000 BTC worth of coins and I can buy computing power at near mining cost rates on the open market.
16:30 < gmaxwell> how big must the transactions be before its not cheaper to mine bogus blocks instead of completing the transaction?
16:31 < amiller> right so the tricky case is when there's a big disparity in mining power between the two chains
16:31 < amiller> but lets say we agree on the price
16:31 < amiller> it's proportionally a much bigger transaction on the tiny litecoin chain
16:31 < amiller> so i should correspondingly wait much longer before i'm sure
16:32 < gmaxwell> just assume it's 'bitcoin to bitcoin' if you will. I still think the result ends up ugly.
16:32 < amiller> the proof doesn't all have to be in the transaction, i think sdlerner's particular solution is wrong and ugly but the key idea works
16:34 < amiller> like assume you can use something like the hash-value-highway to get a concise aggregate sample of work
16:34 < gmaxwell> even a cut and choose compression of the headers ends up being quite large.
16:34 < amiller> basically since there are tiny trivial litecoin blocks so frequently, it would suck to try to say that bitcoin has to validate two weeks worth of ltc blocks before committing the transaction
16:35 < gmaxwell> amiller: I think the bitcoin bitcoin case sucks too, as mentioned. even when you get to dozens of headers the transaction is rather enormous.
16:35 < amiller> but if i'm going to end up with litecoin anyway, i'm okay if bitcoin only does concise work-sampling validation
16:35 < amiller> if there is a lot of volume of btc to litecoin trades then we can all amortize the validation
16:35 < amiller> there's no reason each individual transaction has to repeat the whole process
16:36 < amiller> there's maybe a scheduling/batching challenge in there
16:36 < gmaxwell> and any subsetting case will still need n bits of selection where n is fairly large compared to work.
16:36 < amiller> that's not true i don't see why you'd say that?
16:36 < gmaxwell> amiller: yes if you commingle the consensus algorithm, and effectively merge the chains, requiring all full validators to validate both, it obviously works.
16:36 < amiller> no i'm saying it doesn't require full validation
16:37 < gmaxwell> amiller: because if your sample is just one point then a single lucky block can rob all concurrent spends. and also may take forever to come, leaving the transactions stuck for a long time.
16:38 < gmaxwell> amiller: if it's not full validating that surprise its just spv security. And SPV is quite weak when you have an information hiding risk.
16:38 < gmaxwell> So you need a lot of header proof to make SPV with a hiding risk not laughably bad.
16:38 < amiller> what do you mean
16:38 < amiller> i don't follow what you mean by information hiding
16:38 < amiller> if you mean errors in transactions then header doesn't solve that anyway so i don't know what you mean
16:39 < gmaxwell> As I said before, consider a 1000 BTC trade "bitcoin to bitcoin" via this mechanism. Say you require 12 headers. I can buy that computation for about 300 BTC. A big profit to cheat. The inner validation only knows what you tell it, it can't go out and discover that there is a longer chain far ahead of that one.
16:40 < amiller> that's true of any btc transaction with the threat of double spending
16:40 < gmaxwell> No, it's not, because you can find out that there is a longer chain, so that someone spending weeks to produce a 12 header stub does no good, as the whole world has moved along.
16:41 < gmaxwell> SPV in information isolation requires only energy. SPV when there is no isolation requires energy at high power.
16:42 < gmaxwell> I think this is a tangent in any case.
16:42 < amiller> the rules for applying include an amount of work in both chains
16:42 < amiller> so it's not just 12 headers at any time
16:42 < amiller> but 12 bitcoin headers before say 60 headers of litecoin
16:42 < amiller> 60+epsilon
16:43 < gmaxwell> you can't be guaranteed any particular processing speed, especially for your jumbogram transaction.
16:43 < amiller> if i'm confident i'm going to learn about 60 litecoin headers before you learn about 12 bitcoin headers, then i'm okay
16:44 < amiller> the point is we are both taking bets about the rate of proof-of-work of the chain we're going to end up on
16:44 < amiller> and any substantial change in that would make us vulnerable to double spends where we end up anyway
16:44 < gmaxwell> And this accomplishes exactly what?
16:45 < gmaxwell> A _trivial_ protocol already reduces this problem to pure holdup risk.
16:45 < amiller> right so i'm solving the holdup risk for a cross-chain transaction, up to the same security guarantee we have against double-spending in an individual chain
16:46 < gmaxwell> except you're not. Because the transactions cannot be mined atomically in both.
16:47 < gmaxwell> The rates of the two chains might be a nice constant ratio, but the _start time_ has no particular reason to have a non-zero offset in the two chains.
17:26 < amiller> ok i almost worked it out
17:26 < amiller> difficult to explain, this may take a few tries
17:27 < amiller> i'm giving you my bitcoins and you're giving me your litecoins, but suppose i'm able to produce a short proof that the litecoin chain has moved on several blocks *without* having your end of the transaction on it
17:27 < amiller> i should be able to present that proof to the bitcoin chain and use it to cancel my sending bitcoins to you
17:31 < gmaxwell> right, okay, so you need a UTXO proof, plus headers.
17:31 < amiller> not full headers, less than spv
17:31 < amiller> just a work sample
17:31 < amiller> that can be seriously small
17:32 < gmaxwell> Be concrete.  I know ways to reduce enormous amounts of work to merely large, but I'm not seeing how you actually get something compact.
17:32 < gmaxwell> and a utxo proof is log(total utxo)
17:34 < gmaxwell> (the two ways I know to reduce enormous amounts to large is the hash highway method, and hash highway I think you need a header format change or you can't show the headers are related, or non-interactive cut and choose)
17:34 < amiller> header format change yes
17:34 < amiller> the noninteractive cut and choose isn't necessary
17:35 < amiller> basically i don't need to assert that the header samples form a valid chain
17:36 < gmaxwell> you do need to assert they came after the utxo proof connected header.
17:36 < amiller> i just have to show that they are very unlikely to be constructed without the minimum amount of work, and that they all occurred after some deadline (meaning there's some path of preimages that leads to some origin point of interest)
17:36 < gmaxwell> s/came after/ are connected to.
17:39 < gmaxwell> amiller: otherwise I mine a single fake litecoin block with a fake utxo commitment and give you that and a dozen real litecoin headers.
17:40 < amiller> hm, right, so i should check that the utxo commitment associated with each block couldn't have had data in it that contradicts my claim (that the transaction i care about has not shown up)
17:41 < gmaxwell> yea... so 800 bytes per block... :(
17:43 < amiller> if that's the only thing to grimace at i'm happy
17:43 < amiller> imo this is a building-block for not-necessarily-global blockchains
17:43 < gmaxwell> by per block I mean per block in your proof.
17:44 < amiller> yes i know
17:44 < amiller> if there's a lot of volume of btc to ltc transactions then we can all amortize the validation of work
17:44 < gmaxwell> well the utxo membership proofs can't really be substantially combined.
17:45 < amiller> yes but i only need it on the last one if there are canonical litecoin headers already
17:45 < gmaxwell> canonical litecoin headers implies full nodes validating litecoin blocks.
17:46 < amiller> either way this is just a possible optimization
10:26 < amiller> instead, if you built in something like this feature i'm describing, any attempt to tweak the rules to let in an extra million, even "only just this once",  would require porting over everyone's signatures to some new thing all at once
10:27 < amiller> easily?
10:28 < petertodd> amiller: yeah, just make it possible to steal block rewards given proof of fraud
10:28 < amiller> i'm more optimistic the other way around... if i have a good definition, i can find someone who can do the relevant crypto, or i can wait 5 years and pinocchio or tinyram will be fast enough
10:28 < amiller> to steal anyone's block rewards?
10:28 < amiller> i don't think that solves it
10:28 < amiller> because it's still a simple "tweak" to the rules to make one particular fraud not count
10:29 < amiller> i'm not talking about someone sneaking in a deviant block undetected
10:29 < amiller> i'm talking about publicly getting everyone to agree to tweak a rule and then just accepting it
10:29 < petertodd> ah, hmm... sounds like magic :)
10:30 < petertodd> anyway, if everyone agrees, they can just as easily agree to change the rules to turn your system off
10:31 < amiller> right but then it's all or nothing
10:31 < amiller> this is meant to prevent tiny rule changes
10:31 < amiller> that otherwise preserve the system intact
10:31 < petertodd> they had to agree to change validation...
10:31 < amiller> which makes it more plausible that you could convince everyone to agree to go along with it
10:31 < amiller> which means the system could plausibly evolve over time
10:31 < amiller> if you actually wanted to bake in certain rules permanently then you could use this technique
10:33 < petertodd> well, anyway, if you figure out how to I'll be impressed all the same
10:33 < amiller> i think the trick is to relate signatures to block validation
10:34 < amiller> the signature scheme would have to be able to use knowledge of a violated rule as an alternate way of being accepted
10:35 < amiller> this means if a miner can include a block that violates a rule, he can also sign anyone's signatures
10:35 < amiller> the point is you could still just switch to another blockchain, but you would have to leave everyone's keypairs behind
10:36 < amiller> another way of putting it is that when you generate a spending keypair, you'd be making that keypair affixed to particular set of constitutional rules
11:00 < gmaxwell> petertodd:
11:00 < petertodd> nice
11:00 < petertodd> although, I suspect the headline won't be understood as to me teleporting value...
11:08 < gmaxwell> Well, I added:
11:09 < petertodd> that looks better
12:30 < adam3us> amiller: so for example say by modifying the constitution you are allowed to add a factor of our choosing to the coin public keys and hence to know the discrete log and spend them
12:31 < amiller> i think - something like that
12:31 < adam3us> amiller: or alternatively people seem really scared of even soft forks ;P, so maybe its not essential in practice, but its an interesting question
12:32 < amiller> it's easier for me to think of this in terms of generic zero knowledge and circuits
12:33 < amiller> a public key is like the SNARK for a circuit that is valid if *either* the signature for the transaction is correct *or* you have evidence that the previous block hash contains an invalid rule
12:33 < adam3us> amiller: so what i mean is if the factor you add during your mining in constitutionally valid ways (no variation) are definitionally things you cant know the discrete log of (as they are hash outputs eg)
12:33 < adam3us> amiller: gotcha actually thats sort of generic ZKP or model
12:34 < adam3us> amiller: and yet by varying u get more freedom in the factor so could chose it maliciously
12:35 < adam3us> amiller: thats not actually the same of course, what you are saying via ZKP or is that not only could you be malicious if inclined, but you definitionally create the risk by introducing an OR zkp
12:36 < amiller> yes
12:36 < amiller> it's tricky though because
12:37 < adam3us> amiller: i could actually see that working no?
12:37 < amiller> transactions ordinarily just refer to the transaction graph, separately from blocks
12:37 < adam3us> amiller: yes there is a block / tx mismatch, that is quite inconvenient
12:37 < amiller> so i don't see immediately how to rule out that you could still just change the protocol and keep using the same public keys
12:38 < amiller> this doesn't have the desired effect if you could just interpret the existing signing keys with a different validation circuit
12:38 < amiller> the approach should be to somehow make the signing keys totally useless except in the context of valid blocks
12:38 < adam3us> amiller: right; seems like that might need something more sophisticated concept
12:39 < adam3us> amiller: like all sigs are based on SCIP/SNARK but bound to the constitution hash so that if its varied the proofs no longer are valid
12:39 < amiller> i still think this is definable just using zero knowledge and arranging things carefully
12:39 < amiller> yeah exactly
12:39 < amiller> it would turn "small one-time-only tweaks/exceptions" into suddenly *everyone's* problem that has any coins
12:41 < adam3us> amiller: yes the use-case is clear; prevents special pleadings by governments as now - bending constitutional rules due to political expediency in a time of financial difficulty
12:41 < amiller> right
12:41 < adam3us> amiller: if the cost is everyones money goes up in smoke, thats clearly worse; financial armageddon
12:42 < amiller> as it concerns bitcoin, i believe that currently people *overestimate* the relative ease of convincing everyone to go along with an incrementally rule-bending change that doesn't really affect them and might as well go with the flow
12:42 < amiller> at the same time, even a tool like this isn't a perfect solution to everything
12:42 < amiller> the ability to change rules through consensus is actually a pretty positive thing so far
12:43 < adam3us> amiller: i was just talking with petertodd about even well meaning short-termism creating problems through lack of focus on the big picture (upthread)
12:43 < amiller> i can imagine having some rules baked in this way and other rules able to change like currently through hardfork
12:43 < amiller> it seems like it would be clearly a useful tool to add but it's not obvious how best to apply it
12:44 < adam3us> amiller: yes; probably the main risk is bitcoin has a quite entangled hard to modify design, and code bug could screw core value up; would be useful if there was a way to finalize core value protection and do other higher level features separately without risking it
12:45 < adam3us> amiller: 21mil coin cap & mining production rate function are good candidates
12:46 < amiller> yeah, 21mil coin cap definitely the most fun one to aim at with this
13:00 < adam3us> amiller: so what if u made each ecdsa sig instead zkp of knowledge of DL of Q (bound to H(tx) aka ECDSA(tx) OR NOT (reward ==25 || epoch==2 & reward==12.t ...)
13:01 < adam3us> amiller: if you make a soft fork on reward, suddenly everyone will be able to spend anything
13:02 < adam3us> amiller: thats even a compact proof using representation problem (extended schnorr)
13:02 < adam3us> amiller: brands stuff can prove ==, NOT (aka !=) and OR is generic
13:04 < adam3us> amiller: could be more simply referring to currentReward()
13:50 < gmaxwell> Man, dealing with users is hard:
14:47 < K1773R> gmaxwell: those ppl deserve loosing their coins S:
14:47 < gmaxwell> K1773R: we need those people happily using bitcoin to make it have a functioning economy. :)
14:48 < K1773R> gmaxwell: unfortunately yea
14:49 < amiller> adam3us, so actually.... the trick must be to allow the miner to hide the transaction signature
14:50 < amiller> if the user submits an actual signature, then the miner can construct a ZKP that hides either (the attached signature is valid OR the prev block hash is bad)
14:50 < amiller> uh hm that still has that problem that you could give a different ZK proof for the same signature :/
14:51 < amiller> this isn't a clean change but you could require that all transactions are interactive and the tx itself requires a signature of the most recent block
15:02 < amiller> this would sort of be a general approach to having a non-reusable signature scheme
15:02 < amiller> normally signatures can be taken out of context
15:03 < amiller> i could be participating in a game where i use my gpg key to sign chess moves
15:03 < amiller> but someone else could pick some new protocol that also uses my signatures and maybe they conflict in some way
15:24 < MC1984> oh this is real.....
15:35 < sipa> is this the real life?
15:40 < gmaxwell> Or is this fantasy?
15:40 < gmaxwell> ^just
16:35 < gmaxwell> joining #eligius right now may be good for popcorn.  The operator of waynetbarclay is mad about eligius blocking his (SD style) 'dice' transactions and appears to be making veiled threats of DDOS attacks.
16:39 < warren> pastebin log?
17:43 < sipa> maaku: the name compactsignature actually comes from the fact that not using DER is more compact
17:43 < maaku> ah
17:44 < sipa> adding the recovery bit was later i think
18:24 < gmaxwell> petertodd: Luke-Jr apparently wasn't aware that the DBG transaction wasn't getting mined.
18:25  * Luke-Jr figured petertodd figured out a way around it :p
--- Log closed Thu Oct 31 00:00:27 2013
--- Log opened Thu Oct 31 00:00:27 2013
--- Day changed Thu Oct 31 2013
02:47 < warren> hmm, I see next-test didn't integrate Coin Control and watch only either.
05:53 < HM2> hmm
18:37 < shesek> so I guess Satoshi is now heavily invested in Jesuscoin? :)
18:37 < shesek> he should own a pretty large chunk of it
18:39 < shesek> given his large ownership in the early bitcoin blocks
18:39 < sipa> ...?
18:40 < maaku> shesek: yes, but unfortunately he Ascended into heaven in 2010 without leaving any of his public keys to his disciples :\
18:40 < maaku> /public/private/
18:40 < sipa> someone should create a Nakamotocoin - dedicated to The Ascended One
18:41 < sipa> by mocking his Creation
20:19 < justanotheruser> thanks andytoshi
20:22 < gmaxwell> From #p2pool:
20:22 < gmaxwell> 17:20 < owowo> gmaxwell: can you explain why ppl are mining on those BIG pools?
20:22 < gmaxwell> 17:21 < owowo> I don't get it, they must get more coin there.
20:23 < gmaxwell> oh he says he was kidding now.
20:23 < gmaxwell> dude just nearly dodged getting face-stabbed.
20:27 < shesek> bigger pools could operate on lower margins, so miners could benefit from the lower fees
20:27 < shesek> I'm not really familiar with pools though, so I'm not sure if that's true in practice
20:27 < gmaxwell> shesek: except that there are smaller 0 fee options (including p2pool)
20:28 < gmaxwell> the biggest pools have historically had the highest fees.
20:29 < gmaxwell> (the exception being, and thats weird on a couple levels including the that its widely understood that the owners of own a majority of the hashpower on their pool)
20:29 < shesek> doesn't ghash's hashpower comes mostly from cex?
20:30 < gmaxwell> shesek: yes, common ownership.
20:30 < shesek> which is physically owned by them, but should be "owned" by other people
20:31 < shesek> though as long as they have physical ownership over the hardware, its really a matter of trusting them
20:31 < gmaxwell> yea, no clue how much of cex is "owned" by other people; they don't disclose that, the prices are off the charts.
20:32 < gmaxwell> in any case, ignoring it's always been the case that the largest pools had the highest fees, almost nearly in order.
20:32 < shesek> btw, about p2pool, doesn't it have a much higher orphan rate that would really affect payouts for the worse?
20:32 < gmaxwell> wow
20:32  * gmaxwell cries
20:32 < gmaxwell> shesek: no, P2pool's orphan rate is lower than other pools by an order of magnitude.
20:32 < shesek> sorry, I'm really not familiar with p2pool and pools in general, I'm just asking to educate myself better :)
20:33 < gmaxwell> My crying is because it's just a replay of the constant fud that circulates and has no basis in reality. :( It's not your fault the whole world is dumb.
20:33 < shesek> so it seems like a lot of people are misinformed about that, I've read that in multiple places
20:34 < shesek> and I wonder how it worked out like that with the pools fees
20:34 < shesek> and why people keep joining the bigger pools if that's the case
20:35 < shesek> it might be psychological, where people think that bigger pools are better for some reason
20:35 < shesek> they face a choice paralysis when they need to pick one, and go after the largest one hoping that its somewhat better
20:35 < gmaxwell> back in early 2012 there was a span when p2pool had a somewhat high orphan rate, it's not clear if it was just bad luck or a real problem but major work was done to improve it. The end result has in the last several months had only 2 orphans against like 1627 blocks. Compared to, say, eligius which has had somewhat more than 1% orphans (also typical for other pools)
20:36 < gmaxwell> Overall p2pool has solved about 107% of the blocks you would have expected based on its observed work done.
20:37 < gmaxwell> shesek: oh a lot of people misunderstand why pooling exists, they think that mining is a race, and in a race the fastest party always (or almost always) wins.
20:37 < gmaxwell> They talk about needing an X TH miner in order to "keep up" and things like that.
20:37 < gmaxwell> Following that logic, the biggest would be best. sooo.
20:38 < gmaxwell> also explains the inverse fee relationship. They think the biggest is best but attempt, without the aid of math or understanding, to balance that against fees.
20:38 < shesek> educating miners better could definitely help here, some more official resources about that could do some good
20:39 < shesek> an "introduction to mining" on or something
20:40 < shesek> I do think there's some choice paralysis in play here too. Miners don't really have any effective way to pick a pool, which makes that choice somewhat hard... I guess that some just pick the biggest by default
20:40 < gmaxwell> yes, "so many other people choose it, it has to be good"
20:41 < gmaxwell> we've also seen some "large pool cycling" where the second or third largest pool gets a lucky run and shows up at the top of the charts... and then it becomes the largest pool.
20:42 < gmaxwell> P2pool has a bunch of UX stupidity that doesn't help, even feeds into the misunderstandings.
20:42 < shesek> perhaps something that helped pick a pool, with a weighted random based on the inverse popularity
20:42 < gmaxwell> there really is only one pool we should be recommending, p2pool. It's the only surviving pool thats a decentralized system.
20:42 < shesek> could be marketed as "help save Bitcoin from centralization by using this!"
20:43 < gmaxwell> warren has been trying that.
20:44 < shesek> setting up an "" that simply gave one pool in a big font with a link, explaining how the selection works, could be nice
20:44 < shesek> and help overcome that choice paralysis
20:44 < shesek> but yeah, long term, p2pool is much better
20:45 < shesek> but its still somewhat inaccessible to users and requires setting up a full node
20:45 < shesek> I saw a thread about this on bitcointalk, it would really help if they setup a nice looking website with instructions and easier way to get it up and running
20:45 < gmaxwell> 'they'
20:46 < gmaxwell> it's not like there is a P2pool company.
20:47 < shesek> well, yeah, it should really be a community effort
20:47 < shesek> not really "they", more like "we"
20:47 < gmaxwell> At the moment setting up a full node is so burdensome that its sort of the long poll in the tent. Sync really needs to be fixed.
20:49 < shesek> what are your current thoughts on the best way to address this?
20:50 < gmaxwell> It's addressed by sipa's headers first sync work.
20:50 < gmaxwell> But the code is immature.
20:52 < shesek> sipa closed saying that he's working on something better, is it public yet?
20:52 < shesek> can't seem to find a newer pull request / issue
20:54 < gmaxwell> shesek: he has been pipelining the changes since it seemed to be a bit much at once.
21:02 < shesek> cool, I haven't really kept up with developments on that front, looks like a good solution
21:05 < shesek> gmaxwell, what do you think about that website I suggested? I think it could be pretty cool as a go-to solution for picking a pool
21:05 < shesek> can even be provably fair by basing the "random" choice on the user's ip and user agent
--- Log closed Wed Jan 08 21:14:13 2014
--- Log opened Wed Jan 08 21:19:30 2014
--- Log closed Thu Jan 09 00:00:17 2014
--- Log opened Thu Jan 09 00:00:17 2014
01:17 < justanotheruser> Has anyone made any proposals for anonymity networks upon which things like coinjoins and coinswaps could take place?
01:22 < michagogo|cloud> I left the Jesuscoin-killing script (replaying the Bitcoin blockchain) running overnight
01:23 < michagogo|cloud> Only gotten as far as block 234853
01:25 < justanotheruser> michagogo|cloud: nice, you actually made the magic changing thing
01:26 < michagogo|cloud> justanotheruser: I actually tweaked to do that
01:26 < justanotheruser> michagogo|cloud: does jesuscoin have a community at all?
01:26 < michagogo|cloud> But before I actually ran it, I realized that I didn't need to
01:26 < michagogo|cloud> This script also works:
01:26 < michagogo|cloud> justanotheruser: Not really, afaik
01:27 < justanotheruser> michagogo|cloud: Is this only possible because jesuscoin has all bitcoins defaults?
01:27 < michagogo|cloud> justanotheruser: Yes
01:27 < michagogo|cloud> It's a 100% clone of Bitcoin
01:27 < michagogo|cloud> Specifically the genesis block and parameters
01:29 < wyager> Oh my god
01:29 < wyager> that is so stupid
01:29 < wyager> And hilarious
01:31 < justanotheruser> heh
01:31 < justanotheruser> I wonder why no one did this for ixcoin or i0coin
01:31 < justanotheruser> well I guess ixcoin had a premine, but i0coin it might be possible
01:58 < justanotheruser> Bitcoin currently only allows turing incomplete scripts. Please tell me why an altcoin that has a limit on both block size and cycles executed to verify a blocks transaction (allowing turing complete scripts) is a bad idea.
03:35 < nsh> justanotheruser, it's not a bad idea, experimentally. it might be a foolhardy store of value
03:36 < justanotheruser> nsh: why?
03:37 < nsh> because there's no explicit incentive analysis that guarantees behaviour converges towards the subset of actions that preserve integrity
03:38 < nsh> there could be weird effects that stop people self-interestedly cooperating to keep value stable
03:38 < nsh> (there could also not)
03:38 < Taek42> technically, if you limit the number of cycles then it's not turing complete
03:41 < justanotheruser> Taek42: the scripts were never turing complete
03:42 < justanotheruser> and there can only be a limited number of scripts per block, therefore the blocks were never turing complete
03:42 < Taek42> I know that, was just nit-picking
03:43 < justanotheruser> Taek42: oh, I misunderstood. You were referring to my original statement where I said this could be turing complete.
07:26 < TD> if your addresses become compromised and they are on business cards, etc, you're hosed
07:26 < adam3us> TD: well they either need cold wallets, or air gapped armory-style deterministic wallets
07:27 < adam3us> TD: yes.  it would only make sense to publish a static address really with an offline wallet for the disaster recovery reason you gave
09:07 < phantomcircuit> TD, that's a good point
09:24 < adam3us> phantomcircuit, TD: i guess the certification model extends the other way also: if you put on your biz card the master offline business/user identity pub key address, you could have the blockchain timestamp the signed subwallet deterministic address, as an analog to certificate transparency in x509 world, and ask any full node for SPV validation of this identity's address.
09:25 < TD> i'm much more interested in ways to link keys/payreqs to social networks
09:25 < TD> as that is what people seem to use these days
09:26 < adam3us> phantomcircuit, TD: kind of complicated however.  ideally you want to be able to support scenarios where the wallet is offline, but connected to the network via the merchant only, without them getting ripped off via the unspecified change
09:26 < TD> i mean even email seems to be in its death throes for a lot of people
09:26 < TD> the number of times  i try to email someone and discover their entire online presence exists only on various social networks or via stupid online forms is .... irritating
09:26 < TD> twitter is not a replacement for a public, non-obfuscated email address!
09:26 < TD> but this is the trend of our times
09:26 < phantomcircuit> TD, people or companies?
09:26 < adam3us> TD: i share your frustrations :)
09:27 < TD> people
09:27 < phantomcircuit> TD, bizarre
09:27 < TD> companies still use it as much as ever, AFAICT
09:27 < TD> email is still the best for "serious" communication
09:27 < adam3us> there maybe some aspect of scale - if you are going to wire a company a lot of money, you want to be sure you have the right address/account number in this analog
09:27 < phantomcircuit> TD, personally i avoid email for company <-> customer communication as much as possible
09:27 < TD> but a lot of people don't really engage in a lot of serious conversation online. it's all short messages and social networks are better for that
09:27 < phantomcircuit> it's enormously difficult to keep straight who you're dealing with
09:28 < adam3us> TD: i just engaged in some research q about hashcash for udp/ip anti-DoS with a fellow who seemed to want to do it over twitter; twitter even dropped msgs, lots of them, so i had to go search for them
09:28 < TD> ugh
09:29 < TD> yeah i can't believe anyone wants to use twitter for anything approximating work. but now i feel like i'm getting old and i'm  not yet 30
09:29 < TD> some years ago the gmail team did a lot of research that scared the crap out of the entire division
09:29 < TD> it basically said that an entire generation didn't use email at all. period.
09:29 < TD> the only reason they had an email address was to register at sites
09:29 < TD> and/or because their university/school insisted on one
09:29 < adam3us> TD: I mean i recognize the guys handle he's been on cpunks for years, and i believe he's highly competent in host security circles, but holy moly that is not a topic for twitter
09:29 < TD> it had been 100% killed by facebook
09:29 < TD> now facebook is getting killed by WhatsApp
09:30 < TD> so, trying to keep up with how people organise and communicate is a waste of time. much better to find a way to be general about this and coattail it
09:30 < TD> hence my interest in steganographically encoding short URLs where you can find a payreq into profile pictures
09:31 < TD> that's one thing all these mediums have in common (er, except email, but email has attachments)
09:31 < phantomcircuit> TD, gotta love whatsapp's security
09:31 < TD> "startup code". though i think they improved it since
09:31 < phantomcircuit> lol duplex rc4 streams with the same key
09:31 < adam3us> TD, sipa: btw re discussion yesterday about why people are confused that an address is static, i presume you may've come across living in zurich, with swiss private banks if you ask for a private payment, they send the transfer only with a transaction number, not a sending account number - its rather similar to bitcoin, but most people dont know about that or how it works
09:32 < phantomcircuit> adam3us, it would probably be easier to explain to people as a single use credit card number but for the merchant
09:32 < phantomcircuit> (maybe)
09:33 < adam3us> phantomcircuit: yes that is a good analog, just amused me that in some ways bitcoin addresses are a reinvention of swiss banking privacy technique, one-use transaction numbers in place of accounts
09:34 < TD> heck i live in switzerland and have never encountered that
09:34 < TD> swiss banks are like any other bank as far as I can see. except, reasonably competent
09:34 < TD> (in terms of their user-facing stuff)
09:34 < TD> (not their investment decisions)
09:34 < BlueMatt> or their signup requirements for americans.....
09:34 < adam3us> TD: you'd have to request it, see people with swiss private bank accounts are sensitive about other people learning their account number
09:36 < TD> well that's not their fault
09:36 < TD> anyway their signup requirements are mostly very simple.   "you cannot be american". doesn't get simpler than that!
09:36 < BlueMatt> heh
09:36 < phantomcircuit> TD, well you can be american, but you have to basically allow them to give you entire account history to anybody who asks for it
09:37 < phantomcircuit> also you need lots of money
09:37 < BlueMatt> (and prove residency)
09:37 < TD> no quite a few banks just forbid US citizens period
09:37 < TD> some will do it and handle the requirements yes
09:37 < phantomcircuit> TD, those bans are always dependent on how much you want to deposit
09:37 < adam3us> btw Ian Grigg/systemics with their sox protocol ran for a time a payments server demo with one-use, or user-controlled creation of multiple account numbers.  he was the guy who also operated egolds transaction server under contract somewhere in the caribbean - its analogous to the swiss private banking privacy model, and the bitcoin model
09:38 < adam3us> phantomcircuit: $500k min deposit i think
09:39 < phantomcircuit> adam3us, yeah i guess
09:39 < phantomcircuit> but i dont see why anybody would bother unless they actually lived in .ch
09:39 < adam3us> Ian Grigg actually wanted to use chaum/brands signing but couldnt get a license due to the chaum patent getting locked up in a patent holding company and other similar issues
09:41 < adam3us> phantomcircuit: well its private is the point (financial privacy) and .ch has some nice AAA rated banks (the US doesnt have any) also if you live in spain, cyprus, much of europe its a great way to avoid getting an involuntary depositor haircut
09:41 < phantomcircuit> adam3us, for a us citizen there isn't really much more privacy
09:42 < phantomcircuit> so really what you're getting is a competent bank in the .eu
09:42 < adam3us> phantomcircuit: its orthogonal from taxes - you have to declare it or get taxed anyway if you have a european passport also.  there is also asset protection.  they do not seize funds without a swiss court seeing evidence and it passing their legal standard
09:43 < TD> it looks like there's going to be a referendum on FATCA actually
09:43 < TD> which worries me a great deal
09:43 < TD> that could lead to "interesting times" for sure ...
09:44 < adam3us> TD: grr facta, wipo etc.  i wish the chinese would just say no, hire falkvinge as advisor, and start a countervailing force
09:44 < TD> i quite like switzerland. i hope it doesn't end up engaged in a bloody fight it's too small to win
09:45 < TD> it's fat-ca  not facta, though the former is much harder to say
09:45 < TD> well unfortunately the nature of how fatca works mean no one country by itself can stop it. that's rather the nature of empire, see, conquered lands are forced to join the army and fight the next one
09:45 < TD> until nobody is able to stop the conquering army and you end up with rome
09:46 < TD> it takes *simultaneous* opposition
09:46 < TD> that isn't going to happen.
09:47 < phantomcircuit> adam3us, theoretically that provides some level of protection
09:48 < phantomcircuit> in practice however very few us citizens with funds in swiss banks would benefit from that in a meaningful way
09:50 < adam3us> TD: yes fatca is the equivalent of viral licensing. they are trying to take over and unify.  its a very bad trend because it precludes jurisdictional competition and societal exploration of conventions pulls everyone down to the lowest denominator (whatever american politicians are paid by lobbyists to think)
09:50 < TD> i would put it more simply:  it is the end of independent countries and the formal start of the american empire
09:50 < BlueMatt> hah, yep, welcome to us banking regulation (and others, ie trade sanctions...)
09:50 < BlueMatt> we own the world, screw everyone else
09:51 < adam3us> TD: agreed.  the only hope I see is the rise of asia economic and geopolitical influence
09:51 < BlueMatt> and yet even americans have a fundamental hate for their politicians....
09:51 < BlueMatt> one would hope the eu would be large enough and willing to compete, but that clearly isnt gonna happen
09:51 < TD> yes it's quite an unstable situation, where you have a tiny number of people in washington who are despised by nearly everyone including the people they claim to represent
09:52 < adam3us> TD: and the meteoric rise of rick falkvinge & pirate party, still an outlier but growing
09:52 < TD> the only thing keeping a lid on it, is the fact that technically they were "voted" for, but i wonder how long that will continue to placate people
09:52 < TD> BlueMatt: well, compete in what sense?
15:29 < adam3us> jtimon: so long as the contracts catalog that you consider as your benchmark are implementable in a turing completeness sense, with the current script language, maybe its better to focus on a translator from pseudo-legalese to script.  and add minimal script extensions to cover any gaps rather than going for eval like generality and trying to contain the damage
15:29 < gmaxwell> jtimon: Yes. It's not about "dumb" it's about having forced choice.
15:29 < jtimon> maybe maaku and I are too optimistic but to me it seems an exaggeration
15:30  * adam3us is loathe to repeat that long thread
15:30 < jtimon> "having forced choice"? I don't understand
15:30 < gmaxwell> sure you could _choose_ to refuse to do business with this or that, or refuse to accept this or that coin. You could also choose to live in a cardboard box under the freeway.
15:30 < gmaxwell> Not all choices are meaningful, even in the presence of perfect information.
15:30 < jtimon> who forces you to accept amlcoins? who forces you to turn your btc into amlcoins?
15:30 < maaku> jtimon: well, we're also thinking about this in the context of having 5% of the monetary base refreshed annually
15:31 < adam3us> adam3us: but in summary as the regulators have much control over the gateways to banking infra, a viral amlcoin enforced at exchanges would already be enough i think
15:31 < jtimon> maaku and they think it from the perspective that deflation doesn't matter, so 1% of the current btc will be ok, and 0.1%, 0.001%...
15:32 < adam3us> jtimon: anyone who only accepts amlcoins that you have a poor choice with (no service or amlcoin, amlcoin as change because of the payment integrator they are using etc)
15:33 < jtimon> the way you talk about it, is like if btc would be doomed if bitpay and gox stopped accepting bitcoin and moved to ltc...
15:33 < andytoshi> adam3us: it occurs to me re your 'redcode' scenario that this is exactly what happened in the real global financial system in 2008
15:34 < andytoshi> ie the legalese that contracts for derivatives are written in is turing complete, and extrospection capabilities are determined by a regulatory regime that did not do cogent incentive analysis
15:34 < adam3us> andytoshi: haha yes.  the system was virus prone.  the fintech/bankster boys dreamed up viral make-money fast schemes that are doomed to crash with OPM
15:34 < andytoshi> which led to things like, eg the cds market hitting a 4 quadrillion cap :P
15:34 < jtimon> " amlcoin enforced at exchanges" you mean prohibiting bitcoin exchanges?
15:35 < adam3us> andytoshi: fascinating analogy.  and we think we can protect that by restricting the contract language? (probably not)
15:35 < gmaxwell> jtimon: it's much harder politically to shut down bitcoin exchanges when to do so you're suppressing bitcoin. Much easier where "oh no, bitcoin exchanges are fully permitted! they just have to comply with the law"
15:36 < andytoshi> adam3us: so this is very cool, there is potential here for us to describe the horrible subtlety of financial regulation, in the context of cryptosystem currencies (which i have mentioned before, lets us do a lot of spherical-human economic analysis thanks to trustlessness)
15:36 < adam3us> jtimon: much was said upthread but yes  exchanges already comply with aml, if bitcoin supports viral aml, regulator will say "ok so use it or shutdown" and users will say ok i want to buy $100k btc i can spend a month on bitcoin-otc (coffee shops for cash) or put up with amlcoin etc
15:36 < jtimon> adam3us: I just don't believe all countries will prohibit bitcoin exchanges
15:36 < andytoshi> and have a very simple-to-describe but very precise "here is where the thinking went wrong" explanation of that whole situation
15:37 < jtimon> " users will say ok i want to buy $100k btc " wasn't your assumption that the users weren't able to get btc out of the exchange anymore, just amlcoins?
15:37 < adam3us> jtimon: i think if the world was as sure as you are about financial regulation and bitcoin the price would be $100k/coin already :D  i think one of the main things holding bitcoin back is just that - uncertainty about regulation! its not that there havent been multiple non-basket case jurisdictions that have behaved erratically with bt regulation
15:38 < andytoshi> adam3us: re "restricting language", maybe that is exactly what we want to do, combined with maaku's "provably nonviral" ideas
15:38 < adam3us> jtimon: right.  thats what would happen to any exchange that was forced by regulation to use amlcoin covenants
15:38 < andytoshi> because we've seen in real life that pasting "don't act in bad faith" policies onto a turing complete system lets people do weird destructive things
15:39 < adam3us> andytoshi: i dunno sounds like halting problem^2 in hardness
15:39 < gmaxwell> adam3us: no, because as maaku pointed out, you can fail-safe.
15:39 < gmaxwell> If the static analysis can't prove your transaction sufficiently non-viral, its just not valid.
15:39 < andytoshi> adam3us: the result would be basically a whitelist of policies, and if people can prove that new things are safe maybe they could post a SNARK showing that or something, so the hard analysis is on them
15:39 < adam3us> andytoshi: BUT what we can do and i pushed this thought to a few offline people, is have auditable insurance coverage through the insurer, the reinsurer, the assets, the companies balance sheet, revenue, dividendes etc.
15:42 < adam3us> gmaxwell: maybe.  now security depends on a few more components including a theorem prover's comprehension vs virus writers
15:42 < adam3us> andytoshi: nice to have a fast to verify compact proof yes.
15:43 < andytoshi> adam3us: we could maybe put these proofs in the blockchain along with a unique identifier, then require all txes to reference the proof that they are safe
15:43 < nsh> we're on to viral transactions now? great...
15:43 < andytoshi> obviously this is a half-baked idea, as you say theorem proving is not developed enough to do such high-consequence real-world stuff
15:44 < adam3us> andytoshi: maybe.  or we could amuse ourselves with what we can do with non-extrospection languages
15:44 < andytoshi> yeah, i'm really impressed and surprised with what you guys have found to be possible
15:44 < nsh> i'd like to see a fully darwinian transactosphere...
15:45 < adam3us> nsh: suggest looking at ethereum.  will be interesting to spectate :)
15:45  * nsh nods
15:47 < nsh> had a very unbaked and thoroughly handwavey idea about a DSA-authorized capabilities-based distributed computational system over a blockchain with costed access to scripts and (computational) inputs somehow marked to market by utility or complexity
15:48 < nsh> not sure exactly what all those words means though so it'll probably remain pretty deep in my imagination :)
15:49  * adam3us wonders if its considered part of redcode game to write ethereum stealing viruses?
15:49 < andytoshi> that's interesting, if you can infect a majority of hashpower you can "hack the matrix" so to speak :P
15:50 < nsh> (it's always part of the metagame to cheat in ways that haven't be considered and thus explicitly prohibited)
15:50 < andytoshi> i guess i mean, if you can infect almost all the validating nodes
15:51 < gmaxwell> I think I mentioned before, some of these altcoins basically appear to have no nodes... even 'widely' used ones: people just mine directly to exchange accounts.
15:51 < gmaxwell> so you've got a couple of pools, a couple of exchanges, an odd geek or two, and thats it.
15:52 < adam3us> nsh, andytoshi: i was thinking there could be two levels of viral ethereum programs.  a) within the interpreted execution space, eg viral covenants etc; b) escape the interpreter via sandbox escape.  i wonder though, they probably wouldnt find it funny even if you did
15:52 < gmaxwell> and these are things where there is no huge cost to running a node... the chains are small because there are few txn.
15:53 < adam3us> gmaxwell: ha not only no tx, no wallet, but not even any full nodes.
15:53 < nsh> hmmm
15:54 < gmaxwell> well there are some levels of transactions, but no real reason for someone to run a node. So thats the kind of outcome I'd expect for ethereum, particularly because running a node would be expensive.
15:54 < adam3us> gmaxwell: i was thinking beyond why not virtualize the whole thing.  pay for virtual VPS, virtual ASIC hardware,... maybe you can make that provably fair like central but fair dice; i mean what the difference its only a tulip/pyramid coin anyway.  people can speculate on synthetic nothing without wasting electricity then
15:55 < gmaxwell> adam3us: you could call it "mastercoin"
15:55 < adam3us> gmaxwell: minioncoin.  maybe someone should fork mastercoin and put it on top of dogecoin
15:56 < gmaxwell> Every dog has his master.
15:56 < gmaxwell> Many leashes. Such dogwalk.
15:56 < gmaxwell> the "exodus" needs to be DogCarRide
15:57 < adam3us> gmaxwell: please can 2014 be the year of the death of tulip coins?
16:00 < kinlo> heh, to see gmaxwell talk dogetalk made me laugh :)
16:03 < michagogo|cloud> andytoshi: Erm, you've given me an error I've never seen before
16:03 < michagogo|cloud>,kwBmvFO
16:04 < michagogo|cloud> andytoshi: Is the file I got broken?
16:04 < michagogo|cloud> 3836c0fef1bffbb4ed7c35564dbb23ad51295a74df7bc53b234b13e198bf4264 */cygdrive/c/Users/Micha/Downloads/
16:04 < gmaxwell> kinlo: that meme was a favorite in my household two months ago. dogecoin is kinda overplaying it at this point.
16:04 < michagogo|cloud> (sha256)
16:04 < maaku> "maybe.  now security depends on a few more components including a theorem prover's comprehension vs virus writers" <-- there's no way you'd want the theorem prover to be part of consensus
16:04 < maaku> i was suggesting it as part of the IsStandard check and wallet code
11:52 < TD> i am rather skeptical about widespread coinjoining. small scale joining gives you a small modicum of deniability .... how much privacy it gives you is rather an open question at this point
12:00 < petertodd> Emcy: in the short term my main thinking is to use coinjoin with two-party-mixes as a way to thoroughly break the idea that transactions are authored by a single person. There's a lot of work to do beyond that, but breaking that assumption is a very important first step.
12:01 < petertodd> Emcy: e.g. naive two-party-mixes leak information with regard to the values on the txins and txouts, but subsequent efforts can help plug that leak by, for instance, using value-matching techniques where one party to the transaction deliberately matches the values of the other party's txouts
12:03 < petertodd> Emcy: this also ties into merge avoidance: if txins are not always merged into a single txout to make a payment you have a lot more flexibility in making coinjoins that don't give external observers useful information. equally that people are doing merge-avoidance with coinjoin means that even when you don't use that feature, transactions have solid plausible deniability
12:08 < petertodd> Emcy: example: I want to pay you, and you've told me you'll accept up to two txouts for that payment. I do a two-party CJ mix with someone who needs a specific output value, and I use one of those txouts to match their value, the other to send you the balance of the payment, and I have a third txout with my change.
12:19 < petertodd> Hmm... and come to think of it, rather than calling it "merge avoidance", the idea is better described as "merge flexibility" - the receiver of funds is saying "here's how many txouts I'm willing to accept, use that to better optimize how you merge the txouts you are using to pay me to balance privacy and cost per transaction". Using CoinJoin in conjunction with merge flexibility is a win because it lets you get away with fewer txouts - more ...
12:19 < petertodd> ... merging - at the same privacy level. In short, it's cheaper for a given level of privacy.
12:22 < Emcy> petertodd i fear it will take much more. Youre assuming rationality about how the system works.
12:23 < petertodd> Emcy: explain?
12:23 < Emcy> consider how bad IP addresses are for identifying individuals vis a vis the war on bittorrent
12:23 < Emcy> they do it anyway, no one seems to care much that they get it wrong all the time
12:24 < petertodd> Emcy: oh sure, don't get me wrong, I'm not saying this is easy. The fact that "merge avoidance" seems to have been proposed as a way to let blacklists still function shows how hard this will be.
12:24 < petertodd> Emcy: But we can only respond by making better privacy as cheap and easy as possible and trying to get as many people using it as possible.
12:24 < Emcy> it seems like you have to stop the idea that some sort of convenient data can ID a person and what they do before people get it into their heads, never mind that it might be completely wrong anyway
12:24 < petertodd> Emcy: even's centralized coinjoin implementation is a huge win in that regard
12:25 < Emcy> thats why convalidation makes me worry even as it is now
12:25 < petertodd> same, but again, sitting around and complaining won't fix things.
12:27 < Emcy> do you really think mikes merge avoidance thing was really proposed specifically to let blacklists get a foot in the door?
12:27 < Emcy> I thought it was more CJ + merge thing complementing each others weaknesses
12:28 < petertodd> Emcy: yes. from the article on medium: "Merge avoidance doesn't interfere with coin tracing."
12:28 < petertodd> Emcy: the original proposal was merge avoidance as a complete replacement for coinjoin; fortunately it complements coinjoin very nicely
12:29 < petertodd> Emcy: notably everything that makes merge avoidance possible to use without coinjoin can be re-used to use it with coinjoin.
12:29 < Emcy> can you link? I thought i read it. maybe that went right over my head
12:29 < petertodd> Emcy:
12:29 < petertodd> Emcy: it's at the bottom of the article
12:30 < petertodd> Emcy: the article is very misleading about coinjoin as well, giving lots of reasons not to use it
12:31 < Emcy> i really want to believe hes playing devils advocate like it was a 10 pence a go street fighter arcade cabinet in 1989
12:32 < petertodd> Emcy: FWIW merge avoidance isn't new either - the first time I heard of the concept was from adam back pointing out how pervasive merge avoidance gives privacy properties very similar to zerocoin. (if coins are always fixed in size)
12:33 < petertodd> Emcy: lol!
12:36 < Emcy> it just seems like there are quite a few people confusing pragmatism with submitting fully to the usual strictures requested on disruptive new techs without a fight
12:38 < Emcy> if you cant imagine something better than the way things basically already are with a new coat of paint then why the fuck are you here frankly.....
12:39  * nsh subscribes to Emcy's newsletter
12:39 < petertodd> lol
12:39 < Emcy> yeah i completely missed that last paragraph of that article somehow
12:40 < petertodd> Emcy: heh, the interesting thing is how that paragraph was in there in the first place - nicely transparent
12:40 < petertodd> Emcy: anyway, we're lucky that good solutions appear to exist; hopefully as they are implemented we don't find show-stopping problems
12:42 < Emcy> hopefully hes wrong about mergepurge being in lieu of coinjoin, and people realise they work better together...........but he might be right
12:43 < petertodd> the laws around this stuff are certainly still in flux
12:43 < Emcy> i have a heavy suspicion there are LOTS of people in bitcoin who would betray it utterly to The Man if it means the price keeps going up, which it pretty much will as long as its not banned or something
12:43 < petertodd> agreed
12:44 < Emcy> right, and if that happens then the uncomfortable conclusion is that every other shitty and irrational thing in the world is the way it is because it has to be, because we suck.
12:45 < Emcy> perhaps thats my projecting though
12:45 < TD> Emcy: it works for bittorrent because basically all IPs that participate in a particular torrent are all doing the same thing (i.e. violating copyright). you can't generalise from that to bitcoin.
12:46 < andytoshi> Emcy: a lot of people here are dimly aware that "bitcoin is decentralized" but simply cannot imagine anything else .. only recently have people started talking about this stuff like it's something normal people should be doing
12:46 < TD> i don't think my article is misleading about coinjoin. it balances other things that were written about it by pointing out some obvious problems.
12:46 < andytoshi> so we'll see an improvement as awareness increases
12:46 < TD> which were not being adequately covered elsewhere
12:47 < petertodd> TD: cj will be soon implemented without centralized servers, so you can correct that, you can also correct the long waits as the plan is to combine users who want txs to go through now with ones who are willing to wait
12:47 < TD> if/when those things happen i would amend the article. however it's not misleading to describe the world as it is now.
12:47 < andytoshi> TD's article also talked about how cj is not a panacea .. i agree, this was not really mentioned elsewhere
12:48 < petertodd> TD: coinjoin isn't implemented now, so talking about a theoretical bad implementation isn't honest
12:48 < TD> somehow you don't believe what genjix or blockchain did is coinjoin?
12:48 < petertodd> TD: note how bc.i's implementation uses techniques to negate most of those concerns
12:49 < petertodd> TD: genjix is a quick prototype. anyway, it's dishonest to talk about what merge avoidance might be unless you are willing to compare it to what coinjoin just as plausibly might be
12:50 < TD> i don't think there was any dishonesty in my article at all, it correctly reflected the issues that exist with implementing both approaches. but i'm tired of arguing about this. you will continue to paint me as dishonest and somehow part of a conspiracy regardless of what i write, because that's what you do.
12:50 < petertodd> TD: if you don't want to be painted as dishonest, then don't write stuff that leads to that conclusion
12:51 < TD> see? i haven't. it's just you.
12:51 < petertodd> TD: this conversation isn't going to be very productive for either of us
12:51 < maaku> TD: genjix and (and andytoshi's) are not the protocol described in gmaxwell's original posting
12:51 < TD> correct
12:52 < petertodd> maaku: yup. more to the point, coinjoin is a whole family of techniques, with different tradeoffs. I'm pushing two-party-mixes because I believe that the tradeoffs are useful, but other approaches (like yours!) have tradeoffs that make more sense in different circumstances.
12:54 < petertodd> TD: anyway, please do work on merge avoidance - as I say above it'll really help make coinjoin more useful
12:55 < TD> lots of other things to do first. like actually get the payment protocol launched and used.
12:58 < petertodd> TD: seems to me that a good first step would be to define an output range in the Output message in the payment protocol: "optional <something> amount_range = 3;"
12:59 < TD> well, you can do some merge avoidance with the v1 protocol as specified
12:59 < Emcy> TD no the point is that you cant link an IP to a person to any sort of acceptable evidentiary standard, for the act of infringement. But it happens anyway.
12:59 < TD> which is no surprise because i designed it that way from the start
12:59 < petertodd> TD: sum of all outputs must == sum of all amounts
12:59 < TD> Emcy: of course you can. Find a torrent that is for a movie. Find all participants in that Torrent. They're all distributing the movie. Open/closed case, right?
10:30 < adam3us> gmaxwell: its the missing part of my hypothesis that a 1-way peg is already close to plausible for mkt maker to fill the gap, if there is eg some long term chain migration plan.  in this way no migration is necessary.
10:32 < adam3us> gmaxwell: pay per cycle.  yes seems plausible, but may create lumpy work load for nodes.  maybe processing with in a given time-frame becomes critical to the semantics of the tx even.  the point of TC would be to use it as a meta-programming language to define new coins and rules.  eg in this kind of system something like p2sh change is just a script with no system code changes.  a script can define a new concept
10:33 < gmaxwell> yea, I'm still not arguing letting validation become expensive is a good idea. :P  Just filling out the idea.
10:34 < adam3us> gmaxwell: but u have to wonder about the safety of that.  btc script is intentionally constrained and even then people were value scared enuf to disable most of it.  general script are even disabled right (only certain pre-cooked ones allowed)?  this on the other hand may allow a clever set of scripts to attack each other, and
10:35 < gmaxwell> Implementers currently get script execution all wrong and it's already quite simple.
10:35 < adam3us> gmaxwell: so someone creates a btc/usd call option, and someone else creates another script to do something else or a competing call option and it steals all the money from the other call options.  its like redcode
10:36 < petertodd> adam3us: I don't think we're ready to have scripts run on their own - creates consensus issues about when a script is supposed to run!
10:38 < adam3us> gmaxwell: even if the interpreter is correct (single implementation = spec satoshi style) i am not sure about the redcode game issue
10:38 < petertodd> redcode game?
10:39 < adam3us> petertodd: never played it but
10:39 < petertodd> adam3us: ah! yeah that's a classic
10:39 < adam3us> petertodd: users battle for control of the cpu with hostile code
10:40 < petertodd> Interesting thought: transactions and the blockchain are a way of stringing multiple bits of code together in a DAG.
10:41 < gmaxwell> adam3us: certainly that kind of ecosystem would create greater incentives for reorgs.
10:42 < andytoshi> petertodd: i have thought about making a blockchain-based haskell-like language
10:42 < andytoshi> sadly, i could see no point to it
10:43 < petertodd> andytoshi: I had a similar idea of doing a HSM with merklized forth actually - pretty much the exact opposite direction in terms of implementation complexity
10:45 < andytoshi> hsm == Hierarchical storage management ?
10:45 < gmaxwell> hardware security module
10:46 < andytoshi> gmaxwell: ah, that's what i thought, but i didn't see the connection to merklized forth
10:46 < adam3us1> gmaxwell: but even if (hypothetically) the incentives worked, and the interpreter escape issue was magically solved, and program counter issues avoided... i am still wondering if its fundamentally unprovably dangerous
10:46 < petertodd> andytoshi: it's more because forth is incredibly simple, so it's more likely you'd actually get the implementation right
10:47 < adam3us1> gmaxwell: see i mean it defines a language for writing bitcoin functions, new script functions, new semantics for value transfer or whatever, its fully general; but in such an environment would u not be in a core-war / redcode scenario is my point
10:47 < petertodd> andytoshi: yet forth still can do lisp-like tricks by doing data as code
10:48 < andytoshi> petertodd: oh, i see
10:48 < andytoshi> i should've looked up forth instead of hsm :P all i know is 'stack-based language'
10:48 < gmaxwell> adam3us1: I'm not sure if it would be core-war or not. If resource constraints work they'd be fighting the resource constraints not each other. Certainly lots of people would lose money by writing dumb code that can be tricked. "LOL I integer overflowed your transaction and took all your monies!"
10:49 < adam3us1> gmaxwell: its almost but not quite, like you linked a remote execution of java byte code for fees and feature extension into the bitcoinj - in theory flexible - in practice dangerously generic
10:49 < gmaxwell> and yes, I think it would be very very hard to make safe in a single implementation, and exceptionally hard to safely reimplement.
10:50 < adam3us1> gmaxwell: i mean that one could just take your private key and be done.  but yes exactly, the question is beyond that even competently written script extensions written in a generic jvm bytecode kind of level be systematically safe from any other byte code string that could be later run in the competing ecosystem
10:50 < gmaxwell> This is why I prefer the path of using SNARKs of some kind for more complex scripts.
10:50 < andytoshi> it seems that any instance of 'breaking out of the sandbox' would be a forking scenario, since it'd probably depend on the memory layout of the targets
10:51 < gmaxwell> adam3us1: I mean, right now eligius isn't using a multisignature address for the emergency pool address because they don't know how to go forward on making sure their preferred script formulation is safe.
10:51 < adam3us1> gmaxwell: well snarks just mean that u dont run the code, you run the verifier on the proof the code was run; it still vulnerable if it is as self-extensible as TC arbitrary vm bytecode level code
10:52 < petertodd> gmaxwell: you mean they don't have the tools to just go make a scriptSig to try spending it?
10:52 < gmaxwell> andytoshi: maybe, overwriting the behavior of one other opcode might be possible just with a constant offset.
10:53 < gmaxwell> petertodd: they want to have a {a and b} or {{a or b} and 2 of 3{c,d,e}} sort of script. They came up with one, but were not completely confident that their coding was flawless (or if unexpected behavior in op_if would let funds get stolen)
10:54 < gmaxwell> adam3us1: at least there is no "code escape" bug in the snark case. Or consensus-critical-implementation-consistency bugs.
10:54 < andytoshi> adam3us1: are you talking about finding bugs in the snark circuit (which is commited to in the preprocessing stage) itself?
10:54 < petertodd> gmaxwell: ah, did they do the "op_if" as "select block of code" style?
10:54 < gmaxwell> only the risk that you write a bad script.
10:54 < adam3us1> gmaxwell: i am thinking it may have even some mathematical provability limits.  if u consider the near infinite (finite because of program counter limit per time-slice)  set of computable functions how can you generically prove that there exists no other function that can damage the intended properties of the former extension function when used by anyone.
10:55 < adam3us1> gmaxwell: correct on the code escape and interpretation fork
10:55 < gmaxwell> petertodd: they did two checksigs and accumulator to count how many worked, and if its not two, they drop into an op_if block that checks the accumulator for one, and runs a check multisig.
10:55 < adam3us1> andytoshi: no i am just saying if each and every user can go wild and create bitcoin script language extensions dynamically how do u know the resulting ecosystem will be safe after each dynamic new feature is added.  it is maybe mathematically undecidable
10:56 < gmaxwell> adam3us1: sure, or "You can steal my coins if you can find the discrete log of 0xdeadbeef"
10:56 < andytoshi> adam3us1: oh, gotcha, still on the redcode scenario
10:57 < petertodd> gmaxwell: right, see I would do that as op_if 2 a b checkmultisig else if a checksigverify else b checksigverify endif 2 c d e 3 checkmultisig endif
10:57 < adam3us1> gmaxwell: but these TC extensions are stateful.  so if there is any rational logic to disabling simple things like XOR script, this is like letting anyone define new opcodes and higher level functions running arbitrary byte code.  how is that safe in comparison
10:58 < petertodd> gmaxwell: spend with sig_a sig_b 1, or with: sig_c sig_d (sig_a or sig_b) 1/0 0
10:58 < petertodd> gmaxwell: no accumulator needed
10:58 < gmaxwell> petertodd: well that form repeats the pubkeys a fair bit.
10:59 < petertodd> gmaxwell: yes, but it's very simple to understand
10:59 < gmaxwell> adam3us1: yea, I can't justify stateful things.
10:59 < gmaxwell> petertodd: but ... we want to both have and eat the cake.
11:00 < petertodd> gmaxwell: lets see if we can successfully eat a muffin without losing tens of thousands of dollars
11:00 < gmaxwell> petertodd: in any case, it's an issue that the ability to safely use fancier scripts is that they're moderately risky.
11:01 < gmaxwell> but (1) my comment was also an existence proof that people are actually smart enough to realize this (2) it's sort of their own problem if they don't.
11:01 < petertodd> gmaxwell: well that's just inherent to doing complex things
11:01 < andytoshi> i thought the rationale for having disabled opcodes is that they could screw with the people running the code (i.e. everyone) to cause either DoS attacks of some form, or worse, forks
11:01 < gmaxwell> (It wasn't me who pointed out that script was risky either, I think)
11:01 < andytoshi> but in case of snarks, everybody is just verifying that a specific (TC-complete) circuit was run
11:02 < gmaxwell> andytoshi: we disabled the op_codes because lshift was exploitable to crash nodes.
11:02 < petertodd> andytoshi: the rationale was "oh shit! lets be super cautious now"
11:02 < gmaxwell> It turns out that some of the other disabled ones had other bugs too.
11:02 < petertodd> andytoshi: lshift could have been fixed, but just disabling was easy
11:02 < petertodd> andytoshi: back then I don't think people fully understood how hard re-enabling them would be
11:03 < adam3us1> gmaxwell: what next. google nacl (sandbox execution of x86 binaries).  activex for bitcoin :)
11:03 < andytoshi> well, i'd hope that we don't have OP_OPENNETWORKPORT ;)
22:32 < gmaxwell> e.g. who cares if you use dollars as your daily spending money. Gold exists and is 'deflationary' (maybe, ignoring your collapse argument)... so if the argument is true why isn't the economy collapsing due to people rapidly converting every free dollar they have to gold?
22:33 < andytoshi> the claim is that once people have their gold, they stop converting anything to anything..
22:33 < andytoshi> which is arguably even sillier
22:36 < gmaxwell> I think a lot of this ultimately stems from the fact that there are inherent unfairnesses and inefficiencies in the whole concept of durable money.
22:36 < gmaxwell> But the notion that money itself is a purely artificial construct and perhaps not perfect in every way, is so far outside of peoples thinking that they get stuck in weird dissonance.
22:38 < gmaxwell> At least in the US our society has placed money in a position of existing as a kind of independent good decoupled from the productivity and happiness of people that we just don't really have the right perspective needed to critically question the behavior and role of money in our society.
22:39 < gmaxwell> In perhaps the same way that societies with slavery seemed to have a generally difficult time reasoning about the practical and ethical implications of it.
22:40 < andytoshi> what is interesting is that if you look at most any society throughout history, they always come up with some sort of currency, and these currencies are so similar that we recognize them today as money
22:40 < andytoshi> perhaps the same is true of slavery
22:41 < andytoshi> it is more than ordinary can't-think-outside-the-box dissonance because this really does seem baked into human thinking
22:42 < andytoshi> the problem of finding a consistent measure of value is universal, and money solves this extremely well ..
22:42 < andytoshi> and then it is represented by some physical good or token, so it naturally assumes a reality of its on
22:42 < andytoshi> own*
22:43 < andytoshi> bitcoin is fascinating because it is not physical and acts in highly non-physical ways, but it still solves the problem that money does
22:44 < gmaxwell> Yea, I don't mean to suggest that we shouldn't have money. Money enables a lot of awesome stuff, but it has a bunch of odd behavior too.
22:45 < gmaxwell> E.g. with durable money you can do things like do one really useful thing, and then never do anything useful again and have society provide for you... in a way which is highly non-linear, e.g. doing N x 1/N useful things is in no way assured to do anywhere near as well for you esp if the GDP is growing.
22:46 < gmaxwell> simply because you can get a bunch of money, and then loan it out to get exponentially more.
22:47 < andytoshi> otoh, when you invest it or lend it out, even though society is supporting you, the wealth they are throwing at you does not act like your wealth
22:48 < andytoshi> so even though you are (unfairly) becoming very wealthy, there is a larger efficiency gain for society
22:48 < andytoshi> in principle, anyway
22:48 < gmaxwell> which is an effect which is _entirely_ decoupled from the whole idea of wanting to be able to do "barter at arms length"... maybe a good effect or a bad effect, but it seems like an inherent effect in money as our societies have envisioned it.
22:48 < andytoshi> this is true, these things are very hard to decouple mentally
22:49 < andytoshi> that, i think, is ordinary human dissonance
22:50 < gmaxwell> yea, I'm not good at it myself, and personally ... perhaps I'm not a great person to question this system because I've benefited from it tremendously, at least if I measure my wellbeing relative to most of the world.
22:51 < andytoshi> mm, myself as well
22:52 < andytoshi> and tbh i think very little about the function of money, despite thinking about bitcoin a lot ... my economic curiosity mostly lies in what happens when machines are able to exchange value
22:52 < andytoshi> suppose we actually had a market with rational actors -- and these actors never needed to sleep or relax
22:53 < andytoshi> the -wizards discussions are fascinating, because maybe they could even be 100% evilly selfish, and even so they could trust each other
22:53 < gmaxwell> yea, well, most of my thinking only really extends to the realization that it's actually more complicated then we take for granted.
22:55 < andytoshi> i think humans avoid a ton of the complexity by relying on biological impulses to trust each other
22:55 < andytoshi> and on the police :)
22:55 < gmaxwell> andytoshi: well, yea, but also somewhat scary too if you go too wizards-wank about it.  Imagine now that you have uploaded minds in computers... then everything you're thinking about also applies to "people" too, at least in theory. Which sounds neat, but then you wonder about the social implications of things like ZK-SNARKS meaning that it could actually be physically impossible to tell a convincing lie, no matter how good the ...
22:55 < gmaxwell> ... justification.
22:57 < andytoshi> wow, i have not considered that ... i need to write some scifi about this, try to explore the social implications
22:58 < andytoshi> (not good scifi, or even anything i'd publish .. just something to organize my own thoughts)
23:00  * andytoshi grabs another beer
23:02 < gmaxwell> the nearest I've seen to touching any of these matters is in the latter half of "Rapture of the Nerds" (Doctorow, Stross both of whom I think are crappy writers, but I enjoy their books) there is a part where the people enter into a bar which is I/O isolated from the rest of the universe, the reason for this is because the bar implements a contracts system where violating the rules is impossible (if you violate the rules the bar ...
23:02 < gmaxwell> ... rewinds state to undo the violation)
23:03 < gmaxwell> most of this stuff hasn't been touched in scifi because the authors just really have no clue it's possible. PCP theorem is still pretty recent and the implications really haven't percolated all that far.
23:05 < andytoshi> i just encountered its philosophy today in 'quantum computing since democritus', i don't have a clear idea of it yet
--- Log closed Mon Dec 30 00:00:39 2013
--- Log opened Mon Dec 30 00:00:39 2013
00:59  * andytoshi-logbot is logging
00:59 < andytoshi> <.<
01:04 < pigeons> there is a book called The Anarchistic Colossus by A E van Vogt where immediate punishment from "Kirlian computers" enables an anarchistic society, perhaps "weak" and ripe for alien invasion...
01:28 < gmaxwell> heh xkcd  "Extremely Strong Goldbach conjecture"
01:31 < BlueMatt> gmaxwell: lol
01:45  * midnightmagic CHEERS for comment about Stross + Doctorow being crappy writers!!
01:45 < midnightmagic> i couldn't even finish the atrocity archives.
01:49 < gmaxwell> they really are, also rudy rucker is a crappy writer too.. but again some neat ideas.
01:51 < midnightmagic> Snow Crash couldn't been a short story. He has these brilliant oases of ideas and diction in the middle of whole empty deserts of shitty prose
01:52 < midnightmagic> *could've
01:56 < midnightmagic> .. which pretty much defines most modern scifi these days.  Oh Stephenson, how your cryptonomicon disappointed.
01:57 < gmaxwell> I'm mostly fine with Neal Stephenson's writing. He's long winded, and well, perhaps I'm not the person you should look to for criticism of that.
01:57 < gmaxwell> it does annoy me that I can't ever recommend his books to most people because they're simply too long.
01:57 < gmaxwell> If you can't read a long (say 80kword) novel in a single sitting then you basically can't enjoy his books.
02:08 < midnightmagic> I read Tommyknockers in basically one sitting.
02:19 < midnightmagic> I gots staying power. Blindsight in one sitting. 50+ chapters of HPMoR in one sitting. Greg Bear's blood music in one. Herbert's Hellstrom's Hive and Dune, Chalker's old Wellworld novels, Four Lords of the Diamond, Stross' Friday ripoff (Saturn's Children I think? I'm trying to forget,) and entire collections of Lovecraft even though it was written at the turn of the century and is clunky.
02:21 < andytoshi> nice -- i've had neuromancer and cryptonomicon sitting on my HD for several years now
02:21 < midnightmagic> Neuromancer was an easy couple hours. Heck I can read comp sci textbooks in one go (makes studying them later easier)
02:22 < andytoshi> i can read textbooks for hours on end, with fun books i always feel like i ought to be doing something useful if i'm gonna stare at text for several hours
02:22 < andytoshi> ...and yet, i have no problem with IRC...
02:22 < midnightmagic> But Snow Crash. Damn. Half that stuff didn't even belong in there. Or Gaiman's American Gods. What the hell man. Thunderbird's super-powerful but the christian deities don't make an appearance?
02:22 < midnightmagic> bah
02:24 < midnightmagic> Nooooo they're making a series out of it
02:33 < nsh> American Gods was pretty consistently good reading for me
03:35 < maaku> andytoshi, money has not taken consistent form over time
03:35 < maaku> that is to say what we call 'money' has been changing in nature time after time throughout human history
03:35 < maaku> with measurable effects
03:38 < gmaxwell> (there was a reason that I qualified my statements with 'durable money', though perhaps that's not the best definition for the effects I was talking about)
03:39 < maaku> yeah you know my bias on that, but even so it's not like historical money can be put in just two categories
03:40 < maaku> it's weird and bizarre how many fundamentally different systems we used for the same function, and retroactively we tend to think what we use now has always been the case
03:43 < gmaxwell> not just always been the case, but is the only kind that can exist.
03:43 < maaku> yeah
03:43 < gmaxwell> which is also somewhat amusing because we currently do use other kinds of money too, we just don't recognize it as such.
18:17 < TD> probably. TPM runs on the LPC bus, traditionally.
18:18 < TD> though you may already have a TPM without knowing?
18:18 < Luke-Jr> I guess I should look at the header..
18:18 < TD> did you actually check?
18:18 < Luke-Jr> yes
18:18 < Luke-Jr> it was on my "list of things I lose in this upgrade"
18:18 < TD> i mean, there might be one integrated into some other chip
18:18 < TD> did you check if the kernel can see one?
18:18 < Luke-Jr> ASRock Z87 Extreme4
18:19 < Luke-Jr> not sure what I'd be looking for there
18:22 < TD> i think on some systems there is a /proc/tpm
18:22 < TD> but i dunno if that's always true
18:22 < TD> it might require a modprobe tpm first
18:22 < TD> not that it really matters if you have a hard disk
18:23 < TD> it's only an issue for people with log-structured file systems or SSDs
18:25 < maaku> TD: so long as it remains computable on consumer hardware, no such thing as overkill
18:25 < Luke-Jr> maaku: but you'll slow down my compiles!
18:25 < Luke-Jr> <.<
18:26 < Luke-Jr> TCSD TDDL ERROR: Could not find a device to open!
18:26 < Luke-Jr> guess I have none
18:29 < Luke-Jr> Newegg has no TPM stuff it seems
18:34 < gmaxwell> ebay.
18:39 < Emcy> pond reads similar to bitmessage
18:42 < maaku> Emcy: similar, but better imho
18:43 < Emcy> that means it's less likely to catch on
18:44 < maaku> Emcy: ? I don't think bitmessage has any significant mindshare to speak of
18:44 < TD> it's not very similar
18:44 < maaku> if anything Pond is probably more well known (outside of bitcoin community)
18:45 < Emcy> just a joke. the good stuff gets passed up for the first thing that sort of works all the time
18:46 < Emcy> decent overview
18:46 < Emcy> "weaponised" is a fair way to put it
19:09 < adam3us> jgarzik said on the zc thread "would rather see automatic mixing and privacy built into every client." you know actually that would be quite a reasonable fungibility fix in the face of coin validation fungibility risks - if it's generally default and non-opt-in feature. then the default reaction of biz will be to reject coin validation or they lose sales
19:11 < Emcy> if it's not ubiquitous then using such measures automatically makes you the target you never wanted to be
19:11 < Emcy> so better that it is
19:17 < warren> I might have set a trap in the Litecoin code months ago that breaks in an obscure way if used with feathercoin's parameters...
19:18 < warren> but they are having trouble getting the ordinary functionality to work
19:18 < Emcy> heh
19:18 < Emcy> what does feathercoin do anyway
19:19 < warren> Emcy: copy > rename > add new logo > pump with lots of videos
19:19 < Emcy> also why dont you play with scrypt until gpu mining is actually infeasible, as claimed at the beginning
19:20 < sipa> i don't think many litecoin users still value that idea
19:20 < warren> or rather, it isn't broken with feathercoin's parameters, just becomes exploitable
19:20 < warren> I might have done this.
19:22 < Emcy> that was litecoin's whole conceit though
19:22 < Emcy> to run on all those shitty semprons in bitcoin mining rigs
19:22 < warren> Emcy: Litecoin - sponsored by AMD
19:23 < Emcy> a-are you joking
19:24 < warren> maybe
19:24 < sipa> after AMD bought ATI, suddenly litecoin became viable on GPUs
19:24 < sipa> it all makes sense!
19:26 < Emcy> shiiiiiiiiiit
19:26 < Emcy> wonder how it goes on those APUs
19:26 < warren> not too well.  relies on memory bandwidth
19:27 < Emcy> so with ddr3 2500 or whatever then
19:27 < warren> might be decent on a PS4, if it were hackable
19:27 < Emcy> that's still well below gddr i suppose
19:32 < Emcy> i wonder what hardware security the new consoles will have
19:32 < Emcy> might make decent miner as you say if someone can break it
19:33 < Emcy> or a nice little PC
19:36 < warren> I was joking earlier, and a lot of this isn't wizards material.
21:52 < Luke-Jr> [00:24:48] <sipa> after AMD bought ATI, suddenly litecoin became viable on GPUs <-- hahahahaa
23:41 < warren> anything to edit/add?
--- Log closed Mon Nov 18 00:00:00 2013
--- Log opened Mon Nov 18 00:00:00 2013
--- Day changed Mon Nov 18 2013
00:54 < Luke-Jr> warren: it's not clear that doing just the first item gets some reward
00:55 < Luke-Jr> nor that 2 and/or 3 might be done without 1, in case 1 is impossible
00:55 < Luke-Jr> 3 should probably be split up between writing a fix, and getting it merged
00:55 < Luke-Jr> ie, someone who writes a fix but doesn't have the patience for getting stuff merged should still get something
00:55 < warren> Luke-Jr: devs have power to decide apportionment, so whatever.
00:56 < Luke-Jr> warren: yes, but people might see the list and give up because they don't know how to code
00:56 < Luke-Jr> it should be clear that non-developers can contribute toward 1 for part of the bounty
18:11 < petertodd> so... headers first
18:12 < sipa> i was discussing this with petertodd
18:12 < sipa> and this question came up
18:12 < sipa> what if you know about multiple header chains whose tips are better than what you currently have
18:13 < sipa> perhaps there's this situation: A-B-c, A-B-d-e
18:13 < sipa> eh wait
18:13 < petertodd> no, that's correct
18:13 < sipa> A-B-c and A-d-e-f
18:13 < sipa> and you have A and B, but not c d e f
18:14 < sipa> do you only try to fetch blocks for d e f, or do you also try to fetch c?
18:14 < petertodd> and the same problem *is* present on A-B-c, A-B-d-e
18:15 < sipa> agree, but the case with a reorganization is more revealing probably
18:15 < petertodd> so my scenario was, suppose we have an attacker who is mining blocks, but decided to withhold the actual contents. with headers first you'll find out about the headers, and hence the chain, but I argue you have to try to download all tree tips simultaneously, so that you can advance your fully verified tree so the majority of hashing power can move forward
18:16 < sipa> if the case becomes A-B-c vs A-d-e-f-g-h-i-j-k-l-m
18:16 < sipa> then it's probably easier to see that you should fetch c too, just to keep up with a potentially best chain, while you're fetching the potentially even better one
18:17 < petertodd> right, because d could be invalid, as an example
18:17 < sipa> indeed
18:17 < sipa> though you did already verify PoW, so that is very unlikely
18:17 < petertodd> well... :)
18:18 < petertodd> could be all sorts of crazy economic incentives, for instance if you figured out how to get the other hashing power trying to extend different tips
18:18 < sipa> we shouldn't assume it's valid of course
18:18 < petertodd> main thing is we want an algorithm that's going to get everyone to come to consensus about what fully validated chain tip to continue mining on, regardless of what crazyness is going on with the headers
18:19 < sipa> yup
18:19 < petertodd> like, suppose we had a bug where a block somehow made the networking code crash, leaving a connection in a state of limbo
18:19 < petertodd> plausible with threads for instance
18:20 < petertodd> oh, shit, this makes the blockwithholding strategy even worse you know:
18:21 < petertodd> suppose we have A-B-C-d-e-f-g-h-i, and we have fully verified up to i and are trying to make j
18:21 < petertodd> now, if there's ever any slowdown in block distribution, we could wind up with hashing power split on A-B-C, A-B-C-D, A-B-C-D-E etc.
18:23 < sipa> well the best rational strategy is probably to mine empty blocks on top of the best header chain you know
18:24 < petertodd> yes unfortunately, modulo fees
18:24 < sipa> and never build on blocks when you know there's better header chains
18:24 < sipa> modulo fees indeed
18:24 < petertodd> but that means if someone ever loses a block entirely, we're screwed
18:25 < sipa> ewww
18:25 < petertodd> lovely 'eh?
18:26 < petertodd> also, suppose we have a fork: A-B-c and A-B-d, now bandwidth is split 50:50 downloading c and d, which makes it more likely someone will create block e, which divides the bandwidth again...
18:27 < sipa> well, if block propagation is even comparable in speed to mining speed, there is certainly a problem
18:27 < sipa> headers-first doesn't change that
18:28 < sipa> but the fact that someone could create a header, announce it, and never announce the block... worries me
18:28 < petertodd> not in general no, but in this specific case yes because of how the code would now download blocks simultaneously - that wouldn't happen before
18:28 < petertodd> although, actually, "relay all blocks including orphans" may have this affect
18:28 < petertodd> s/affect/effect/
18:29 < sipa> right, but since you *know* the header structure already, you can make smarter decisions in what to download
18:29 < petertodd> well, but are they actually smarter decisions?
18:29 < sipa> than what?
18:30 < petertodd> than simultaneous - again, thinking about the possibility of attack or network affecting bugs
18:32 < petertodd> for instance, suppose you always tried to download the next block in the longest chain first, and then switch to another block on a timeout, but kept mining in case the next block was invalid - if you found a block, other miners doing the same thing wouldn't build upon it because it wasn't the longest chain
18:34 < petertodd> you could have 90% of the hashing power wasting its time, while 10% is extending a slightly longer chain just by making all your nodes artificially slow down the download of the blocks in your extension
18:47 < warren>  please vote up "Can you fix the LevelDB database corruption bug affecting Bitcoin-Qt on some platforms? 5+ BTC bounty."
18:49 < Emcy> if you guys can find it why do you think anyone else can
18:49 < Emcy> and if they can, why are they not already here
18:49 < theymos> You don't need to be a Bitcoin wizard to find a bug in a database library.
06:47 < jtimon> exactly, you deserve to receive something in exchange for whatever you previously provided to society
06:47 < deantrade> But for as long as you just hold the money, its like you just did all of that work in exchange for nothing, so the rest of society benefited at your expense
06:47 < jtimon> but why society must allow you to think what you want in exchange for as long as you want with no cost?
06:48 < deantrade> There is no guarantee the money will have the same market purchasing power in the future.
06:48 < deantrade> There is no one forcing anyone to accept some amount of money for anything, it's free trade
06:49 < jtimon> yeah, if many savers hoard, it will have an even greater market value in real terms
06:49 < jtimon> I'm assuming monetary monopoly all along
06:49 < jtimon> for example, a gold standard
06:49 < deantrade> Unless a new form of money is created that has better features, then the old money becomes worthless
06:49 < jtimon> there's some force here
06:50 < deantrade> Monetary monopoly: money monopolies do not last either.  They have lasted long time durations, but not forever.
06:50 < jtimon> with a free monetary market deflation is not that harmful because trade and investment can just occur in other currencies
06:51 < jtimon> with a free monetary market, let's say real capital yields drop to 1%
06:51 < deantrade> I agree, people can just chose to invest in whatever they want.  It would just be fraudulent to create a currency where you say it will have one inflation plan, and then later to do some different plan.
06:51 < jtimon> savers don't lend or invest bitcoins anymore
06:52 < jtimon> it doesn't matter, other savers will be happy to lend their frc at 0%interest
06:52 < deantrade> How was the gold standard forced?  Or do you mean in our current situation there is force?
06:52 < jtimon> in our current situation there is force, yes
06:53 < jtimon> and in the gold standard was the same monopoly
06:53 < jtimon> the legal tender was 1 gold mark or whatever
06:53 < deantrade> Savers' only options right now are [US Treasuries, Stocks, or Land], gold, bitcoins, what else?  (In brackets = in a bubble)
06:53 < jtimon> depending on the country
06:54 < jtimon> real capital
06:54 < deantrade> What did that mean though "legal tender"?  At one time it just meant "You can only call it a dollar if it is this many ounces of gold".
06:54 < jtimon> stocks could be counted as real capital, but I agree they're probably still in bubble prices
06:55 < jtimon> the problem is when you can only trade using thalers, whatever the quantity of silver that defines them
06:55 < deantrade> In a free market where banks/money was not a monopoly, "banks" would not be protected from default (their owners would be held liable to pay up), and banks would offer higher interest rates to money market accounts
06:56 < jtimon> interest rates would not be manipulated
06:56 < deantrade> But in the world as it is now, banks just print money and lend out at way lower interest rates than savers would be willing to accept.
06:56 < deantrade> And then banks offer pretty much 0% interest rate to savers.
06:57 < deantrade> So savers are stuck having to invest in US Treasuries, stocks, land (and gold/bitcoins for the smart ones)
06:57 < jtimon> but I think that with enough mutual credit currencies (usually 0% interest) and demurrage currencies like freicoin interests would tend to zero in a free market
06:58 < jtimon> I agree the current situation sucks
06:58 < jtimon> I believe it will end up just as Gesell predicted: hyperinflation
06:58 < deantrade> This is also Austrian Economist's prediction.
06:59 < jtimon> Gesell, studied Böhm-Bawerk, he has more to do with Menger than with Keynes
07:00 < jtimon> in fact, he's closer to Menger than Mises in certain senses, like rejecting the notion of so called "intrinsic value"
07:00 < deantrade> Factories and farms etc... they don't just exist and produce the same amount of products at the same efficiency no matter the owner.
07:00 < jtimon> a dogma very often widespread among "austrians"
07:00 < deantrade> I reject "intrinsic value".
07:01 < deantrade> Value is only relative to one who acts to attain goals.
07:01 < jtimon> but the markets forces the operators of the "inefficient capitals" to change hands
07:02 < jtimon> that's good, unfortunately many goldbugs (and even bitcoiners) don't think like you
07:02 < deantrade> Right... and poor people who prove to be capable of operating them, but don't have the capital to buy them at the moment will look for a loan.
07:02 < jtimon> yes
07:03 < deantrade> And there are many rich people who die, and their children blow the money on drugs etc.
07:03 < jtimon> yes
07:04 < jtimon> there's no need to redistribute wealth from rich to poor, but it's completely necessary to stop redistributing wealth from the poor to the rich
07:04 < deantrade> So productive people live and die.  And when a poor productive person sees that they could vastly improve their life by just loaning some amount of money at some interest rate, then they will take the offer.
07:04 < jtimon> the problem is that some monetary systems impede that interest rate to be zero
07:05 < jtimon> which would represent optimal prosperity: maximum capital accumulation for society
07:06 < jtimon> would be the best position possible for workers (comparatively with capital)
07:07 < jtimon> well, negative interest rates would be "unfair for capital" but they're not natural even with demurrage
07:08 < deantrade> Interest rates should simply be chosen by the market.  Interest rates are chosen by two people who come together with differing resources and contracts to deliver at a later time, and fully mutually voluntary acceptance of the contract.
07:08 < jtimon> interest rates are voluntary and determined by the market with freicoin too
07:09 < jtimon> nobody forces you to dodge the demurrage fee by lending or investing
07:09 < deantrade> I'm not disagreeing with that.  I'm disagreeing with the idea that somehow having a money supply that is decreasing is necessarily bad, particularly when that money is just one competing currency when there are many others to chose from.
07:10 < jtimon> I think it's bad only if it's the only money
07:11 < jtimon> I don't think bitcoin will hurt society with its deflation because it will never be monopoly money
07:11 < jtimon> it just won't be as useful to society as it could be if it had demurrage
07:12 < deantrade> Useful to attain what?
07:12 < jtimon> economic development and prosperity
07:12 < deantrade> Economic development and prosperity of which group of people?
07:14 < jtimon> for everyone that produces and consumes
07:14 < jtimon> the higher the interest rates, the more everyone pays for what he consumes
07:15 < deantrade> Not necessarily.
07:15 < jtimon> the higher the interest rates the lower the percentage of good prices come from worker wages
07:15 < jtimon> name a single consuming good that doesn't include interest in its final selling price
07:17 < jtimon> for some that % is as high as 50%
07:17 < deantrade> When you pay over time with high interest rate, if the money supply is increasing more rapidly than the interest rate, then later when you pay the interest you potentially have to exchange a lower market value than what the money was worth when you agreed to the deal.
07:18 < jtimon> that's why the inflation premium is a component of interest
07:19 < jtimon> sadly inflation indexes are usually manipulated nowadays
07:19 < deantrade> 2% CPI haha
07:20 < deantrade> Fred Monetary Base has been increasing at >30% per year for 5 years now (since 2008 housing financial crisis)
07:20 < jtimon> what I mean is that most people pay far more interests than they receive, even when they haven't borrowed any money
07:20 < wumpus> no matter the economic arguments for it, no one would have bought into bitcoin if it had demurrage; many people were already not taking it seriously for being "virtual", let alone if your holdings magically evaporate over time
07:21 < jtimon> wumpus yes, probably something like bitcoin was destined to be the first crypto
07:21 < wumpus> a future cryptocurrency could do it differently, but bitcoin had to be like this to work
07:21 < jtimon> there was a time when people believed that money couldn't be made of paper, now some people doubt that it can be made of bits
07:21 < wumpus> for example freicoin, had it not included the strange centralized contribution for every mined block
07:22 < jtimon> probably the first p2p currency had to have fully p2p distribution too, no matter how wasteful that is
07:23 < deantrade> Wasteful?
07:23 < jtimon> in terms of real resources, yes
07:23 < jtimon> it's subsidizing security
07:23 < deantrade> How is giving out practically worthless bitcoins (initially worthless) wasteful?
07:24 < wumpus> decentralized systems are by definition less efficient than centralized systems, but compensate for this with added robustness
07:24 < jtimon> no, mining like we're doing now is wasteful
07:24 < jtimon> wumpus, but when the 21 M are issued, fees should provide enough security
07:25 < deantrade> Mining is essential.  Proof of work that you earned the money.  You'd rather the bitcoins were handed out willy nilly like helicopter Ben?
07:25 < wumpus> I have decided for myself that I like the robustness more than the efficiency, but your opinion may vary
07:25 < jtimon> I prefer that they're given to nonprofits you freely decide to donate to like in freicoin, obviously
07:26 < jtimon> by the way, crypto-currencies related projects can be listed too even if they're not legally non-profits
07:27 < deantrade> You say "robustness", as if that doesn't also make it efficient.  Bitcoin is an extremely efficient value storage and value ownership transfer system.
05:53 < HM2> article floating around praising Satoshi's choice of the k1 curve over r1
05:53 < HM2> currently top of HN
05:53 < HM2> I thought the parameters to r1 were selected deterministically
05:54 < HM2> oh well
06:06 < sipa> HM2: with a 20-byte seed
06:06 < sipa> making the whole deterministic part quite suspicious :)
06:11 < HM2> You'd think NIST would have revealed the seed in light of recent events
06:16 < sipa> the seed isn't secret
06:16 < sipa> it is just long
06:16 < sipa> meaning it can have been selected by a brute force search for vulnerable parameters
06:17 < HM2> why couldn't they have gone for the classic value of pi
06:19 < sipa> or the string "5" or something
06:21 < HM2> sipa, how's your secp256k1 project coming along?
06:21 < HM2> has it reached peak performance?
06:41 < sipa> haven't worked on it for a while
06:56 < warren> HM2: crazy litecoin users are using it
06:58 < HM2> good good
07:26 < adam3us> HM2: nist probably dont know the real seed its probably in an HSM at NSA
07:26 < adam3us> HM2: i think its basically confirmed that it was backdoored; werent some of the snowden docs published or seen by schneier and greenwald including the internal project summary bragging of the successful backdooring of nist process
07:31 < HM2> There hasn't actually been any proof that NIST standards have been backdoored.
07:31 < HM2> I think the NSA presentations made a very strong indication that that was the case
07:32 < HM2> even the EC based RNG that is 'backdoored' is only a 'could be' backdoor (which is enough not to use it)
07:32 < HM2> for all we know the private parameters used to seed that could be lost and not in the hands of the NSA
07:33 < HM2> at least as far as I'm aware
07:33 < HM2> it's hard to keep apprised of all the revelations concisely.
07:34 < HM2> the NSA has no reason to brag about their capabilities though, so it's very likely everything is as feared
07:35 < adam3us> HM2: so basically as i understood it from skimming the news over time, the level of confirmation was there were internal nsa docs in the snowden trove, that were read as indicating yes EC DRBG was backdoored
07:36 < HM2> no, not exactly. it gave a year
07:36 < adam3us> HM2: and particularly as the design seemed very contrived, and the backdoor potential was identified by ferguson et al at microsoft and published some years back, thats pretty much the end of it
07:36 < HM2> and the EC RNG was released that year
07:37 < adam3us> HM2: how does that confirm or refute the strong indication that could is actually was (backdoored)?
07:37 < HM2> I'm not sure who the target audience for the slides released was
07:37 < HM2> if your target is politicians you might want to brag
07:37 < HM2> if your target is foreign ally agencies maybe you want to brag
07:38 < HM2> maybe not
07:38 < HM2> they were all very vague, sadly not a single specific cryptocapability has been leaked afaik
07:38 < adam3us> HM2: i think its internal, but there was seeming lots of internal bragging, as it is about vying for recognition and internal project funding and kudos etc
07:39 < HM2> right
07:39 < adam3us> HM2: snowden made some relatively specific statements about crypto capacities that are lacking - ie public key crypto is good, if no impl mistakes and no hw / sw backdoors
07:40 < adam3us> is this channel logged publicly.. i found a petertodd amazon hosted log fragment; is there a full log searchable?
07:40 < HM2> there was mention of a 'major breakthrough' a few years back that hinted at cracking capability
07:41 < HM2> no idea
07:41 < HM2> you should assume it's all logged and kept in my personal blockchain
07:42 < HM2> in order for me to quickly fake something you said 3 months ago, i'd need a computer the size of jupiter ;)
07:45 < adam3us> is warren hand here the warren togami founder of fedora?
07:45 < adam3us> seems potentially apt that he could start bitcoin staging - the fedora to bitcoins rhel/centos
07:46 < adam3us> (tho he seems attached to making litecoin work in that role at present)
07:46 < HM2> I don't know. They're all faceless ninjas to me.
07:48 < adam3us> i read some old wired article that mentioned charles lee, and that warren togami had stepped in as lead dev of litecoin... then it occurred to me, hey that probably was warren who was talking about litecoin dev speed and healthy competition to bitcoin pushing changes into bitcoin indirectly yesterday :)
07:49 < adam3us> it'd be easy enough to fork litecoin and put hashcash-sha256^2 and more work but defined method to put in the 1:1 one way peg allowing bitcoin transfer in place of mining
07:50 < jgarzik_> adam3us, yes, warren == warren togami of Fedora.  He and I both worked at Red Hat on Fedora, too.
08:12 < adam3us> erm so patents - has anyone tried to think about a model for preventing/deterring bitcoin related startups from patenting obvious and core things?
08:14 < adam3us> starting to rear its really ugly head unfortunately and i am pissed; people may not know the history but cryptocurrency ecash was littered with mothballed patents stifling products - i personally know a solid biz ecash guy who was blocked from doing something chaum related due to that patent
08:14 < jgarzik_> adam3us, bitcoin is a laggard in this area
08:15 < adam3us> particularly when digicash went bankrupt the VC type investors sold the patents to a random big co infospace that sat on them until they expired
08:15 < jgarzik_> adam3us, coming from Linux, we were really proactive about registering trademarks and patents for open stuff, then donating those to a foundation, preemptively
08:16 < adam3us> jgarzik_: i was thinking the same, maybe bitcoin foundation can do something like the IBM anti-patent abuse pool
08:17 < adam3us> jgarzik: the patent pool could have teeth in that anyone who tries to assert a patent outside of the pool, is denied use of any patent in the pool; but free for everyone else
08:17 < jgarzik_> adam3us, gathers patents from many sources, licenses them royalty-free, and can be used for patent defense through Mutually Assured Destruction
08:18 < jgarzik_> MAD: company A and company B cross-license each other's patents.  If a violation occurs, the other party revokes the patents they licensed
08:18 < adam3us> jgarzik: good, ibm mad like approach (microsoft was scared of accidentally tripping on IBM mad which is a good sign that its a good approach)
08:18 < jgarzik_> works with patent pools too
08:18 < jgarzik_> IBM is a fscking patent behemoth
08:19 < jgarzik_> surprisingly they are pretty benevolent in the software patent space, compared to many others, even though they don't have to be
08:19 < adam3us> jgarzik: they also have some kind of MAD scheme going that microsoft were more scared of than GNU
08:19 < adam3us> jgarzik: so whether its bitcoin foundation or the open thing you mentioned, or IBM: my point is there are no bitcoin patents in an open pool
08:20 < adam3us> jgarzik: and the various bitcoin startups are probably right now creating a raft of them to be "defensive" which is actually lethal
08:21 < HM2> it's not really lethal
08:21 < adam3us> jgarzik_: as when some of them start to go under the VCs that care more about money than bitcoin will sell them to the highest bidder
08:21 < HM2> mutually ensured destruction generally works quite well
08:21 < adam3us> HM2: viz digicash history and infospace
08:21 < adam3us> HM2: yes but there is no MAD, and bitcoin foundation has no patents
08:22 < jgarzik_> for MAD to work, you have to have patents others want
08:22 < HM2> Isn't the foundation just a benevolent observer/advisor?
08:22 < adam3us> jgarzik_: i think its past time the foundation or someone suggest strongly to all the bitcoin startups that they form a MAD pool, to preclude their patents falling into the wrong hands if they go out of business
08:22 < HM2> It doesn't even own the trademark does it?
08:23 < jgarzik_> yeah TM is an issue too, though I think MagicalTux was working on getting the TM for community benefit
08:23 < adam3us> jgarzik_: bitcoinFOO startup may have a patent for "defensive" reasons, but when it goes under and is sold to a patent troll, it becomes offensive ... good intentions of bitcoinFOO no longer count
08:23 < jgarzik_> adam3us, agreed
08:23 < HM2> the Linux Foundation springs to mind
08:24 < adam3us> jgarzik_: or imagine worse things; US government seizes patents from the foundation as part of a court judgement, and asserts patent to make bitcoin-qt infringing
08:25 < jgarzik_> adam3us, so unlikely it's not worth worrying about
08:25 < adam3us> jgarzik_: patents should be abolished, but until then a bitcoin MAD pool should be created and probably should be held by an international, multi-jurisdictional entity
08:27 < adam3us> jgarzik_: debatable, weak point on my part; main point bitcoin community probably defensively needs a MAD pool in the hands of someone trustworthy and aligned with the community; i cant say more probably but i expect anyone with involvement with a commercial bitcoin entity has seen moves to patent something "defensively"
08:27 < jgarzik_> adam3us, agreed
08:27 < jgarzik_> adam3us, agreed (RE abolished + MAD pool)
08:28 < HM2> I'd worry more about the trademark
08:28 < adam3us> jgarzik_: so me = crypto guy, who could chase that down in foundation terms and make it happen?
08:28 < jgarzik_> adam3us, patrick murck, maybe
08:28 < HM2> someone could just buy up the TM and just stick the name on whatever centralised currency they wish
08:29 < jgarzik_> adam3us, tell him I pointed you to as an example
08:29 < jgarzik_> HM2, well like patent's concept of prior art, there is a way to show TM land grabs by third parties
08:29 < adam3us> jgarzik_: maybe a topic for this xgbtc list - didnt accept the list invite yet
08:29 < HM2> sure
08:29 < jgarzik_> adam3us, never heard of xgbtc
12:51 < jtimon> what fees?
12:51 < jtimon> bitcoin fees?
12:51 < petertodd> remember, ripple is all about optimizing who owes who, but why do you care exactly?
12:51 < jtimon> that's what money is all about
12:52 < jtimon> "bitcoin is about who has what, but why do you care?" I don't understand your point
12:52 < petertodd> what money is about doesn't matter for the end-user, they just want to solve a business problem
12:52 < adam3us> petertodd: freimarket includes real-ripple as a sub-component so freicoins that are IOU based can interop with freicoins that are mined (minus demurrage)
12:53 < jtimon> seriously I don't get your point about not caring
12:53 < jtimon> how would you not care about who owes you and who you owe?
12:53 < adam3us> petertodd: i think its a logical and self-consistent system, remains to be seen on adoption. some of adoption is first to market, network effects etc.
12:54 < jtimon> petertodd: you don't see any value in a ripple network or in credit in general?
12:54 < petertodd> jtimon: because my *business* problem is "I want to make money, and I can make money if I sell icecream, and if my icecream distributor loans me some stock, I'll pay him back and we'll both make money."
12:54 < adam3us> jtimon: i think petertodd is still on competition & adoption, his q. why would someone prefer freimarket IOU freicoin over btc
12:54 < petertodd> jtimon: The "meaning" of money means absolutely nothing to either party in that transaction.
12:55 < jtimon> petertodd: people don't want money, people want the stuff they buy with it
12:55 < adam3us> jtimon: its also a value store i guess.
12:55 < jtimon> it's not about preferring, you have your wares that by definition you don't want and want to sell
12:55 < petertodd> jtimon: and that's the thing, "I'm an icecream mfg, I need milk, now if you farmers give me some milk, I'll give you some money once I sell my icecream" - that's another business relationship
12:56 < jtimon> exactly
12:56 < jtimon> that can be done with "money" or credit
12:56 < petertodd> jtimon: ripple says "hey! this forms a cool graph when we add the customers into a big decentralized distributed database!" and can make those credit relationships magically collapse when the customer buys the icecream or something
12:57 < jtimon> the important stuff is the icecream and the milk, the rest are just numbers to make that happen
12:57 < petertodd> jtimon: meanwhile the business say "Who cares? Doing it the old way is plenty efficient and the new way requires a bunch of software and buy-in from a zillion parties."
12:57 < jtimon> that's the ideal situation in ripple, try to come back to the b2b stage
12:57 < jtimon> you sell icecream in summer
12:58 < jtimon> I go to you and say "do you accept ourtown's local currency for the ice cream"
12:58 < jtimon> you say "no, I prefer bitcoin"
12:58 < jtimon> "ok, I don't have bitcoin, keep your icecream"
12:59 < jtimon> if you want milk and you can buy it with both local credit currency and bitcoin, why reject any of the two?
12:59 < petertodd> and that's the problem, any real business will say "Why the hell do I care about these local currencies? Let someone else figure out how to convert FooDollars to and from Bitcoin so we can focus on making icecream, our core competency."
13:00 < jtimon> hehe, you remind me of people talking about real businesses and bitcoin a while back...
13:00 < petertodd> You might not be aware of this, but one of the reasons Net 30 day works is because there exist third party credit rating agencies that specialize in figuring out whether or not your counterparty will pay you back.
13:01 < jtimon> the magic of ripple is that you will only ever receive the currencies you accept
13:01 < petertodd> ...and when those agencies aren't good enough, the reason why Net 30 day works is because often suppliers have special insights into their customer's businesses, and thus credit worthiness, that is otherwise really hard to get.
13:01 < jtimon> and the payer doesn't need to bother about conversions either: the system does them
13:01 < jtimon> yes, I'm aware
13:01 < petertodd> jtimon: That's not magic at all.
13:01 < jtimon> no, it's not magic
13:01 < jtimon> it's tech
13:02 < petertodd> jtimon: That's the magic of "I price my icecream in dollars."
13:02 < adam3us> petertodd: well i guess bitcoin doesnt do it
13:02 < petertodd> jtimon: You don't need ripple for that
13:02 < adam3us> petertodd:  bitpay et al let you though, ok
13:02 < jtimon> you can say "I price my icecream in gbp, I accept btc, bristol pounds or gbp"
13:03 < petertodd> adam3us: Exactly! bitpay, and the exchanges they work with, managed to outsource all that highly specialized work related to figuring out how to convert bitcoins to dollars
13:03 < jtimon> I go there with frc and sevillan pumas
13:03 < adam3us> petertodd: probably where a difference comes in is its hard to take out btc denominated loans because its volatile and trending up in price.
13:03 < jtimon> I push "pay 1 gbp to this merchant" the system says "want to pay X frc or Y pumas?
13:04 < jtimon> what's the inconvenience?
13:04 < jtimon> petertodd: a ripple network can do what bitpay does!!
13:04 < petertodd> jtimon: the inconvenience is that you needed this big ripple thing with a zillion credit relationships for it to work, when the alternative is to let some specialist handle it for you
13:05 < jtimon> no, I said the merchant just accepted 3 currencies, that's 3 credit relationships
13:05 < petertodd> jtimon: See, if tx fees to and from sevillan pumas are low, then your customer, or you, can just as easily use that specialist to convert it for you.
13:06 < petertodd> jtimon: That's a *low overhead* solution to the problem that doesn't require much adoption to work. Ripple is the exact opposite.
13:06 < jtimon> but the point of the system is unite the infrastructure of the different currencies NOT TO NEED the specialist
13:06 < jtimon> whatever, I don't think I can convince you
13:06 < petertodd> jtimon: Modern economics has realized over and over again that specialists are excellent solutions to most problems.
13:07 < jtimon> so please, answer my previous question "you don't see much value in a ripple network or in credit in general?"
13:07 < petertodd> I see lots of value in credit, because people use credit all the time. Ripple, not much value at all.
13:07 < jtimon> petertodd, argument of authority fallacy, your authority: "modern economics"
13:08 < jtimon> Ripple = credit
13:08 < petertodd> jtimon: No, ripple is a way to manage credit. There are other ways to manage credit.
13:08 < jtimon> it's just the same thing with a more convenient infrastructure
13:08 < petertodd> jtimon: You think it's more convenient, I don't for a whole host of reasons.
13:09 < jtimon> what's the difference between an international payment and a ripple transaction?
13:09 < jtimon> transitive credit, it's the same thing
13:09 < petertodd> And the biggest problem with Ripple is the value of it is network effect dependent, so if only a small network of people use it it has very little value. That's an enormous bootstrapping problem on top of all the other problems of it.
13:09 < jtimon> you know, banks took all that overhead of trusting each other
13:09 < adam3us> jtimon: if you really lend people money in small amounts, often you dont get it back.  thats my experience.  and lending money to friends & family generally is not a good idea.  when something goes wrong it leads to problems.
13:10 < petertodd> jtimon: yes, and banks are specialists at that task. Ripple is asking everyone to get in the business of doing that, which goes against the tendency in modern economies to specialise.
13:11 < petertodd> adam3us: yup, it's worth noting that Net 30 day credit relationships are declining as businesses become more complex and transactions more convenient.
13:11 < jtimon> I'm saying it won't start with personal credit, but with b2b, local currencies, p2p markets gateways...
13:11 < adam3us> petertodd: i think the notional advantage of is that they can cancel out some debts and so reduce the fees
13:11 < jtimon> the small participants can join later
13:11 < petertodd> adam3us: yup, which means it's in competition with every solution that reduces fees... and there are a huge number of ways to do that
13:12 < jtimon> just to be clear, I'm talking about ripple the concept not
13:12 < petertodd> jtimon: doesn't work that way, often those small participants are what make the ripple network loops happen that let credit relationships get canceled out - the core thing that ripple does
13:12 < adam3us> petertodd: actually is very poorly explained online.  i am not sure if it also has issued values other than iou values mixing on its network.
13:12 < petertodd> adam3us: is an abomination and we shall not refer to it again
13:12 < jtimon> the way you trust in is very risky for users
13:12 < adam3us> jtimon: yes.  thats why i put when i wanted to refer to them
13:12 < jtimon> because it assumes 1 aaaUSD = 1 bbbUSD
13:13 < adam3us> petertodd: hehe the R-word.
13:13 < jtimon> that's not necessarily true in 2PC ripple or freimarkets
13:14 < maaku> jtimon: replacements can be used for microchannel payments (e.g. utility bill)
13:14 < petertodd> See, fidelity bonded banks are an excellent example of something where ripple can work very well, and one of the reasons that works is because the whole point is to keep tx fees low, 1 aaaBTC == 1 bbbBTC, and all the logic about the trust relationships can be handled in software (talking about the ideal fidelity bonded bank stuff here)
13:15 < petertodd> But that's a crazy-specialized example, and the whole concept of fidelity bonded banking is just as likely to get pushed out by other ways of getting low tx fees.
13:15 < jtimon> aaaBTC/bbbBTC should be just a market like any other
18:57 < jtimon> antonopolous was that guy that got himself filmed having dinner, drinking wine and talking about bitcoin in a restaurant?
18:57 < jron> jtimon: yes
18:57 < jtimon> I didn't watch the whole video but that was kind of odd
19:01 < jtimon> does this make any sense?
19:01 < jtimon> isn't getblocktemplate the same thing as GBT ?
19:02 < sipa> yes
19:03 < sipa> i assume it's a typo, but i've no idea for what
19:25 < andytoshi> ;;later tell nsh i did the talk, didn't get to any wizards stuff, it was very boring, sorry
19:25 < gribble> The operation succeeded.
23:10 < tt_away> It's late and I'm tired and going through ProtoShares source code; does PTS only use SHA512 as a hash function?  It mentions sCrypt in the white paper, but I'm not seeing it.
23:10 < tt_away> Also these indentations ahhhhhHHHH
--- Log closed Sat Feb 01 00:00:14 2014
21:10 < warren>  (with a limit that is not quite this small)
21:10 < jgarzik> network attacks against bitcoin have best ROI today </standard refrain>
21:10 < nanotube> <gmaxwell> Today you can fill up all connection slots on the bitcoin network with 1 IP. <- i thought current code prevented multiple connection from same subnet ?
21:11 < gmaxwell> nanotube: no, we won't make outbound connections to the same netgroup (/16 for ipv4) but inbound is unrestricted. And it should be since otherwise it would be somewhat hard to connect from some universities and countries.
21:12 < nanotube> hmm
21:12 < gmaxwell> (instead, when we fill up instead of turning away new connections we should see if there is a less attractive old one to punt, e.g. punt the duplicate IPs preferentially)
21:12 < gmaxwell> But we don't right now.
21:12 < nanotube> huh, so we don't even block the same ip from connecting twice?
21:12 < warren> nope
21:12 < jgarzik> code it up and PR it ;p
21:12 < nanotube> at the very least, /that/ seems like a low-cost thing.
21:13 < gmaxwell> nope And if we did, as I said, that would cause some problems.
21:13 < nanotube> no country/university has only one ip :)
21:13 < warren> nanotube: and that isn't a good defense if you think about ipv6
21:13 < gmaxwell> nanotube: actually several countries connect entirely from a single IP.
21:13  * nanotube avoids thinking about ipv6 >_>
21:13 < gmaxwell> E.g. Qatar IIRC.
21:13 < nanotube> but heh the private bloom filters bit is pretty cool.
21:13 < nanotube> heh really? wow.
21:14 < nanotube> so Qatar just has one giant country-wide NAT ?
21:14 < gmaxwell> yea.
21:14 < nanotube> lol >_<
21:14 < gmaxwell> Things you learn being a Wikipedia admin. "oops you just blocked Qatar. Again" "Oops you just blocked university of foo. Again."
21:14 < nanotube> well, all of qatar probably has 2 bitcoin users. they'll manage.
21:14 < nanotube> hehe
21:15 < gmaxwell> I accidentally the whole Qatar.
21:15 < nanotube> is it deliberate, or were they just not allocated any ips?
21:15 < gmaxwell> In any case, it would be pretty easy to make the node-full behavior turn into kick out some old peer based on some priority thing. I would have done it already but there really is no end to the amount of thinking you can do behind the prioritization scheme.
21:15 < gmaxwell> speaking of that.. I should probably just PR my dont-use-get-my-ip patch, since it seems no one is going to review the idea without a PR...
21:16 < gmaxwell> :P
21:16 < gmaxwell> but first, dinner.
21:16 < gmaxwell> nanotube: I assume it's more or less deliberate.
21:17 < warren> is there one state owned ISP?
21:17 < nanotube> probably
21:18 < gmaxwell> I would assume, I never looked into it. Thats the case in a lot of those places.
21:19 < gmaxwell> not exactly the most important use case, but I'd rather not make the system gratuitously hostile. there are a bunch of reasons why you generally want to allow multiple connects from the same IP. E.g. my local nodes addnode each other.. and if we were limited to 1 they'd get rejected... even from nodes that don't listen on the public internet.
21:20 < warren> local nodes would have RFC1918 addresses?
21:20 < gmaxwell> mine don't. Not everyone is behind n-layers of nat, esp on ipv6.
21:21 < warren> especially with ipv6, limiting per IP probably isn't going to work
21:22 < gmaxwell> In any case, go look in the logs here I described my thinking on this, I think there should be a set of prioritization which protects some nodes from being dropped and then randomly drops based on a score for the rest, the score could include things like being in the same ipv6 /48 as other peers.
21:22 < gmaxwell> (or even the same /32)
21:28 < warren> hm, "BitcoinJ always bootstraps from DNS seeds."
21:30 < jgarzik> indeed
21:31 < jgarzik> bitcoinj-based Bitcoin Wallet does not rotate keys for each transaction
21:31 < jgarzik> bitcoinj-based Bitcoin Wallet does not support P2Sh
21:35 < warren> multibit also appears to not tell you how many peers you have
21:35 < warren> seems rather insecure for the default client on bitcoin.org
21:40 < gmaxwell> warren: I think multibit only connects to 4 too, but I also thought that about android wallet and sipa demonstrated otherwise.
21:41 < gmaxwell> IIRC bitcoinj also only queries a single dns seed at random. e.g. instead of doing something like taking one peer from each round robin. (though not like its hard for a network attacker to intercept DNS)
21:42 < gmaxwell> I dunno if you saw the last round of snowden papers but it looks like the NSA has a DNS race interception infrastructure.. e.g. use passive taps to see dns queries and then respond faster.
21:42 < warren> wouldn't you see two responses if you were the victim of that?
21:42 < gmaxwell> sure, but you take the first one.
21:42 < warren> and nobody is watching for the second
21:43 < gmaxwell> (I have a friend that runs a really big DNS GSLB infrastructure that works that way too: you query for their domain, they forward the query to all their clusters, and then when the NTP clock strikes the next 100ms interval they all respond at the same time)
21:43 < jgarzik> interesting
21:44 < jgarzik> I know ISC does a lot of anycast
21:44 < jgarzik> anycast works much better for UDP than TCP ;p
21:44 < gmaxwell> hehe indeed.
21:45 < jgarzik> For at least a decade, F root was the most distributed DNS setup by 10x, IIRC
21:46 < jgarzik> At least one other root went distributed years ago, hopefully the others have followed by now
21:46 < jgarzik> Google's new database consensus/sync stuff relies on accurate clocks
21:47 < jgarzik> as 'time' is fundamentally distributed and (in theory) always synchronized
21:47 < jgarzik> relying on that then becomes an expensive hardware problem of "getting the right time, always"
--- Log closed Sun Oct 13 00:00:05 2013
--- Log opened Sun Oct 13 00:00:05 2013
01:27 < warren> who is the primary person behind pull tester?
02:25 < sipa> warren: bluematt
07:13 < gmaxwell> petertodd: I just thought up another storage hard function. This one is super simple.
07:14 < gmaxwell> Say you have a tree structured pseudorandom function:   e.g. H(seed) = {Left half, Right half}  ... H(Left half) = {Left half, Right half}  and so on so a single seed can expand to a ginormous tree.
07:14 < gmaxwell> Server gives the client a random seed and the tree size.  The client goes and computes the leafs of the tree and stores the results.
07:15 < gmaxwell> Then the server can challenge the client:  The server randomly picks a leaf, evaluates it itself.. and says to the client "tell me what the index is for the leaf with value X"
07:16 < gmaxwell> the only efficient way for the client to answer would be to have computed a hashtable over the results... otherwise it has to recompute the whole tree.
07:35 < gmaxwell> yippie.
07:43 < gmaxwell> unrelayed:  claims fully homomorphic encryption with much better performance and only linear plaintext expansion. (factor of 16)
13:19 < amiller> i sort of have a wrench in the works as far as consensus theory goes
13:19 < amiller> i normally say something like 'every valid transaction is eventually included'
13:19 < amiller> but 'valid' is a moving target and can change, for example in a double spend when one transaction invalidates another
13:20 < amiller> suppose there were an opcode that let you refer to the current blocks' transaction height
13:20 < amiller> and you could make a transaction that was only valid every 1000th block
13:20 < amiller> would that transaction be guaranteed to get committed eventually?
13:21 < amiller> this is basically about whether a sub-50% attacker can consistently snipe a particular block as long as it's not too often
13:21 < sipa> well the script system is designed such that a transaction that is once valid, is never invalidated (except for double spending)
13:21 < amiller> well with multisigs the doublespend might not be in your control
13:21 < sipa> it is never in your control
13:21 < amiller> also this is specifically about a hypothetical new opcode
13:22 < amiller> it's in your control if you kept your private key private and don't do it
13:22 < sipa> one of your predecessors may double-spend
13:22 < amiller> good point
13:22 < amiller> hm
13:22 < sipa> it's why software doesn't allow you to spend without confirmations
13:23 < sipa> because it's not enough to trust coins you receive; you must also trust that they're unlikely to be reverted by the senders of the senders
13:24 < amiller> there's other related things like sd_lerner's suggestion to have 'invalid after <date>' opposite of locktime
13:26 < sipa> it does mean a receiver needs to track recent (all?) history of its inputs, to judge how likely they are to become permanently unspendable
13:27 < sipa> as a reorg of a transaction right at the border is very risky
13:27 < amiller> if it's safe to wait 6 blocks anyway, then that's enough
13:28 < amiller> like if you wait long enough that the last guy can't revert it, then no one before can either
13:28 < sipa> true
13:28 < amiller> but still my question is about the other direction
13:29 < amiller> how quickly can you get a tx in a block
13:29 < sipa> i wouldn't say it's always guaranteed that you can
13:29 < sipa> it depends on economic factors
13:29 < amiller> if someone wants to prevent you from getting a tx in even 1/1000 blocks, can they?
13:30 < sipa> assuming miners are greedy/rational and choose transactions with the highest fee/byte ratio
13:31 < sipa> all that's needed is someone constantly creating transactions with higher fee than yours
15:29 < HM3> or they could take your family hostage and threaten to beat them if you make said transaction.
16:39 < nanotube> or put a bounty of 80kUSD on the head of any miner who mines it into a block. >_>
09:31 < azariah4> adam3us1: hmm, did you see the op (59) EXTRO in the current version of the paper?
09:32 < adam3us1> azariah4: ethereum paper? no.  i did describe the extrospection viral goo risk to vitalik tho :)
09:33 < azariah4> ah yes, now I reached your post in the thread talking about it :)
09:33 < adam3us1> azariah4: maaku_ was discussing it for freimarket too and he figured he could somewhat contain it by disabling extrospect on basic coins (non contract)
09:35 < azariah4> well, even if one could prove the language itself has no extrospection, the fact that it has a form of persistent storage could be an issue in practice
09:36 < azariah4> e.g. one specific impl of an ethereum node has an overflow/bounds bug in its impl, enabling a script to read outside its defined persistent storage
09:36 < adam3us1> azariah4: it seems interesting to me however to look at contracts you can build by composing dependent and hash-locked non-extrospection bitcoin scripts or other composing methods. while it seems at first laborious to not be able to express these in a single contract, so long as its functionally equivalent and all the interesting useful things can be built, without adding extrospection i think that can be enough, and suspect it might be a des
09:37 < adam3us1> azariah4: yes.  i think they have sparse storage tho.  maybe the address space was like 2^128 or something vast if i recall
09:39 < azariah4> yepp [0 ... 2^256-1] for both temp and persistent storage
09:40 < azariah4> hopefully they can post some updates about these risks before their fundraiser starts in a week
10:11 < Ursium> azariah4: i'm not sure there's anyone from the core dev team on this channel (i could be wrong) - is that something you could raise on
10:14 < azariah4> I could, but I need to read more about it first to properly understand it :>
10:57 < adam3us1> azariah4: didnt they already write about security risk somewhere?  vitalik wrote an article on bitcoinmagazine recently also (didnt read it all yet)
13:26 < maaku_> azariah4: the scripting language would have to be perfectly sandboxed, yes
13:27 < maaku_> but we are talking about a language that could be as small as a dozen or so opcodes, 2-3 types, and an implementation measured in the hundreds of lines of C++ code
13:28 < maaku_> these can be made safe. it could even be proven safe, if you have the resources to do so
13:29 < maaku_> well, i'm talking about my language here, not etherium's
13:29 < TD> maaku_: there were exploits in bitcoin script even though that's tiny. so ..... this stuff is hard :)
13:30 < maaku_> TD: bitcoin's scripting language is more complex than a minimal turing complete language
13:30 < maaku_> and was not given appropriate care and attention
13:37 < maaku_> what i'm saying is there's nothing magical about writing a scripting interpreter that makes it dangerous in itself
13:38 < maaku_> compared to say, the network stack, which is quite a bit larger and also has to be free of remote exploits
14:23 < gmaxwell> maaku_: sure there is, the script interpreter is protocol normative in a way the net code isn't. It doesn't just have to be free of "remote exploits" it has to be free of consistency failures. So that adds a number of additional constraints and makes fixing it hard.
14:24 < gmaxwell> maaku_: and of course all that "just a couple hundred lines of code" stuff fails if you then need to make it fast and implementers find that they're practically required to employ a JIT compiler for it.
14:27 < TD> the world has a poor track record when it comes to sandboxing malicious code
--- Log closed Mon Jan 27 00:00:02 2014
--- Log opened Mon Jan 27 00:00:02 2014
05:07 < _ingsoc> :/
05:31 < grazs> a what
08:18 < warren>  "There are about 10 Billion devices in the world that are connected to the Internet and BlueCava aims to identify all of them."
08:18 < warren> frightening
08:20 < brisque> wonder what they're using to distinguish devices. surely most embedded linux devices all have the same public fingerprint, there's barely anything to distinguish them.
08:21 < warren> more bitcoin devices than humans in the world
08:22 < nsh> s#bitcoin#tcp/ip#
08:23 < TD> i am skeptical about the 10 billion figure
08:24 < TD> having worked in the field myself i am a lot MORE skeptical about identifying all of them being a remotely realistic goal
08:26 < brisque> their goal seems to be attempting to correlate users between devices. matching one browser fingerprint with another, rather than trying to uniquely identify devices.
08:28 < TD> yes of course
08:28 < TD> it's still rather hard
08:29 < TD> well, assuming you "play the game" normally of course
08:30 < brisque> I doubt any of these companies do. if google is using browser bugs to track Safari devices against their cookie settings, you can be pretty sure these companies are going even dirtier.
08:31 < TD> ah, well you don't know the story of that bug.
08:31 < TD> there is a long explanation of it here:
08:31 < TD> tl;dr that was actually a bug in safari and google got the blame for it. nice, huh
08:32 < TD> by "play the game" i meant, try and do it all in the browser. if i had a really compelling product to sell for credit cards i'd ask the user to download and run a native app
08:33 < TD> you can get a lot more scammers that way, of course
08:34 < brisque> TD: that's interesting, i heard the noise around the time but the followup must not have had quite the journalistic merit.
08:35 < TD> the "story" was revealed by the wall street journal at a time when Murdoch was giving speeches about how Google was destroying the newspaper business and it'd be saved by the iPad
08:36 < TD> and it went downhill from there
08:37 < brisque> that thing seems reasonably standard. it does the usual, user agent, plugin version, installed fonts, all the normal fingerprinting stuff. attempts to put cookies and localstorage cookies everywhere, and that's about the end of it.
08:38 < brisque> comes with a big scary warning about how the source they're presenting is confidential and secret, but that's about the end of it.
08:39 < TD> yeah that's typical
08:39 < TD> of course carders know about all of that
08:39 < brisque> coinbase uses all of those too, interestingly enough.
08:44 < brisque> looks like bluecava tries to use clock skew as a fingerprint too, that's one I hadn't thought of before.
09:16 < aksyn> you can probably fingerprint a browser version based on rendering time of certain DOM elements
09:17 < aksyn> and yeh, shotgun crap into cookies, localstorage, flash cookies etc. to identify users
09:18 < aksyn> market seems busy for a monday night
09:18 < aksyn> on huobi at least
11:57 < tacotime_>
11:57 < tacotime_> whoops
12:00 < grazs> but he looks so honest
12:01 < tacotime_> Popped on those charges for just a mil too, sucks.
12:02 < gmaxwell> Guess the folks who were hoping to get coins back from him, are out of luck.
12:14 < sipa> gmaxwell: get coins back?
12:18 < gmaxwell> sipa: right before bitinstant shut down apparently they bought BTC from a number of parties and never paid. see the link.
12:23 < sipa> ewww
12:26 < pigeons> SHREM is also charged with one count of willful failure to file a suspicious activity report, which carries a maximum sentence of five years in prison.
12:27 < sipa> and the site is gone
12:28 < tacotime_> I'm guessing maybe they dug up the silk road stuff after getting subpoenas/warrants related to fraud.
12:33 < phantomcircuit> tacotime_, yeah or you know they're reading all of the silkroad message system messages
12:33 < phantomcircuit> im thinking that one
12:33 < _ingsoc> Highly unlikely they'd arrest someone high profile without a solid case that'll probably end up in a successful prosecution.
12:34 < krl> having messages in cleartext on a site like that...
12:36 < tacotime_> krl: You really think someone would do that?  Just go on illegal marketplace sites on the internet and use cleartext to communicate? :yaranaika face:
12:36 < home_jg> TorMail data was also seized in its entirety
12:36 < home_jg> as part of the Freedom Hosting takedown
12:36 < krl> people will unless you force them not to
12:37 < home_jg> as _ingsoc implied, arrests at the federal level are not usually made unless they are convinced they have a strong case.
12:38 < home_jg> successful prosecution rate is > 90%.  They also overcharge, hoping to negotiate down to a guilty plea that sticks
12:39 < home_jg> will make the NY hearing _very_ interesting.  It appears that was the intention (just my supposition...)
12:40 < sipa> what hearing?
12:41 < tacotime_>
12:41 < tacotime_> I guess maybe he should have been working with Swiss banks.
12:41 < home_jg> sipa, etc.
12:41 < home_jg> NYDFS is holding hearings, similar to the US senate hearings.
12:42 < home_jg> Lawsky is the "you should have BitLicenses" guy at NY-DFS
12:42 < sipa> New York... depth first search?
12:42 < home_jg> Dept Financial Services
12:42 < home_jg> NY regulator of money transmitters
12:42 < sipa> got it
12:43 < home_jg> I think these hearings will be much more harsh than the US Senate hearings
12:55 < gmaxwell> home_jg: well the 90% conviction rate is in part because damn near everyone pleads guilty because it's so stacked against you.
13:10 < michagogo|cloud> Um
13:10 < michagogo|cloud> Did bitinstant market to SR users or something?
13:11 < pigeons> not like the charge would imply
13:49 < TD> michagogo|cloud: read the criminal complaint
13:49 < TD> michagogo|cloud: the dude is almost certainly going to spend a long time behind bars
19:42 < jtimon> but with prefixes, can't you just ask for more info than you need?
19:42 < petertodd> jtimon: that's the whole point of prefixes!
19:43 < jtimon> I know, more bandwidth
19:43 < petertodd> jtimon: gah, have you read that paper of mine?
19:43 < jtimon> my point is I don't see the bad side, with prefixes you can have the best privacy of them all at the cost of bandwidth
19:44 < petertodd> jtimon: ah, well, that's why I'm pushing the idea :) sounds like we're in agreement
19:44 < jtimon> sorry, no
19:44 < petertodd> jtimon: you should, because everyone loves debating this without actually reading the damn thing and why I think it's worth making these tradeoffs
19:44 < petertodd> jtimon:
19:45 < petertodd> I mean, hell, it's paragraph three where I outline that my threat model is an attacker controlling a reasonable number of the nodes your SPV client is going to connect to... which is a *very* reasonable attack model.
19:46 < petertodd> Again, saying this because I've actually done this personally by throwing some cash at Amazon EC2
19:46 < jtimon> yes, I don't understand adam's objections, yet I don't know what's the alternative, but yes, as said earlier to adam you shouldn't bother much explaining this to me because I haven't read stealth addresses yet, really my fault for trying to follow again, sorry
19:46 < petertodd> jtimon: thanks
19:47 < CodeShark> jtimon: there's so much stuff going on in this space right now you'd be excused for not reading absolutely everything :)
19:47 < adam3us> petertodd: btw backing up a bit time-lock and stego, i dont think consensus is affected by unavailability of the key, and the key can be encrypted for the recipient and stored in the block chain
19:47 < petertodd> adam3us: no, the recipient is the public
19:47 < adam3us> petertodd: so then it's a simple matter if people do not reveal the key, they cant respend
19:47 < petertodd> adam3us: that's got nothing to do with it
19:48 < CodeShark> the recipient's key is already a hash of a pubkey
19:48 < adam3us> petertodd: yes for your other use case.  but then make it available from all nodes (its validatable against the ciphertext)
19:48 < petertodd> adam3us: the problem is that miners who know a tx is part of some consensus scheme may want to censor the tx and not mine it, yet the tx data *must* be guaranteed to be made public to everyone for a consensus scheme to work, thus, use timelock to force miners to either delay *all* transactions, or give up trying to censor
19:48 < jtimon> CodeShark yes, that's why I was "passing on stealth addresses for now", as a filter, but then I shouldn't try to follow the discussions about it intervening in them
19:49 < petertodd> adam3us: there is no way to prove publication unless you can guarantee that the data can be decrypted
19:50 < CodeShark> whether or not keys are encrypted has no effect on privacy as long as the keys (encrypted or not) can be associated with a wallet
19:50 < adam3us> petertodd: i guess you are assuming a network where 90% of miners and nodes hate msc spam and want to kill it ;) so then you cant rely even on relaying and it maybe difficult to find a node with the key?
19:50 < petertodd> adam3us: consider a key:value(s) consensus system: if it's just encrypted, I could hold onto the key, then release it after the fact, changing the consensus suddenly
19:51 < petertodd> adam3us: that's the whole fucking point of it: how to make an embedded consensus system that's uncensorable unless miners implement whitelists
19:51 < petertodd> adam3us: of course I'm assuming that - if I wasn't it wouldn't be much of a result
19:52 < petertodd> adam3us: I mean, hell we've got an existence proof that if only some miners hate you you can still get your tx's mined...
19:53 < adam3us> petertodd: ok then; it's a bit slow tho time-lock.  maybe you can find a subnet of msc-relaying nodes
19:54 < petertodd> adam3us: well sure, but that's not unlike making the block time longer - perfectly acceptable for a lot of applications
19:55 < petertodd> adam3us: I'm not claiming mastercoin should go and implement it right now - I'm pointing out that they could
19:56 < adam3us> petertodd: yep.  i have some more stego end-game ideas.  still holding them back :)
19:56 < adam3us> petertodd: meaning i dont disagree the steganographer wins. in the end game
19:57 < petertodd> adam3us: meh, do everyone some good and just publish them so people stop making shitty assumptions about scalability
19:58 < adam3us> petertodd: they are not so interesting, just silly things you could do if you had to (if bandwidth was no obstacle).  you probably already thought of them.
19:59 < petertodd> adam3us: ah, well if they're less efficient don't bother
20:00 < petertodd> adam3us: anyway, the interesting thing is how to make crypto-currencies where utxo bloat and so on doesn't matter, and I think we're close to solving that pretty thoroughly
20:00 < adam3us> petertodd: cant u get consensus by time-stamping and using a separate msc-only network for the data?
20:00 < petertodd> adam3us: consensus isn't just time-stamping
20:01 < petertodd> adam3us: proof-of-publication matters, and it's really not trivial
20:01 < petertodd> adam3us: heck, maybe there is no general solution to it
20:01 < adam3us> petertodd: well i mean if you tolerate jamming.  just have nodes stop if they cant obtain a full explanation of the time-stamp merkle tree.
20:02 < petertodd> adam3us: the point of proof-of-publication is to tolerate jamming you know...
20:03 < adam3us> petertodd: hmm so you want to send the (time-lock) encrypted msg in the chain because then its atomically delivered so either you get it or you dont.
20:03 < petertodd> adam3us: frankly I think many in the bitcoin community are letting their desire to keep data out of the chain blind them to how fucking hard it is to make these things secure
20:03 < adam3us> petertodd: stego wins.  i know it :)
20:04 < adam3us> petertodd: even if you have to use like morse code in the lsbit!
20:04 < petertodd> adam3us: it's not about "stego winning" - it's that people keep pushing MM and similar schemes not because it's better for the consensus system in question, but because it's better for bitcoin
20:05 < petertodd> adam3us: and whenever those consensus schemes take that advice, we bitcoin devs fool ourselves
20:05 < adam3us> petertodd: oh diff meaning.  ok well given the scalability limitations, absent a robust scalability fix, as you said sharding seems better.  so a MM chain is a crude form of sharding.  if security is important buy some kncminers to tip the balance.  or work on educating users to not use big pools etc.
20:05 < petertodd> adam3us: and you know, unless you honestly look at the incentives and attacks possible, you're not going to come up with MM schemes that *actually* work
20:06 < adam3us> petertodd: sure.
20:06 < petertodd> "educating users" fuck off
20:06 < petertodd> we've got a system where you *earn more money* mining at a big pool
20:06 < petertodd> that's fundamental to how bitcoin works and isn't going to change
20:06 < adam3us> petertodd: there are other ways to "educate" users you know.  that may require tor for the educators safety...
20:07 < petertodd> adam3us: all solutions that don't help *decentralized consensus systems*
20:07 < adam3us> petertodd: i wonder if any of them are selfish mining
20:07 < maaku_> petertodd: currently, you earn more money mining p2pool...
20:07 < petertodd> maaku_: not if you take your time into account for many miners...
20:07 < adam3us> maaku_: yes.  this is very puzzling to me.
20:07 < adam3us> petertodd: but its just as easy to pick p2pool from the list
20:08 < maaku_> adam3us: you don't pick p2pool from a list, you run a local daemon
20:08 < petertodd> maaku_: like it or not we probably have to get to the point where pools *can't* exist, and simultaneously fix scalability
20:08 < maaku_> but i've found it to be very stable at least
20:09 < adam3us> maaku_: i thought one of the miners i tried seemed to support p2pool out of the box (if it ran a daemon itself maybe)
20:09 < maaku_> petertodd: i like getting rid of pools. i don't like the negative side effects i've seen come attached to such proposals
20:09 < petertodd> adam3us: did you have a full node? if not you weren't using p2pool
20:09 < adam3us> petertodd: i did yes
20:09 < petertodd> maaku_: meh, just means you have to keep working on the proposals
20:09 < maaku_> adam3us: that'd be great if it does, but it probably just connected to a public p2pool node
20:10 < maaku_> which is really no different than a centralized pool as far as this conversation is concerned
20:10 < petertodd> maaku_: don't think I'm saying I have a perfect solution yet, I'm just saying we're incredibly naive in this community thinking stuff like p2pool is much of a fix
20:10 < petertodd> heh, heck, adam not knowing exactly what his hashing power was doing is a great example of why this is hard...
20:10 < adam3us> warren: maybe in your p2pool fixing budget you could try get a shiny nice UX GPU / ASIC scrypt/hashcash miner that bundles p2pool and makes it the default
20:11 < petertodd> adam3us: meh, that shiny p2pool bundle is an easy thing that people are already working on for free
20:11 < warren> adam3us: p2pool requires high CPU and disk i/o performance to be efficient =(
20:11 < adam3us> petertodd: i think the UX might be the key though.  if someones doing it for free, fine
20:12 < maaku_> warren adam3us: really all you need to do is bundle up a py2exe virtual environment for p2pool with gitian builds of bitcoind and bfgminer
20:12 < petertodd> warren: I set my p2pool node to mine very small blocks for that reason
20:12 < maaku_> let bfgminer --p2pool set up the services
20:12 < petertodd> warren: I think it's set to like 0.01BTC/KB fee or something
22:24 < andytoshi> yeah, but it's easy to get an endorsement in academia
22:25 < andytoshi> also if you had an account before they started doing endorsements
22:25 < andytoshi> i think you're free
22:25 < Mike_B>
22:25 < Mike_B> heh
22:25 < Mike_B> his first paper was some other random thing
22:26 < Mike_B> he probably was like "can you endorse me for this algorithms paper?" and the guy was like "sure"
22:26 < Mike_B> second paper after that: "P = NP"
22:26 < Mike_B> i'd be pissed if i was the endorser
22:28 < andytoshi> lol yeah, i'd be annoyed
22:28 < andytoshi> tbh i'd probably never bother to find out :P
22:39 < gmaxwell> we find out later it was just created as an effort to manipulate bitcoin prices.
22:40 < gmaxwell> Mike_B: meh, give him an easy one, ask for an md5 second preimage of the all zeros md5sum.
22:41 < Mike_B> ha
22:44 < Mike_B> i wonder how security would change if you replaced the usual 10m blockchain confirm with the following process
22:45 < Mike_B> 1) set difficulty so that each miner can solve the problem in (some shorter amount of time, like 10s)
22:45 < Mike_B> 2) wait for N miners to have declared a solution
22:46 < Mike_B> (assuming N is large)
22:46 < gmaxwell> not progress free.
22:46 < Mike_B> 3) have those miners come to consensus
22:46 < Mike_B> "progress free"?
22:46 < gmaxwell> A large miner has an unfair advantage.
22:46 < gmaxwell> He will mine with his large hashpower, claiming to be M small miners.
22:47 < Mike_B> right but is that just the same 51% vulnerability?
22:47 < gmaxwell> and his partial results for himself, and then come to consensus with himself, and by keeping his partial results to himself he gets a superlinear speedup.
22:47 < gmaxwell> At the extreme the fastest miner always wins.
22:47 < gmaxwell> no its not.
22:49 < Mike_B> so say you have an expected solving time of s, and you need N miners for a quorum, so that s*N = 10 minutes
22:49 < gmaxwell> imagine the extreme version where every hash is a winner. I am 4gh/s you are 3gh/s.  Target is 40giga-shares to solve a block. How many blocks will you solve?
22:50 < Mike_B> what do you mean by "giga-shares?"
22:50 < gmaxwell> hashes.
22:51 < Mike_B> if every hash is a winner, doesn't that mean the target is 1 hash to solve a block?
22:51 < gmaxwell> I mean every hash meets your lower criteria.
22:51 < gmaxwell> I'm using an extreme example where the ratio of the lower criteria to the block criteria is very large.
22:51 < gmaxwell> In those cases mining becomes a race and the fastest miner ~always wins.
22:52 < gmaxwell> it's true when the ratio isn't large, but the advantage is somewhat less.
22:53 < gmaxwell> The method you're describing (breaking up the hashcash into N smaller hashcashes) is suggested in some hashcash papers to reduce variance, but it has the property that it's not progress free, which is why we don't use it.
22:53 < Mike_B> don't understand what you mean by "lower criteria" and "block criteria"
22:53 < gmaxwell> lower criteria is your "solving criteria"
22:54 < gmaxwell> Mike_B: in your own language set N to a large value like a billion.
22:55 < Mike_B> ok, and now what
22:55 < Mike_B> N is a billion, s is tiny, N*s = 10m
22:57 < gmaxwell> now you have some miners and one a good amount faster than the others. instead of sharing his partial solutions he hoards them (or at least hoards them unless he learns of someone else having too many of them).
22:59 < Mike_B> ok
23:05 < Mike_B> gmaxwell: i still don't see the issue, sorry
23:05 < Mike_B> you're talking about a case where a miner has a plurality of hashpower but not a majority?
23:07 < gwillen> Mike_B: I haven't fully understood the issue, but consider that in _any_ scheme here where you have a threshold of "N miners" that can do something by consensus, there's something wrong
23:07 < gwillen> Mike_B: because one miner can always claim to be N miners for any value of N
23:07 < gwillen> so either the threshold is not necessary, or it's broken
23:08 < gwillen> I don't know which is the case here
23:10 < Mike_B> gwillen: i mean N verified proofs of work
23:10 < Mike_B> could be the same miner more than once
23:11 < gwillen> okay, N distinct proofs of work, that defeats my objection
23:11 < gwillen> I don't understand gmaxwell's well enough to know what it does to his
23:12 < gwillen> oh, I think I see
23:12 < gwillen> when it's a single share you need, everybody has a chance proportional to their hashpower, but it's high variance
23:13 < gwillen> if you need N smaller shares, you reduce the variance, but you also reduce the chance of people with low hashpower and increase the chance of people with high hashpower
23:13 < gwillen> if you need 1 share that takes a million seconds on average, winning is proportional to hashpower
23:14 < gwillen> if you need a million shares that take 1 second on average, the guy with the most hashpower will win every time
23:14 < gwillen> (if I'm thinking about this right)
23:14 < gmaxwell> Thats what I'm arguing, yes.
23:14 < gwillen> ok.
23:14 < gmaxwell> It's not progress free. As you find shares you're making progress.
23:14 < gwillen> oh, interesting
23:14 < gwillen> progress-freedom makes it a poisson process
23:15 < gwillen> and only a poisson process has the right statistics for winning to be proportionate to hashpower
23:15 < Mike_B> gmaxwell, can you link me to a paper that describes this
23:17 < Mike_B> if you're saying one exists, anyway
23:18 < Mike_B> gwillen: what i'm trying to figure out is what the analogue of the 51% vulnerability is as N changes
23:18 < gmaxwell> I thought there was, but I'm not finding it at the moment, I'll look more after dinner. :)
23:18 < gwillen> Mike_B: as I understand it, you could indeed compute an analogous percentage as a function of N
23:18 < gwillen> but I don't know how off the top of my head
23:19 < Mike_B> gmaxwell: alright, well i'd much appreciate it if you do find anything
23:19 < gwillen> I could probably work it out but I have real work I need to be doing
23:20 < Mike_B> gwillen: fair enugh
23:20 < Mike_B> enouh
23:20 < Mike_B> god damn it
23:20 < Mike_B> :(
23:21  * Mike_B "enoughghghghghghghghghghghghg"
23:23 < gmaxwell> new lenovo keyboard?
23:24 < Mike_B> no, i just developed a neuromuscular disorder that lasted 2 seconds
23:26 < gmaxwell> It's been known to happen to bitcoiners. :(
23:27 < Mike_B> bitcoin-related finger tremor
23:28 < Mike_B> ok, so i see your objection now
23:28 < Mike_B> so you're saying the target is 0xfffff....
23:28 < Mike_B> so every hash wins, but you need a trillion hashes or whatever
23:29 < Mike_B> so if you have double the hashpower I do, you generate hashes twice as fast
23:30 < Mike_B> and i guess you're saying there's a strategy where you can hoard hashes and i, the poor unsuspecting sap, just broadcast them to the network
23:30 < Mike_B> is that right?
23:31 < Mike_B> i guess i'm just not sure how you'd use hoarding hashes to have influence more than your hashpower
23:31 < Mike_B> you'd have to wait for me to pass some threshold and then dump
--- Log closed Thu Dec 05 00:00:32 2013
--- Log opened Thu Dec 05 00:00:32 2013
01:01 < amiller> gmaxwell, what do you think of the transaction notation in the "mpc on bitcoin" paper
01:01 < amiller> is it easy to read?
01:02 < amiller> it's a pretty sound compromise between the current academic notation and how we're used to looking at them, i think
01:03 < amiller> i guess i should try writing something else out in that style
08:21 < jtimon> maaku I'm still on page 5, but this P = NP paper looks very good
08:22 < jtimon> I thought you believed this was possible since you tried it yourself
08:28 < fagmuffinz> jtimon, link?
08:28 < jtimon> <maaku> supposed proof of P=NP :
08:28 < jtimon> <maaku> dubious of a proof that's only 24 pages long
08:38 < t7> can you express the problem in coq or agda?
08:46 < _ingsoc> For a second I thought it was this guy:
08:46 < _ingsoc> I would have been like, damn, that's badass.
08:52 < iddo> jtimon: it's not new, it's revised from 2012, see and
08:53 < nsh> what was the problem in 2012?
08:53 < nsh> shouldn't a constructive proof of P=NP lead pretty directly to efficient algorithms/reductions for All The Problems
08:54 < nsh> ?
08:54 < TD> huh
08:54 < TD> it's funny to see a list of papers along with claims "This paper proves P=NP" followed by "This paper proves P/=NP"
08:55 < nsh> yeah
08:55 < nsh> --
08:55 < nsh> [Equal]: In September 2012, Sergey V. Yakhontov proved that P=NP. The proof is constructive, and explicitly gives a polynomial time deterministic algorithm that determines whether there exists a polynomial-length accepting computational path for a given non-deterministic single-tape Turing machine. The paper is available at
08:55 < nsh> (Thanks to Ricardo Mota Gomes for providing this link.)
08:55 < nsh> --
08:55 < iddo> nsh: serious people stopped trying to look for problems in non-peer-reviewed papers like this, e.g.
08:56 < nsh> (constructively determining the existence of something is not constructive)
08:56 < TD> isn't looking for problems rather what peer review means?
08:56 < sipa> nsh: there are classes above NP that would be unaffected (ExpTime, ...)
08:56 < nsh> sipa, right
08:56 < sipa> also, polynomial does not imply efficient by any real-world standard
08:56 < sipa> (assume it was polynomial in the 100th degree?)
08:58 < nsh> have there been many cases of polynomial algorithms being found but only with high exponents?
08:58 < nsh> i have the impression (but i don't know how reliable it is) that generally relatively efficient algorithms are found where they exist at all
18:53 < adam3us> btw it would be super embarrassing if the thing which over took bitcoin if it happened was essentially a lame param tweak
18:53 < gmaxwell> PPC would be interesting to me if it weren't sullied with that stupid block signing.
18:53 < maaku> the pun on "free market" was just too good to pass up
18:54 < maaku> geistgeld, my favorite. 15 second blocks
18:54 < maaku> that actually was useful
18:54 < maaku> and appropriately, now dead
18:54 < gmaxwell> the scrypt experiment ran its course and failed as an experiment: It failed its stated goal, and it's had negative side effects (making initial (/spv) sync slow).  Double sad is that many people (myself included) predicted exactly this outcome.
18:54 < adam3us> sipa: yes litecoin main claim was giving gpu miners something to play with when asics came
18:55 < sipa> i wonder, with PPC, can you mine on both branches of a block chain fork at once, without loss?
18:55 < jtimon> wasn't geistgeld the first one with scrypt?
18:55 < gmaxwell> maaku: I liked "liquidcoin" the one with the difficulty set to a fixed level... it rapidly turned into a thousand separate currencies as nodes could never manage to converge.
18:55 < adam3us> sipa: well even that was unintended if i caught up correctly it aimed for cpu preference and failed, luckily for it asics came along
18:56 < gmaxwell> sipa: with PoS you can indeed, thats why PoS is sad.  PPC arbitrates forks with a special alert message that adds a checkpoint, run by the developer.
18:56 < jtimon> I dream with a SCIP/spark-based pow
18:57 < sipa> gmaxwell: i keep reading "PoS" as "piece of shit"
18:57 < adam3us> he he
18:57 < petertodd> gmaxwell, maaku: working on a paper analyzing profitability of tx fees - results are looking pretty ugly w/ centralizing mining having at best linear improvements in profitability.
18:58 < sipa> gmaxwell: oh, so that is actually why the checkpoints are needed
18:58 < adam3us> gmaxwell: scrypt spv problem being higher hash validation cost?
18:58 < petertodd> gmaxwell, maaku: you can very quickly construct a proof that in any circumstance mining is something where increased hashing power gives you more profits per unit work
18:58 < sipa> gmaxwell: i thought it was to prevent tons of SHA256 power working against it
18:58 < petertodd> gmaxwell, maaku: which we knew... but it looks like under certain circumstances the implications of that are really ugly.
18:58 < gmaxwell> adam3us: no it wasn't, LTC's claim was that it was cpu only (gpu resistant) :P
18:58 < adam3us> gmaxwell: yes i read that
18:59 < sipa> < adam3us> sipa: yes litecoin main claim was giving gpu miners something to play with when asics came    <-- unsure what you mean here
18:59 < gmaxwell> sipa: most of PPC blocks is PoS mining now, the SHA256 difficulty is quite high.
18:59 < adam3us> gmaxwell: "and it's had negative side effects (making initial (/spv) sync slow)." was referring to that ... scrypt spv problem being higher hash validation cost?
18:59 < petertodd> bbl
19:00 < jtimon> the theory now is that ASICs = centralization = less security: I think bitshares offers an "even-harder-to-asic" pow
19:00 < gmaxwell> sipa: the first version of PPC PoS was super vulnerable, by throwing CPU at the POS you could find a path of solutions where your coins were the lucky POS coins for every block.
19:00 < adam3us> sipa: never mind, i just meant that it would've probably died if asic mining hadnt freed up lots of gpus, when its failed attempt to be better on cpu failed
19:00 < sipa> adam3us: ic
19:00 < sipa> adam3us: ironic :)
19:01 < gmaxwell> sipa: they stopped the majority attack by the alert lockins and then did a hardfork to change the PoS so that the stake is selected using POW blocks to prevent that kind of fork and search to favor your own stake.
19:01 < adam3us> sipa: litecoin investors made money from a failure that succeeded for random reasons outside of its authors control or expectation
19:02 < gmaxwell> but you can still mine all possible forks, and its rational to do so... you just can't use doing that to make yourself mine all the blocks. :P
19:02 < jtimon> I guess atlantis had a lot to do with ltc success too
19:02 < gmaxwell> (unless you also have a lot of hashpower)
19:02 < adam3us> sipa: but it is kind of interesting that the value of a coin is partly from the fun that can be had in the act of mining it... if you take away peoples toys by removing gpu mining and asics being hard to get, then thats what happens
19:03 < adam3us> jtimon: atlantis?
19:03 < jtimon> was another silk road that accepted both btc and ltc
19:03 < gmaxwell> adam3us: litecoin mining was really weird for a long time, e.g. it was net unprofitable over power for a very long time until GPU mining took off.
19:04 < adam3us> btw i had a look at bitshares protocoin mining run and they very badly screwed their params, but the psychology of the miners on the #protoshares channel was interesting... they mostly didn't understand what it was or why they were mining it, just it was fun, and they were early and getting a discount/jump on a timelimited offer
19:05 < gmaxwell> adam3us: yea, mining all the new things blindly has been at times very profitable.
19:05 < adam3us> (they hard forked their params with no warning to the alarm of users who prepaid for like hosting services on a month basis that bitshares was taking referral commission on)
19:05 < adam3us> i was too late to encourage their users to reject and not upgrade!
19:06 < gmaxwell> adam3us: nothing can compete with all the crazy stuff solid coin did.
19:06 < adam3us> (they put a message on their site to say you have to upgrade or else, but the threat was incorrect - if the miners revolted that would've been the end of the param change plan)
19:06 < gmaxwell> I'm pretty sure you could do a hardfork of a moderately successful altcoin where you just moved half the users balances to yourself, and they'd take it.
19:06 < midnightmagic> gmaxwell: I wonder if that's the anonymous developer who wants to add in all that new stuff to an altcoin fork.
19:06 < jtimon> gmaxwell, do you have more on your interactive hashtree proof besides this thread?
19:07 < gmaxwell> jtimon: the block cut and choose idea at the bottom is applicable to any fiat shamir style non-interactive proof, it just potentially makes them smaller for a given security level.
19:08 < gmaxwell> midnightmagic: hm?
19:08 < adam3us> gmaxwell: btw about your aside about patent trolls, i did send a mail to the foundation lawyer guy and matonis, and they replied to say yes they were working on a defensive shared patent pool
19:09 < gmaxwell> midnightmagic: realsolid hardly did anything original
19:09 < sipa> he was perhaps the first to use floating point in consensus-critical code :)
19:09 < gmaxwell> adam3us: uhh. that the foundation would own? danger danger. 501(c)(6) assets can be taken in bankruptcy to creditors, and bankruptcy transfers can sever otherwise perpetual licenses.
19:10 < midnightmagic> gmaxwell: The ideas lists were collected from others' hardfork wishlists
19:10 < adam3us> gmaxwell: but yeah i don't know.. i suggested such risks to jgarzik who was on the thread here and he seemed less worried
19:10 < gmaxwell> midnightmagic: well ideas are a dime a dozen, sit down I'll pump out another gross of them for you.
19:10 < midnightmagic> :)
19:10 < adam3us> it seemed to me a risk that the foundation could be legally attacked and the patents seized
19:12 < adam3us> but the current alternative is not fantastic either that each new bitcoin startup probably patents half a dozen defensive things, that sooner or later will get bought by a troll, or sold to a big co that does nothing with it apart from park it in a 5000 patent defensive pool
19:12 < adam3us> it happened with Chaum's digicash patents, until they expired
19:14 < gmaxwell> adam3us: SFLC considers that kind of risk significant, for codec patents we've used a complicated interlocking scheme with multiple 501(c)(3) (which have special asset disposition rules which prevent them from being taken in a bankruptcy), e.g. mozilla filed patents and then assigned them to Xiph.Org under an agreement controlling the disposition of the patents should Xiph.Org go away, and we still consider it generally risky as ...
19:14 < gmaxwell> ... opposed to pure defensive publication. (but the risk was necessary because we had to be able to force other potential patent holders to adopt licensing terms we specified and thus needed negotiating leverage)
19:15 < adam3us> i see - maybe you should fwd that to the lawyer guy & matonis
19:15 < gmaxwell> The biggest problem in true defensive patenting is that under current caselaw in the US a bankruptcy court can dissolve _any_ licensing agreement, and they do.
19:16 < gmaxwell> (this is also why things like the twitter patent pledge thing are nice in spirit but may not work in practice)
19:16 < adam3us> i was thinking it would be nice to have some way to defensively avoid patents becoming troll material
19:17 < gmaxwell> the next best idea was to embed trapdoor misconduct in the patent application process, so that our patents were trivially invalidatable but only to us.. uh.. I hope that expresses how hard we considered the process to be. :)
19:17 < adam3us> that bitcoin startups have; maybe they can own them but they revert to the foundation - far out of my depth other than hating patents with a vengeance and seeing too many of them through consulting on crypto for people and wanting to avoid seeing the digicash patent endgame
19:18 < adam3us> if there was a safe way to have a defensive pool, it would be good to have something to pressure bitcoin startups to assign their patents to so they can be forced to be sincere about their defensive plans
21:35 < gmaxwell> at some point I believe we'll add some (or multiple) kinds of finite resource priority peers can use to get slots if they're having problems. I've got a couple ideas for that.
21:49 < nanotube> hm, that's interesting
21:52 < nanotube> mem was stable at 16conn, restarted with 128.
--- Log closed Wed Sep 11 00:00:26 2013
--- Log opened Wed Sep 11 00:00:26 2013
00:11 < nanotube> 27 peers, 13 tor. 269/598M ram. (vs 268/585 at 16 peers)
00:11 < nanotube> jrmithdobbs: maybe something changed in a month, but i'm definitely seeing plenty of tor peers.
07:35 < nanotube> 27 tor out of 52. 302/591 mem.
07:35 < nanotube> that /is/ pretty small mem impact per connection, it seems.
07:36 < gmaxwell> it used to be much larger, but, yea, that mostly should have been fixed.
16:21 < nanotube> also, 33 out of 57 connections are tor. definitely some popularity there.
16:37 < nanotube> we could probably use sipa's crawler to get a rough estimate of how many torcoin nodes there are...
17:54 < sipa> nanotube: i crawl tor
20:34 < nanotube> sipa: ah cool. so got any rough estimate? :)
20:35 < sipa> there's 31 onion peers in my database
20:40 < nanotube> heh, i have 35 tor peers right now as we speak. >_<
20:42 < nanotube> but those are people connecting to me, so maybe they are not running a hidden service
--- Log closed Thu Sep 12 00:00:29 2013
--- Log opened Thu Sep 12 00:00:29 2013
01:16 < gmaxwell> nanotube: exactly, we're sort of short on onion peers. :(
08:39 < nanotube> there seems to be a decent list on
10:03 < gmaxwell> petertodd:  someone proposes a composable signature scheme based on pairing crypto.
10:05 < gmaxwell> e.g. you have a bunch of pubkeys, and values signed... and you can't tell which signed which. bonus: they seem to be claiming the aggregate is constant size.
10:06 < gmaxwell> (though they make some claim about the security model essential to the size being constant and not linear in the number of signatures which I don't understand)
11:44 < petertodd> gmaxwell: broken link
11:45 < petertodd> Sounds promising though!
11:52 < gmaxwell> petertodd: sorry, I moved around some posts:
11:53 < gmaxwell> In any case, you start off with a bunch of {key, message, signature} and can aggregate one way into a {N x key, N x message, signature} such that you can't tell which key signed for which message. The final signature may be constant in length.
11:53 < gmaxwell> (may because they had some security handwave I didn't follow, otherwise it's linear)
14:04 < amiller> i really think i've figured out the economics of bitcoin
14:04 < amiller> it has to be unprofitable for everyone
14:06 < amiller> we have to assume it's always more efficient for large corporations to mine, because of economies of scale etc etc
14:07 < amiller> this is the underlying reason why people panic about the trend of bitcoin towards centralized mining
14:07 < amiller> and it's compelling
14:08 < amiller> if it's unprofitable for some people to mine and profitable for others, then unfortunately it's likely to be profitable only for people with the biggest investments
14:08 < amiller> but this lottery theory is totally a way around that
14:09 < amiller> the solution is basically to make it unprofitable for everyone, including the potentially enormous miners
14:10 < amiller> and in fact the motivation to participate, despite it being unprofitable, is most applicable to the small users and not to the biggest players
14:11 < jgarzik> One argument I've always made is that larger corporations, if they decide to buy into bitcoin mining, will be willing to mine even at a loss
14:11 < amiller> i think the opposite
14:11 < amiller> maybe if they have some external reason as well, like political influence i suppose?
14:12 < jgarzik> amiller, you may obtain several opportunities of ancillary value from mining
14:12 < jgarzik> amiller, mining your own transactions, slowing down your competitors, strategic value, etc.
14:12 < jgarzik> amiller, general network security, lessening dominance of others
14:13 < jgarzik> amiller, laundering (the 110% PPS case)
14:13 < amiller> i see
14:13 < amiller> that's not detrimental, it doesn't necessarily imply the winner take all case
14:13 < jgarzik> agree
14:14 < jgarzik> not trying to rebut your argument, just noting all the value that may be extracted even if the mining itself is notionally unprofitable
14:14 < amiller> sure, fair enough
14:14 < amiller> some of that almost counts as altruistic model as well, basically you've described like a bitcoin stewarding company
14:15 < amiller> it would be disconcerting if a potentially strictly-greedy network-ambivalent cost-cutting company could get more and more profitable just by mining and accumulating compute power
14:16 < amiller> so i'm really comfortable now with this decision theory called Cumulative Prospect Theory
14:16 < amiller> it's a generalization of the standard Expected Utility version
14:16 < amiller> EU says that no one ever participates in lotteries, CPT accounts for that
14:17 < amiller> i'm really confident now that modeling bitcoin miners as CPT-rational agents is the way to go
14:19 < amiller> it's not inherently irrational to play a lottery with -ev
14:19 < amiller> which is a nice observation because we know that people do
14:19 < amiller> what's neat is that a lot of people of ordinary wealth may be very excited about the potential of winning like $2500 by mining a block
14:20 < amiller> when the potential reward is tuned right, basically the most amount of people will participate and the ev will drop
14:21 < amiller> yet $2500 is nothing to a big company, and they're less and less likely to get a big enough jackpot to make it worth participating
14:24 < jgarzik> not necessarily stewarding -- I was thinking to myself of an idealized "bitcoin bank", or an HSBC/Goldman bank that wants to participate with bitcoin
14:24 < jgarzik> If you want to participate in the network, there is value in helping to defend it
14:25 < jgarzik> another thought, the most difficult problem to solve: how to compensate people for joining the network and relaying transactions
14:26 < jgarzik> otherwise we quickly degenerate into only miners running full nodes (which, admittedly, Satoshi described as an end game)
14:37 < jgarzik> amiller, compare price of hardware versus likely expected payoff
14:37 < jgarzik> amiller, it's expensive hardware for a low-payoff lottery, right now
14:38 < jgarzik> any hardware within the reach of normal people will on average produce 1 block every 10 years or so
14:38 < jgarzik> and it seems like that trend will continue
14:38 < amiller> one thing i found is that the cost is totally dominated by equipment rather than power
14:38 < amiller> it surprises me whenever i do that calculation
14:38 < jgarzik> indeed
14:39 < jgarzik> though my $300/month power bill increase was painful today :)
14:39 < jgarzik> 2x Avalon, 2x BFL
14:39 < jgarzik> (need to get that other Av back up)
14:39 < gmaxwell> petertodd:
14:39 < amiller> i'm interested in the structure of bitcoin's reward
14:39 < amiller> like if there were bigger jackpots
14:40 < amiller> perhaps sometimes you could win a thousand bitcoin bonus
14:40 < amiller> that would change the way in which people participate
14:40 < amiller> even if somehow the expected profit was fixed
14:40 < amiller> that's my point overall i guess is that i'm moving away from an expected-profit-centric analysis of the rewards
14:40 < gmaxwell> 11:19 < amiller> what's neat is that a lot of people of ordinary wealth may be very excited about the potential of winning like $2500 by mining a block
14:41 < gmaxwell> ^ doesn't explain why most people won't solo mine, even in small amounts... even with a positive ev. :P
14:42 < gmaxwell> amiller: a significant fraction of miners think mining is a race, and that you get super linear rewards from big aggregates. "So much for rational agents" .. so perhaps that's what explains the prevalence of pooling, it doesn't seem to explain the near absence of solomining.
14:42 < gmaxwell> jgarzik: 11:25 < jgarzik> another thought, the most difficult problem to solve: how to compensate people for joining the network and relaying transactions
14:43 < gmaxwell> So, there was just a "anonymity" proposal that resolves that as a side effect.
14:43 < amiller> gmaxwell, i have two responses, one is that it could easily be something that happens later as people learn to understand the economics better, the other is that perhaps the $2500 is even too steep and people would like to have a small chance at winning like $20 or something
14:44 < amiller> there are tons of studies on lottery design, and it's well known that lottery designs typically have lots of different prizes
14:44 < jgarzik> Explaining the near absence of solo mining:  There is a rather large chance you will /never/ get paid for that noisy, loud hardware you had to fight to obtain.
14:44 < amiller> i found one paper that looks at optimal lottery design for a market of CPT agents in particular, and basically concludes that an optimal lottery has a continuous prize distribution, not just finite prizes
14:44 < jgarzik> The motivation to help the network is not nearly so strong.
14:44 < amiller> bitcoin has exactly one prize
14:44 < amiller> for bigger prizes, you have to go to satoshi dice
14:44 < amiller> for smaller prizes, you have to go to satoshi dice
14:45 < gmaxwell> jgarzik: I mean back when CPU mining was still profitable (positive EV over power costs) but not very, I had basically no luck convincing now gpu miners to spin up their cpus laying around solo mining.
11:58 < jtimon> petertodd: "reduce the consensus "size"", that's what I meant here " though the most promising scalability improvements can only come from more data being directly exchanged between parties without touching the chain"
11:58 < petertodd> TD: ha, for once we're on agreement on scalability (at least on what we should do in the short/medium term)
11:59 < jtimon> TD ok I get your point
11:59 < TD> i'll go  out and celebrate tonight :)
11:59 < jtimon> TD but that's assuming no merged mining :(
11:59 < petertodd> TD: and for long-term, we can probably agree that we don't know yet because the research hasn't been done :)
12:00 < TD> the scaling issues with bitcoin aren't really mining, they're to do with management of the chain/transaction rates/etc. so merged mined altcoins are fine.
12:00 < TD> indeed!
12:00 < jtimon> yeah, maybe I'm just envisioning the worst-case scalability scenario, and still future looks bright
12:00 < petertodd> jtimon: ah, well depends on your definition of "the chain" - I think long-term we can create systems where, very roughly speaking, you have multiple chains where the "timestamping" PoW is all merged, but the proof-of-publication isn't
12:01 < petertodd> jtimon: so your tx on *a* blockchain might be subject to consensus by an audience of 10,000 or whatever, but the "audience" timestamping it may be millions
12:02 < petertodd> jtimon: and most likely the tech will be such that the more valuable transactions end up paying higher (absolute) fees, and are "seen" by a larger audience
12:02 < adam3us> TD: i'm more excited about pegged side-chains (aka alts but with bitcoin price pegging in lieu of new scarcity races) as a building block to explore sharding and other features. then each guy with a crazy idea can go knock himself out on a side chain without creating dust on bitcoin main meta-coin style, and without creating a new tulip coin with scarcity race sales-hook being his "feature"
12:02 < jtimon> petertodd: I just don't know how you're going to do that
12:02 < petertodd> jtimon: the open research problems are all related to how does security work there
12:03 < jtimon> petertodd: as said some kind of sharding  would be very nice
12:03 < petertodd> jtimon: well, I've got some ideas - day before yesterday I outlined one on -wizards
12:03 < jtimon> yeah you half-explained me one, but I was unconvinced
12:04 < petertodd> adam3us: yeah, merge-mined sharding w/ pegged value is probably a reasonable way to upgrade bitcoin 1.0 to this kind of technology
12:04 < jtimon> I'm happy that you're thinking about these things though
12:04 < petertodd> adam3us: but as I say, the specifics are an open question right now
12:04 < adam3us> anyway it's not doom & gloom, we're not all out of ideas, maybe petertodd is full of it or maybe he finds the magic formula :)
12:05 < jtimon> petertodd: one idea I had in mind was partitioning the sequencing itself
12:05 < helo> sharding is sending bitcoin to an unspendable bitcoin addresses to mint altcoin?
12:05 < adam3us> petertodd: right exactly.  so lets build pegged side-chain and let a dozen people and startups go try see if they can figure it out
12:05 < jtimon> but I haven't found a way to make it p2p
12:05 < adam3us> helo: no sharding is generic... just means split up the volume somehow
12:06 < helo> ok
12:06 < adam3us> helo: pegged side-chain involves proof of transfer (you can move the coin back too, not destroyed as such)
12:06 < petertodd> adam3us: heh, worst comes to worst all my off-chain stuff *does* work just fine subject to the semi-centralization involved, and it has the enormous advantage that implementations of it can fail and won't take down the whole system with it
12:06 < jtimon> helo: like having half transactions in one chain and the other half in another chain
12:07 < jtimon> helo: I meant that for sharding
12:07 < adam3us> petertodd: it is highly likely that at least one person will try to claim solving it via a centralized server.  well we have open transactions even :) federated but auditable, and rebuildable from receipts
12:07 < petertodd> jtimon: yeah, atomicity of transactions in sharded systems is a really interesting question
12:08 < petertodd> adam3us: yup, my actualy claim to fame in that space is only better systems of auditing and fraud punishment - the idea itself is so simple as to get reinvented constantly
12:08 < petertodd> adam3us: *actual
12:08 < jtimon> let me explain how it would work "centralized", maybe you can come up with a way to make that p2p
12:08 < adam3us> petertodd, jtimon: so pegged side chain, like 100 of them merge mined, coins moved via SPV proof of move or atomic cross chain swap.  seems not implausible
12:08 < jtimon> or someone else
12:09 < petertodd> jtimon: see fidelity bonded banks where the machine readable fraud proofs are what makes it possible to do it p2p
12:09 < jtimon> adam3us: that still requires fat validation miners
12:09 < petertodd> jtimon: no it doesn't, mining is scalable because miners don't have to validate all chains
12:09 < jtimon> petertodd you don't know what I'm going to say yet
12:10 < adam3us> jtimon: it's merge mined, but maybe some model can be found for mining without having all 100 full tx feed. it's not like most mining power right now is even looking at the tx...
12:10 < jtimon> petertodd: there was no sharding in adam3us' not implausible comment
12:11 < jtimon> "pegged side chain, like 100 of them merge mined, coins moved via SPV proof of move or atomic cross chain swap.  seems not implausible"
12:11 < adam3us> anyway we don't have to solve it today... more worried about how to provably prevent someone sneaking fractional reserve into a side-chain at this moment.
12:11 < adam3us> jtimon: yeah it's just a definitional thing. you could consider the 100 side chains 100 shards
12:12 < petertodd> adam3us: well, like I said above, the trick is to separate timestamping from the proof-of-publication - merge-mined side chains can naturally work that way if they are genuinely merge-mined, as opposed to just a soft-forking change
12:12 < adam3us> petertodd: yes this is a kind of open transactions argument.  i buy that as a plausible thing to explore.
12:12 < jtimon> well, since we don't know how to shard yet and you didn't explicitly mention it, I thought you meant we could still scale doing that without sharding
12:13 < adam3us> jtimon: i was thinking of a use-case of (multiple identical) pegged side-chains as a mechanism for sharding
12:13 < petertodd> jtimon: well, remember my thought example of the tree-like consensus system? if your top node in that tree is the bitcoin blockchain, then the two leaves logically are your merge-mined side-chains
12:14 < petertodd> jtimon: which is why coming up with a backwards-compatible upgrade is actually fairly plausible - ugly, but feasible
12:15 < jtimon> adam3us: but the pegging thing is to solve the "exchange rate" problem TD mentions
12:15 < adam3us> petertodd: it's the beauty of pegged side-chain, the side chain (or lots of them, or competing lots of them) can go do experiments while retaining bitcoin main fungibility
12:15 < petertodd> adam3us: yup
12:16 < jtimon> adam3us: I'm saying I don't know a technical solution for merged mining + sharding in the first place, seems kind of incompatible to me
12:16 < adam3us> jtimon: right. but pegged side-chains also form security firewalled experiment zones for interesting things, like sharding, freimarket script extensions, utxo compaction, zerocoins, committed tx... anything within reason
12:17 < adam3us> petertodd: the limitation is only i think it has to be not too alien for bitcoin to not be able to consume the side-chain's SPV proof of move
12:18 < jtimon> adam3us: security firewalled? what in pegcoin makes it more attractive to merge mine than say, devcoin?
12:18 < petertodd> adam3us: nah, I'd say the bigger limitation is that long-term PoW security needs to be paid for by fees, and the basic economic model is screwy there and has a high potential of failure
12:18 < adam3us> jtimon: incentive you mean? ask petertodd he's the incentive / game-theory guru ;P
12:18 < petertodd> adam3us: it's the thing with off-chain stuff: it becoming too effective is a huge risk in the long-term!
12:19 < petertodd> adam3us: now that's like, 10 years away long term hopefully, but it's a problem that needs solving eventually
12:19 < adam3us> petertodd: it seems like the biggest open q about it really. incentives. but it's not like that's solved in main. $25k/block or $150k/6-block is the price of admission (x the failure rate to build a chain long enough)
12:20 < jtimon> petertodd are you suggesting off-chain technology working nicely and securely is a "huge risk"? what do you mean?
12:21 < adam3us> petertodd: Maybe its a TD thing.  we (humans) want and need this to work, so maybe most honest people will do it and that will carry the day
12:21 < petertodd> adam3us: yup, currently my best guess is per-tx PoW schemes (and actually, maybe per *txin* PoW schemes) with anti-pooling stuff and PoW algorithms more resistant to ASIC centralization is what'll work, but those are all -wizard level questions and lots of research to be done
12:21 < adam3us> jtimon: he's worried about an incentive break down leading to attacks
12:22 < jtimon> adam3us well I ask you because you made the firewall claim, but I'm happy receiving an explanation from anybody
12:22 < petertodd> adam3us: in the meantime, honesty and other non-ideal second order effects will help the existing system limp along for a lot longer than it deserves to
12:22 < petertodd> jtimon: yes, in the long term the PoW security needs to be paid for, and one of the few reasonable ways to do it is transaction fees, no-txs == no pow security in many very plausible future models
19:32 <@gmaxwell> at some point this should get built, even if it's just a toy insecure form.
19:33 <@gmaxwell> people were talking in #bitcoin-offtopic about building an IRC micropayment bot...
19:33 <@petertodd> Did you read my bonded ledgers thing?
19:33 <@gmaxwell> You send it 1btc.. then you can bot: pay petertodd 0.012345 btc    and eventually petertodd can checkout if he likes.
19:33 <@petertodd> The idea of focusing on making a ledger who you are only holding to not allow double-spends to happen is nice.
19:34 <@gmaxwell> Not secure, not private, etc. But it would be insanely useful. It would do micropayments instantly in a way bitcoin cannot, it would avoid blockchain bloat and transaction fees..  etc. Even the weakest forms of your chaum bank stuff would be better than "just trust the bank"
19:35 <@gmaxwell> the bonded ledgers was just the OP code for double spends?
19:35 <@petertodd> Yeah, and if it's just a ledger, you could re-use all the Bitcoin transaction machinery, including machinery to do double-spend proofs.
19:35 <@petertodd> Pretty much, and if the scripting system was just slightly more powerful, you probably wouldn't even need a dedicated opcode.
19:36 <@gmaxwell> I wonder how you could construct its transactions to make the proof of doublespending maximally small?
19:37 <@petertodd> Basically decompose CHECKSIG, allow for string manipulation, and provide a way to constrain what the txout set of a scriptPubKey spend is.
19:37 <@gmaxwell> though I suppose ideally it would work on bitcoin transactions so you could use it for both on and off chain doublespending prevention.
19:37 <@gmaxwell> though that presupposes a public ledger which is lame.
19:37 <@petertodd> Well, one key thing would be for signatures to use a hash tree to generate the hashes. You just have to show that the inputs were the same both times, not the outputs.
19:38 <@gmaxwell> yea, I've wanted to define a transaction format that is tree structured for other reasons: to build altchains that don't validate buried signatures.
19:38 <@petertodd> Public ledger is the easiest, but you don't have to do that. One way would be to use a crypto accumulator on the set of all txins spent.
19:39 <@petertodd> So you would challenge the ledger periodically to prove they didn't double-spend your transactions.
19:39 <@petertodd> hmm... actually, that could work very nicely...
19:40 <@petertodd> You do need the ledger to publish some type of "state of the ledger" publicly, in a way that can be retrieved anonymously, but, for instance, that could be done with the ledger's deposit and withdrawal transactions as a smalldata.
19:41 <@petertodd> Basically, for any tx the ledger ever makes, if you find the ledger's signature on it you can simply say "OK, so that's the state of the ledger, now prove to me that you didn't double-spend my input"
19:41 <@gmaxwell> the advantage, e.g. of an irc paybot is better scale for microtxn, and improved privacy (basically privacy more like IRC's: not cryptostrong but ephemeral so long as everyone is playing nice)
19:42 <@petertodd> And when you accept a transaction from the ledger, ask for *that* transaction's history, back to where it came from in the blockchain.
19:43 <@petertodd> I assume you've seen reddit's bitcointip right?
19:44 <@gmaxwell> yes. pretty horrible in that it makes a bitcoin txn per tip or at least it did.
19:44 <@gmaxwell> "worst of all worlds: insecure, slow, and non-scalable"
19:44 <@petertodd> Pretty sure it still does; it's based.
19:44 <@petertodd> Especially given the tiny size of tips.
19:45 <@gmaxwell> Yea, b.i doesn't even have a facility for internal transactions.
19:45 <@petertodd> OK, so there's a goal: a library for auditable off-chain transactions.
19:45 <@petertodd> Well, how could b.i and still meet its security promises?
19:46 <@gmaxwell> by allowing you to have some portion of your balance with b.i instead of in your wallet, of course.
19:46 <@petertodd> Well, sure, but then they need my auditable off-chain tx library. :P
19:46 <@gmaxwell> :)
19:46 <@gmaxwell> mtgox seems to do fine without one.
19:47 <@petertodd> mtgox is big enough to have credibility, of course, so is b.i
19:47 <@gmaxwell> What would the audits prove?
19:47 <@petertodd> The audits *could* prove fraud, if caught.
19:47 <@gmaxwell> I mean what kind of fraud.
19:47 <@petertodd> Well, lets say the ledger is internally doing a full blockchain basically, one tx per block.
19:48 <@petertodd> Each block is signed by the ledger, and the blockchain is linked by a merkle mountain range hash system.
19:48 <@petertodd> You also have a UTXO proof system basically.
19:49 <@petertodd> So, one valid query would be to ask "Give me a full transaction history from my tx back to the on-chain tx"
19:49 <@gmaxwell> Right, how do you avoid the proofs not becoming exponential as coins split and merge?
19:49 <@petertodd> It's a good question, likely the ledger can only say "proofs will never be more than 1MiB" or something.
19:50 <@gmaxwell> basically, I'm thinking this hidden blockchain model imposes some performance limits on the dumb-irc-bot-bank that would be unfortunate.
19:50 <@petertodd> I mean, heck, just make the whole thing downloadable, and every year or so just throw it away and start fresh.
19:50 <@petertodd> Yeah, it's a tough one.
19:51 <@petertodd> Double-spend fraud in the ledger is detectable enough, with a spent-UTXO accumulator.
19:51 <@gmaxwell> well what do we really need to prove: that the users balances sum to the deposits, right? What else for that application?
19:51 <@petertodd> Yes, I think that's the biggest one.
19:52 <@petertodd> The other thing is proving that the ledger isn't giving me my money back, although for now that doesn't need to be automatic.
19:53 <@gmaxwell> So, the bot publishes an anonymized list of accounts and their balances. And it publishes sigmessages showing it holds an equal amount of bitcoin. You can see your balance in the public list,
19:53 <@petertodd> Hmm... well if every transaction is in a chain, and updates a balance sum, that helps. At least all the transactions to and from the ledger can be easily audited. (to deposit the ledger would sign your deposit tx as well)
19:55 <@petertodd> Do we need balances, or scriptPubKey txout hashes?
19:55 <@petertodd> (with merkle summing)
19:55 <@gmaxwell> if your balance changes on you and you don't agree... you publish a "fuck you, bot stole my balance"--account key. which people hash to get the anonymized account key, and the bot publishes a list of all the txn to your account, and all withdraws should be signed by you.
19:56 <@gmaxwell> and if the bot can't produce a transaction log that matches the balance sheet, we know it robbed that person.
19:57 <@petertodd> That works easy enough.
19:57 <@gmaxwell> initial deposits into the system could basically be handled by the payment protocol type non-repudiation.
19:58 <@petertodd> So basically, the bot can't inflate the balance, provided that every user checks that their balance is shown in the public ledger.
19:58 <@petertodd> The ledger balance must match up to the on-chain balance.
19:58 <@gmaxwell> You go to deposit in, bot says "okay, I'll add 1 btc to account H(pubkey), iff you pay address 1unrelated" --bot  ... and if you don't get credited you can cry foul on that too.
19:59 <@petertodd> Yes, my fidelity-bonded ledger thing even had a special UTXO out query opcode for that, to use internally with the ledger.
19:59 <@gmaxwell> I don't think that on chain deposits would actually go in directly. Instead the system would be started off with one account: "bank" and a balance owned by the bank. Payments into the system would go into the bank owner's private wallet, and he'd move funds from the bank internal balance to the user mostly.
20:00 <@petertodd> OK, that's reasonable, and as you say, the deposit includes the promise to move the balance from the bank balance to your one.
20:00 <@gmaxwell> (of course the balance balance could be increased over time, but there wouldn't need to be a 1:1 match. This would also enable people to buy space in the bank using chaum tokens, mtgox codes, or whatever they want since deposit inside the bank and on the chain are decoupled)
20:01 <@gmaxwell> well whatever they want subject to how automated fraud handling should be.
20:01 <@petertodd> It's still very reliant on that public ledger of all balances, but seems doable.
20:01 <@gmaxwell> the public ledger would need to be delayed somewhat, I expect.
20:01 <@petertodd> For privacy?
20:01 <@petertodd> Delaying is fine provided it includes some type of hash linking back to your tx's.
20:02 <@petertodd> You want to be able to prove that a tx you performed should have been included in the master published ledger hash, but wasn't.
20:03 < ielo> hello helo
20:03 < ielo> ielo helo
20:05 <@amiller> i think this use of proving txs is only useful if there's something automated that happens
20:05 <@amiller> but this is a good reason to want the big bitcoin blockchain to be capable of metavalidation of other chains
20:05 <@amiller> because something like a doublespend in a minor chain can trigger an insurance payout in a larger chain
20:05 <@petertodd> amiller: This is the toy system - we'll implement automated proofs later.
20:06 <@petertodd> amiller: Basically this is Mt. Gox redeem codes + some auditing.
20:13 <@gmaxwell> petertodd: I guess the balance sheet really ought to be a Merkle-sum-tree.. this way they only publish the root, and only allow users to query their own balance.
20:14 <@gmaxwell> if the whole balance sheet is public you can grok out who's transacting with who by observing matching changes in balance.
20:14 <@gmaxwell> with a Merkle-sum-tree deanonymization requires the users to cooperate to deanonymize each other.
20:58 <@gmaxwell> I also have a related proposal, which needs a new transaction format, that I call checkpoint-transactions where users specify checkpoints in their transactions and the fees can only be recovered (completely?) in chains where the checkpoint matches.
20:58 < amiller> petertodd, fair enough but i think that's not interesting and/or not a reason to try to understand the behavior of optimal miners better
20:59 <@gmaxwell> amiller: I don't think your solution is stable. There will just be an incentive to reduce that fee via whatever other means are available. External fees, promoting locked/checkpointed txn, etc.
20:59 < amiller> so you are saying that i can do it cheaper
20:59 < amiller> by paying someone out of band
21:00 <@gmaxwell> I think so.
21:00 < petertodd> amiller: sure, and this is -wizards, but remember there is value in fixing the problem for 95% of the cases
21:00 < amiller> i don't see why that's any cheaper or more effective than broadcasting the remainder as a fee
21:01 <@gmaxwell> amiller: because unless the fee you take is zero there still exists some orphaning incentive.
21:01 <@gmaxwell> and unless the fee you give away is zero there is some incentive to take fee move to another way.
21:01 < amiller> i think the optimal amount to take is exactly the fair cost of the work
21:02 < amiller> like that would be an equilibrium point because anyone else would be indifferent to mine above or below you
21:02 < amiller> which would be good, like it would be good if such a stable equilibrium existed
21:02 <@gmaxwell> But I want moar. and I can get moar if I just arrange to pay in a way other than fees.
21:03 < amiller> what other ways are there and how do i include them in this model so i can argue about under what conditions they're cheaper
21:03 < amiller> pay per shares?
21:03 < amiller> i just claimed that the equilibrium is taking exactly the cost of the work
21:03 < amiller> meaning exactly the same as what it would take to purchase mining shares
21:04 < amiller> so those are the same equilibriums
21:04 <@gmaxwell> I'm not talking about purchasing mining shares.
21:04 <@gmaxwell> okay, we're not communicating and I have work to do.
21:06 < amiller> "you send me shares and I pay you with regular bitcoin transactions"
21:07 < amiller> that's why i assumed that's what you were talking about
21:10 <@gmaxwell> amiller: Ah, I see how I wasn't clear.  I mean that I pay you for proof that you're attempting to work on my transactions, I don't give a hoot for the rest of the block, I'm not paying you for that, just the fees for mine.
21:10 <@gmaxwell> I'm not running the mining infrastructure or anything else.
21:10 <@gmaxwell> you could do the same work and send proof to hundreds of parties.
21:13 < amiller> ok well i still don't see why that would be a cheaper way to get mining power to work on your transactions
21:13 < amiller> i have to afk a bit so i'll try to work out what you might mean and you can work :o
21:34 <@gmaxwell> amiller: it's cheaper simply because the parties you pay don't have to give any of it away to avoid the risk of being orphaned to steal it.
22:31 < amiller> ah ok so yeah my premise that this begins with someone paying extraordinary fees is silly because there's no good reason for anyone to pay such a fee
22:33 < petertodd> amiller: fidelity bonds
22:33 < amiller> oh yeah hm
22:33 < petertodd> amiller: although if the fidelity bond fee is high enough to create weird incentives, it's not working correctly
22:34 < amiller> if there was a time that there were more rational miners that were prepared to take advantage of opportunities like that
22:34 <@gmaxwell> you can make the fidelity bond into a transaction chain easily enough.
22:34 < amiller> then i think it would be better to remove the coinbase maturity limit
22:34 < amiller> i think i don't understand what it's there for anyway
22:35 < petertodd> gmaxwell: yeah, my protocol is designed to make that easy
22:35 <@gmaxwell> It prevents a reorg for making honest people into thieves.
22:35 < petertodd> gmaxwell: in part for that reason
22:36 < petertodd> yup, like imagine no maturity, someone spreads a coinbase tx to hundreds of people, and then it gets reorged
22:36 < petertodd> even on a technical level that's ugly
22:36 <@gmaxwell> It also reduces the boom-and-bust incentive where you get a bunch of hashpower to majority attack the chain for a bit then quickly sell the coin before anyone notices you've been attacking. Though I think this is just a side benefit.
22:37 < amiller> i don't see how that is unique to coinbase as opposed to any other transaction
22:37 < petertodd> amiller: any other transaction can be put in another block
22:38 < petertodd> (modulo tx mutability)
22:40 < amiller> i see, so it's like a double spend, except a) it's easier to pull off because it will definitely work because it can't be spent in another block (that's the important part) and b) the attacker doesn't get his coins back
22:41 < amiller> that doesn't seem compelling to me because it's still caveat emptor as far as waiting for 6 blocks before believing you own the coin
22:41 < petertodd> yeah, that's one way of looking at it. I mean the main thing is just that it creates horridly ugly accounting problems
22:41 < petertodd> I doubt satoshi thought too hard about nash equilibriums for weirdly high fees - heck, I found an email from him dated nov 2008 where he wasn't even sure if bitcoin would have tx fees at all
22:42 < amiller> (tbh it's not really that i'm so concerned with high tx fees but i'm trying to get a good grasp of this and it's a toehold, and i have so few others!)
22:43 < petertodd> it'd be good to understand it better before people start making crazy fidelity bond sacrifices...
22:48 < amiller> it's possible that a weird high-tx fee attempt could make a double-spend attack cheaper
22:49 < amiller> my new fantasy prediction is that a stylized "rational mining pool" will eventually become predominant and shortly nearly everyone else will follow
22:50 < amiller> you know, that and the 'auto-double spend' feature gets built into every client so that in the case of a huge fork, no one wants to be the guy with the hot potato that gives up a windfall to the scumbag after you who has it enabled
22:51 < petertodd> heh, you'd like my mempool rewrite...
22:52 < amiller> i'm afraid i'm going to dislike it only because it will make this network-mapping project i'm about to try not work so well
22:52 < petertodd> lol, what's this project?
22:52 < amiller> i want to probe the network to see which peers are actually connected with sockets
22:52 < amiller> the simple case is i want to see if node A and node B share a connection
22:53 < petertodd> ah, I better develop some alt-p2p info distribution systems quick...
22:53 < amiller> i create two conflicting txs Tx0 and Tx1, I send Tx0 to both A and B, and simultaneously send Tx1 to everyone else i can connect to
22:53 < petertodd> interesting
22:53 < amiller> now A and B are logically isolated from everyone else
22:53 < amiller> I can send Tx0' to A and see if B relays it
22:53 < amiller> if so, i know they're connected, or at most they're connected via a dark pool dude
22:54 < amiller> because no one else will relay Tx0' because it conflicts with Tx0
22:54 < amiller> this can be improved in pretty straightforward ways to do a lot of mapping in fewer passes
22:54 < petertodd> and you can use that to trace back connections to individual mining pool nodes
22:54 < amiller> it breaks if people relay conflicting transactions or use different rules for mempool
22:55 < petertodd> yeah, replace-by-fee isn't a problem, but the totally different mempool behavior could be
22:55 < petertodd> still, just pay a reasonably high fee to get high priority, and make the profitability equal for both txs
22:55 < amiller> yeah
22:55 < amiller> well lmk if you start to propose something that would break this
22:56 < amiller> because i think it's probably better for everyone if they obscure their connections but it would defeat my attempt at glory
22:56 < amiller> also petertodd tell me what you think of this
22:56 < amiller> a major thing that is lacking is the ability to get realtime measurements of mining power
22:56 < amiller> this would be solved if mining pools would release some of their shares, as realtime streams of proof of work
22:56 < petertodd> heh, I think you are a bad person, incapable of love, for trying to defeat anonymity, but at the same time, I'd much, much rather see you do it, so you should do this
22:57 < petertodd> well, just ask them nicely...
22:57 < amiller> well asking them is one thing
22:57 < amiller> but i'd rather everyone demand it because they acknowledge its better for the network to do so
22:57 < amiller> anyone who's doing mining should be able to produce concise summaries of their work
22:57 < amiller> just a sample of their shares, like their nearest misses
22:58 < amiller> i could measure p2pool this way of course
22:58 < amiller> but "ethical" pools like slush or btcguild or whatever should adopt this too because it would make it easier to respond to changes
22:58 < amiller> for example during the 0.7/0.8 fork it would make it easier/quicker to estimate just how much of the hashpower has switched behaviors or something
22:58 < petertodd> sounds like central authority...
22:59 < amiller> no it's inherently distributed
22:59 < petertodd> if you need that information, I think it'd be better to ask how can you *not* need it
22:59 < amiller> do you grok what i mean by concise samples of proof of work
22:59 < amiller> oh i see what you mean
23:00 < amiller> the realtime information could be used to amplify movements like that?
23:00 < petertodd> see, I think we're better off accepting that in the short term mining is this crazy random process, and you just have to wait until consensus emerges
17:46 < amiller> let's keep considering the worst case where i am the only one using this trade path and so i have to pay for the entire validation
17:47 < gmaxwell> that in and of itself is a residual hold up risk.
17:48 < gmaxwell> e.g. I can at least extort the value of that refund minus epsilon assuming the non-iterated interaction.
17:48 < amiller> let's decide we figure out what that price will be and set an appropriate length of time
17:48 < gmaxwell> I'm not sure how much of a real risk holdup actually is.
17:48 < amiller> does this solve the race condition
17:48 < amiller> i still can't put my finger on how to state this
17:48 < gmaxwell> The interesting thing is that it's always been possible to do secure-except-holdup cross chain transactions and no one is doing it.
17:49 < gmaxwell> But you can't say that holdup is some enormous scare factor because plenty of people do totally insecure cross chain trades.
17:49 < gmaxwell> I have a feeling that holdup isn't actually a big problem. It's a problem but you could just add a little bit of reputation or identity and basically eliminate it.
17:50 < petertodd> All the evidence that the holdup happened can be right in the blockchain making the reuse problem fidelity bonds face much easier to solve.
17:50 < gmaxwell> (or at least reduce it to the point where that kind of solution is cheaper even considering the weighed failures than the infrastructure required and the direct costs for your proof-refund txns)
17:51 < amiller> i'm aiming bigger, if this is solvable then it's useful for local rather than global chains
17:51 < gmaxwell> petertodd: right, you can even say a foo-bond can only be used for one txout at a time.
17:52 < petertodd> gmaxwell: exactly
17:52 < gmaxwell> amiller: I realize this, as a fundamental way of making things scale better.  ... making the global chain a metachain that validates cross chain transactions, effectively. In which case it's reasonable for the local chains to all watch the global chain but not vice versa.
17:52 < amiller> right
17:52 < amiller> yeah... well put
17:53 < petertodd> worst comes to worst, use the global chain for consensus on the fidelity bonds
17:54 < petertodd> And the existence of a global chain can be used directly for your proof-of-work algorithm via proof-of-sacrifice.
17:57 < amiller> ok so along the way, at the very least we've talked just now about a new result for SPV verification
17:57 < amiller> you can sample work and show that a coin *is still available/unspent* without even having to validate all the headers
17:58 < petertodd> ? I missed how that works
17:58 < amiller> petertodd, do you know the work-sampling idea
17:59 < petertodd> amiller: no
18:00 < amiller> petertodd,
18:00 < amiller> if you have some big collection of blocks, and you want to estimate the total amount of proof-of-work used to create them all, you can do that just by sampling a really small number of them
18:01 < amiller> if there are a million blocks with at least two zeros 00xxxxx
18:01 < petertodd> right, seems obvious enough
18:02 < amiller> then there are probably at least a hundred blocks with several more zeros 00000xxx
18:02 < gmaxwell> amiller: works for large numbers, not so much for small numbers though.. and that doesn't prove they're connected, unless the structure is changed to link along the hash highway.
18:03 < amiller> the structure can be changed pretty efficiently to have a sort of skip-list like thing to make it easier to produce that sample
18:03 < amiller> for spv it's not necessary to prove they're connected, you just have to prove they all don't disagree
18:04 < petertodd> amiller: merkle mountain range:
18:04 < petertodd> how are you going to show they don't disagree?
18:04 < gmaxwell> I'm not actually sure if that's better for proving header difficulty than a straight non-interactive cut and choose. The latter is easier to put proofs in just some blocks.
18:05 < amiller> petertodd, by showing that each member of the sample commits to a utxo and that each utxo still has the transaction in it i want to prove still exists
18:05 < gmaxwell> petertodd: you repeat the proof for each block e.g. it's unspent here and here and here and here. you don't need to show they're connected.
18:05 < gmaxwell> big proof though.
18:06 < amiller> gmaxwell, i think you might be right about cut and choose working just as well
18:07 < amiller> in any case it's basically just possible to do this
18:09 < petertodd> amiller: Why not just do a binary search?
18:10 < petertodd> amiller: Oh wait, I'm dumb...
18:11 < gmaxwell> it's kinda sad no one has proposed a non-interactive cut and choose to faster bootstrap spv.
18:11 < amiller> i guess i still don't know how to efficiently prove that it wasn't spent in the last 10 blocks, because you can fake that work easier
18:11 < petertodd> Well, SPV bootstraps pretty fast anyway...
18:11 < amiller> i think i worked out that you could sample work more finely towards the front and get some benefit
18:12 < petertodd> amiller: Proving a coin wasn't spent recently is always going to be insecure - you only have a recent mined block as witness.
18:12 < gmaxwell> petertodd: they're distributing "checkpoints" with SPV clients now to make them bootstrap fast. :(
18:13 < petertodd> amiller: I mentioned to TD earlier today the idea of miners committing to a merkle tree of txids in their mempool, just to prove visibility, you could use that if the commitment included txins being spent.
18:13 < gmaxwell> (though their checkpoints aren't the same kind of thing the reference client has at least in bitcoinj based stuff they're a "if you can connect back at least this far, the sum of the rest of the diff is Y", as far as I understand it)
18:14 < petertodd> gmaxwell: What? True, I guess on a cellphone ~100MB adds up or whatever it is...
18:14 < gmaxwell> well it's 20mbytes right now.
18:14 < gmaxwell> but the fetching isn't very efficient.
18:14 < gmaxwell> e.g. not pipelined.
18:15 < petertodd> gmaxwell: What do you mean by pipelined? You just mean we can't ask for more than one block header at a time?
18:17 < gmaxwell> I thought they did scalar fetching instead of pipelining, but I might be incorrect. I'm going by what I've seen from logged getheaders but perhaps I'm just missing them setting the count to >1.
18:17 < gmaxwell> Otherwise I don't really understand the reason for the optimization.
18:18 < petertodd> gah, power's out, wonder how long the UPSs at work last...
18:18 < petertodd> gmaxwell: TD's NSA handlers?
18:19 < petertodd> I guess you should be able to set your bloom filter to match nothing, then ask for sequences of blocks, and get just the headers pipelined
18:22 < gmaxwell> petertodd: I mean, getheaders works just like getblocks and should be able to pipeline.
18:23 < gmaxwell> I just didn't think it was being used that way; but it's likely that I'm stupid
19:32 < amiller> so this should also work with other-than-proof of work
19:33 < amiller> suppose there are just two separately-trusted serializer entities like opentransaction servers or quorum or whatever
19:36 < amiller> eh i'll finish that thought later
--- Log closed Tue Jul 09 00:00:22 2013
--- Log opened Tue Jul 09 00:00:22 2013
10:48 < petertodd> gmaxwell, amiller: power's back - Toronto just broke the record for most rain in a single day in history, 126mm, vs. the previous of 121mm during Hurricane Hazel in the 50's... the creek behind my apartment rose about 15ft, although fortunately the engineering is pretty good and houses are set back enough that other than a flooded school it was just some basements here and there flooded.
10:53 < amiller> ahh... hopefully your basement wasn't affected!
10:53 < amiller> according to my logs you did not miss any conversation :)
10:54 < petertodd> I'm on the twelfth floor :)
10:54 < petertodd> though my legs are killing me... the backup power for the elevators and lights died, and I spent a few hours helping people up to their apartments who didn't have lights...
11:16 < gmaxwell> 'here is a flashlight, drop it down the garbage chute when you make it'
12:38 < petertodd> gmaxwell: clever
15:08 < gmaxwell> petertodd: have you pondered the implications of replacing chaum tokens in a chaumian bank with zerocoin?  I think it lets you make the signing oracle memoryless (well, enough to verify ZC proofs).
15:09 < petertodd> gmaxwell: That's a good idea actually
15:10 < petertodd> gmaxwell: Although right now I'm convinced the right way to go is with a proof-of-sacrifice blockchain.
15:10 < gmaxwell> Further reducing the scale of the part that has to be trustworthy and resistant to regulator weirdness.  Also, if we had a more scalable group signature scheme, the bank could be pretty massively distributed.
15:11 < petertodd> gmaxwell: Auditing the signing oracle would be really easy too.
15:12 < petertodd> gmaxwell: Oh hang on though, you still need consensus about the state of the zerocoin accumulator, so it's not memoryless
15:12 < gmaxwell> petertodd: no you don't.
15:12 < petertodd> How does that work?
15:12 < gmaxwell> it signs the last proof it saw.
15:13 < gmaxwell> and then you just present that proof with your next update.
15:13 < gmaxwell> same way a storageless full miner could still add transactions with the help of a client that has the utxo.
15:13 < petertodd> Yes, but it needs to know the height of the last proof signed. That's not totally memoryless
15:14 < gmaxwell> Fair point. In the case where it's not distributed it still reduces it to a counter.
15:14  * jgarzik listens -- this might have application on my idea for a network of bots that enable off-chain transactions, with some level of prove-they-are-not-cheating
05:17 < gmaxwell> jtimon: well not quite because there is no perfect competition, so everyone with friction along that path are taking their tax.
05:17 < deantrade> Well, if the coins weren't spent for 100 years, then the market probably already adjusted to the lower effective money supply, then like if the original miners who forgot/lost their private keys all get their coins thrown out, people will then know for sure the money supply actually is smaller.
05:18 < jtimon> think about paper wallets, physical representations of bitcoin...
05:18 < jtimon> gmaxwell there is perfect competition in theory
05:19 < jtimon> and bitcoin's "demand for security" is extremely elastic
05:20 < gmaxwell> security is basically a perfect lemon market. You only need any at all except in hindsight.
05:20 < deantrade> jtimon: on that note, I was thinking that eventually people will make altcoins with all sorts of different fixed inflation rates (fixed per ledger), and then let the market decide which inflation rate they want to use.
05:22 < deantrade> I wish bitcoin didn't have such drastic changes in block reward...  50 25 12.5...  it's a big deal when transaction fees are significantly less than inflation block reward
05:23 < deantrade> I mean to say, it shoulda been made more continual, no?
05:23 < gmaxwell> seemed to work out okay in practice.
05:24 < gmaxwell> piecewise constant has certain planning and accounting advantages.
05:24 < deantrade> In practice it didn't really matter too much to the miners. But when the next transition hits, miners will have to do lots of planning yea on what kind of hardware they want to buy and run.
05:24 < jtimon> in freicoin it decreases linearly
05:25 < jtimon> gmaxwell some have said that the first reward halving caused the following "bubble"
05:25 < deantrade> In just one block the reward for mining is going to half when it had been the same for 4 years, that is going to have a big effect on network hash rate when it happens
05:25 < jtimon> deantrade not necessarily, it can also affect prices, or both or a combination
05:26 < gmaxwell> jtimon: the following bubble was pretty long after (three months?)
05:26 < gmaxwell> jtimon: if so, uh. well I am not complaining.
05:26 < deantrade> jtimon: No, I don't think so.  Bitcoin is valuable because it is better than other currencies/money/banking systems.
05:26 < deantrade> Maybe bitcoin's halving just brought lots of media attention and more confidence to the system because it was maturing.
05:27 < jtimon> I think it was Impaler who speculated that that was the time it took for the markets to "feel the lack of new bitcoins coming"
05:27 < jtimon> according to him, miners speculated as much as they could but then they had to sell some part to pay the bills
05:28 < jtimon> I think linear would have been better but I don't think it is a big deal really
05:29 < deantrade> Linear?  I'm not sure what you mean.  Do you mean a more continual reward reduction rather than one step every 4 years?
05:29 < gmaxwell> jtimon: I'm skeptical, market volume was a pretty big multiple of the newly mined coins by then (oddly it seems lower now) but I guess it's unknowable.
05:30 < jtimon> deantrade yes, in frc it is reduced every block until it is not reduced anymore
05:30 < gmaxwell> the biggest argument against the half operation that I have is that it creates a pretty big incentive to orphan the last block!
05:31 < gmaxwell> but arguably a continuous formula makes for a much smaller incentive to do that constantly instead of only a couple times in the system's life.
05:31 < jtimon> gmaxwell yeah I don't know, Impaler or galambo (I think was Impaler) made some numbers I think, but I agree it is probably unknowable
05:32 < jtimon> never thought about it that way
05:32 < gmaxwell> jtimon: it's also hard to sort out because we actually changed who was mining at that time.
05:33 < gmaxwell> When the 50->25 change happened I was watching eagerly to see if we'd get stuck warring for the last 50 btc block. :P
05:33 < jtimon> I have no idea, but it was an interesting hypothesis
05:33 < gmaxwell> certainly we had miners which were large enough to where doing so would have been rational.
05:33 < deantrade> I was just looking at the FAQ on freicoin.  I disagree with a lot of what the author has to say, his philosophy.  It flies in the face of Austrian Economics.
05:33 < jtimon> yeah, we have to rewrite those faqs to something more neutral
05:34 < jtimon> r000n wrote those faqs
05:34 < deantrade> For example: "But money is created by the government, isn't it?"  You say the government doesn't make the money, but that's not quite right.
05:34 < jtimon> I wrote ones before but then they were assimilated into the about page...
05:34 < deantrade> The Federal Government's Military and Citizen Police enforce the US's monopoly on money in the US and in international trade
05:34 < jtimon> it's not very well expressed
05:35 < jtimon> but commercial banks create most of the money, even if the state enforced that privilege
05:35 < deantrade> In exchange, the Federal Reserve prints them lots of money for their protection racket.
05:35 < deantrade> Yea, I agree, the commercial banks also with their FDIC default protection get to print lots of money for themselves too
05:36 < jtimon> the treasury could print the money directly without needing to "exchange" anything with the fed
05:36 < deantrade> Yea but that would be less confusing, and they like to keep the sheeple confused
05:36 < jtimon> that's what "greenbackers", positive money and other monetary reformists propose
05:37 < jtimon> what backs paper money is the state and its promise to tax you on that currency
05:37 < deantrade> Anyways, yea the government is the enforcer of the monopoly money, the gov steals from gold backed private banks (NORFED/egold/1933)
05:37 < jtimon> not anything in the feds balance sheet
05:38 < deantrade> No, what backs paper money is that using paper money and banks increases our productivity via productivity gains in specialization and trade
05:38 < jtimon> that's what back all money, but yes, true
05:38 < deantrade> It's just that there is a monopoly enforcement on USD, so we have to use USD to get those productivity gains
05:39 < jtimon> what i mean is that state money (like any other money) doesn't need any backing
05:40 < jtimon> and the government could take all the seigniorage for itself instead of giving it to the banking cartel
05:40 < deantrade> I agree, only for money to have reliable limited supply and for it to be easily/most efficient in trading is what makes money valuable as money
05:40 < jtimon> it doesn't even need to impose a monopoly
05:41 < deantrade> Hm, but the banking cartel is kind of like the smart people, and the government is just pandering politicians who do what the cartel wants.
05:42 < jtimon> yeah, the politicians don't rule
05:43 < deantrade> Freicoin says that the underlying cause of the boom/bust cycle is the entrenchment of the financial elite...  so it then concludes that for people to be able to own durable valuable things for a long time is bad.
05:43 < deantrade> That is invalid.
05:43 < deantrade> The boom/bust cycle is caused by monopoly money enforcement + money supply manipulation.
05:45 < jtimon> no, what causes monetary cycles is nominally everlasting money's incapability of producing zero interest rates when real capital yields naturally drop that low
05:45 < jtimon> keynes didn't solve the problem, but the problem is older than him
05:45 < jtimon> there were monetary cycles with gold
05:46 < jtimon> we really need to correct the fact, thank you for pointing that out
05:47 < deantrade> "There was monetary cycles with gold"-> not so much when there were private banks, there were local and chain defaults, and booms from bankers increasing their reserve ratios... but nothing like what the Federal Reserve can do.
05:47 < jtimon> probably you learn more about free-money by reading directly from Gesell
05:48 < jtimon> well, I'm not a historian
05:49 < jtimon> but when do you say monetary cycles started?
05:50 < jtimon> Gesell predicted hyperinflation as the unavoidable end of keynes-like schemes, yet was strongly against gold and blamed it for cycles
05:50 < deantrade> "money's incapability of producing zero interest rates when real capital yields drop that low"-> uh... in the free market... every durable good has an interest rate that directly corresponds to how much value over time it brings to the market owners as demand and people's strength of desire to own something now rather than later.
05:51 < deantrade> Monetary cycles start when banks loan out at higher rates than they can afford to stay in business without defaulting.
05:51 < deantrade> When banks loan more out (higher reserve ratios) (lower interest rates)
05:52 < jtimon> deantrade so called "time preference" theory of interest is based on the fallacy that everybody prefers things in the present over things in the future
05:52 < jtimon> just because everybody prefers dollars and gold in the present than in the future
05:53 < deantrade> If people don't care when they have something then interest rates go lower. That doesn't make it invalid/fallacy, you are just confirming what I am saying.
05:53 < jtimon> interest rates, like any other price, depend on supply and demand
05:54 < deantrade> But if people want things more right away then interest rates go up.
05:54 < jtimon> capital yields are profits, and depend on competition, not in the intrinsic properties of the real capital
05:54 < jtimon> the more factories there are, the less each one of them yields
05:54 < deantrade> Agreed on last 2 statements.
05:55 < jtimon> and if people prefer things in the future they go negative? that can't happen with gold, usd or btc
05:55 < jtimon> money DOES HAVE an effect on people's time preference, more than the other way around
05:56 < petertodd> well, maybe not ok as it might make mapping inter-network connections easier...
05:58 <@gmaxwell> hm. making a blind SIN into a rate limit is a little tricky. "This message is signed by key(s) from the SIN SET, with at least X btc in value" isn't enough, since it's not a rate. (e.g. you can keep doing it)
05:59 < petertodd> can't the blinding be deterministic? IE it maps to one and only one sacrifice from the set of all prior sacrifices
06:00 <@gmaxwell> You need an additional "Random ID X is the hash of a deterministic signature of time T, by key(s) from the SIN SET, with at least X btc in value." term.
06:00 < petertodd> yeah
06:00 <@gmaxwell> where time is quantized to get you your rate limit.
06:01 <@gmaxwell> (perhaps just divided by the value times some rate control factor set by the system)
06:01 < CodeShark> sorry for interrupting but what's a sacrifice?
06:01 <@gmaxwell> CodeShark: e.g.
06:02 < petertodd> CodeShark: underlyng mechanism:
06:02 < CodeShark> oh, that :)
06:02 <@gmaxwell> yea, perhaps a better page.
06:02 < petertodd> gmaxwell: I need to do a specific "proof-of-sacrifice" page
06:02 <@gmaxwell> doesn't have to be coins to fees, could just be coins parked in the UTXO set or something else... but coins in the utxo set can keep moving, which makes sacrifice better.
06:06 <@gmaxwell> sadly even the fastest ZKP system would still effectively be a POW ratelimit right now. :P
06:06 < CodeShark> by "parked" you mean something like a reverse timelock?
06:07 < CodeShark> "coins cannot be spent until after block X"
06:07 < petertodd> gmaxwell: lol
06:07 < petertodd> CodeShark: that's not yet possible to do in bitcoin
06:07 < CodeShark> petertodd: I know - but in principle it could be done
06:08 < petertodd> gmaxwell: coins in the UTXO set do have the disadvantage of making attacks cheaper, kinda like merge-mining
06:08 < CodeShark> this is wizards, after all :)
06:08 <@gmaxwell> CodeShark: by parked I just mean, e.g. coins that were sitting in place as of time X. ... perhaps moved right after.
06:08 < petertodd> CodeShark: true!
06:09 <@gmaxwell> e.g. at the first block after midnight every night (by the blockchain timestamps) becomes the parking-block-height. If we had some kind of utxo commitment you'd just prove your had coins as of the most recent parking height... and that gives you bitmessage bandwidth.
06:10 <@gmaxwell> so long as the snapshot is atomic there is no double dipping.
06:11 <@gmaxwell> and as PT pointed out before the utxo commitment doesn't even need to be in bitcoin itself, it could just be computed by bitmessage nodes. (though theyd have to have the full utxo set to do it)
06:11 <@gmaxwell> probably sins are better though, since they're more easily found, etc.
06:14 < petertodd> gmaxwell: I'm very skeptical of systems that allow for re-use across different applications - UTXO-based stuff falls into that category
06:14 < petertodd> gmaxwell: thre is the disadvantage of a smaller anonymity set though
06:15 <@gmaxwell> yea, using the whole utxo set has the biggest anonymity set.
06:16 < petertodd> oh, speaking of, so I came up with a nice scheme for non-interactive stealth addresses
06:17 < petertodd> your anonymity set is some configurable subset of all transactions
06:17 <@gmaxwell> whats a stealth address?
06:18 < petertodd> just have the receiver publish a pubkey, and the sender does ECDH with the pubkey of one of the inputs to derive shared secret x, which is then used to derive a destination address from the receivers pubkey
06:18 < petertodd> the receiver now scans the whole blockchain looking for funds it can spend. To make it more efficient, just use some mechanism so that scan only has to happen for a subset of all transactions, e.g. by forcing one of the addresses in the transaction to have some specific prefix
06:19 < petertodd> stealth address being a publicly known address where funds sent to it are not known publicly
06:19 <@gmaxwell> yea, bytecoin suggested something like that a long time ago!
06:19 < petertodd> nice!
06:19 <@gmaxwell> (he also described how to send an undetectable encrypted message inside it!)
06:20 < petertodd> ha, I was just re-reading that post...
06:20 < petertodd> obviously not very well :P
06:20 < petertodd> or maybe well enough!
06:20 < petertodd> anyway it's a pretty decent solution to something amir and co have been worried about for awhile
06:20 <@gmaxwell> yea, in any case, yea .. it's just computationally expensive for the receiver...
06:21 <@gmaxwell> and I don't really know that payments with one way communication are really all that interesting.
06:21 < petertodd> not a big deal - so is bitmessage which was (one of) his alternatives
06:21 <@gmaxwell> maybe they are. I dunno.
06:21 <@gmaxwell> perhaps there should be an address type defined for "donation addresses" which are just that.
06:22 < petertodd> I suspect that making stealth addresses well-supported would in practice get rid of a lot of address re-use due to UI constraints
06:22 <@gmaxwell> as far as your "analysis bait"  I suggest using R as a sidechannel.
06:22 <@gmaxwell> yea, I agree, you win. it's an awesome point.
06:22 < petertodd> if we can tell people the "address" for their wallet is some stealth address, I think we'd have a decent UI that people would actually use correctly
06:23 <@gmaxwell> it's one of the few cases we've had where address reuse is hard to eliminate, and the cost on the receiver is not so high... plus if they're special donation addresses the fact that it's receiver expensive isn't so bad.
06:23 < petertodd> well, it needs to be a distinguisher that prefix-filtering can identify (annoyingly bloom filtering can't pull this off without making the transactions distinguishable)
06:24 < petertodd> and the great thing with prefix-filtering is that stealth addresses done that way are no more bandwidth intensive than the alternative
06:24 <@gmaxwell> well it could have its own filtering.
06:24 <@gmaxwell> e.g. some servers that tell you about all transactions meeting some criteria.
06:25 < petertodd> yeah, although we're not likely to do mined commitments to those lists which kinda sucks
06:25 < petertodd> we're very likely to do prefix-filtering compatible commits
06:25 < petertodd> *commitments
06:27 < CodeShark> I'd love to see a CAS which compensates you for providing resources to the network for all these kinds of things
06:28 <@gmaxwell> petertodd: so.. downsides, an arbitrary point multiply is a fair bit more expensive than multiplies with a generator. and you now have to keep a secret key online in order to tell which txn are paying you.
06:28 < petertodd> the hard part is figuring out how to force the dest address into the right format, if you have txin pubkey A and receiver pubkey B you get a fixed B', now you can brute force with some incrementing integer i, but that ups the computational effort for the receiver proportionally
06:29 < petertodd> gmaxwell: the secret key doesn't need to be the same secret as unlocks the funds though
06:29 < petertodd> gmaxwell: doubles the size of the address though
06:29 < petertodd> (which is already larger than usual)
06:30 <@gmaxwell> petertodd: I think it's okay if the address is kinda big. After all it has to be big just to have a pubkey.
06:30 < CodeShark> what does UI simplicity have to do with underlying protocols? when you connect to an ssl site, there's a whole handshake mechanism going on under the hood most users don't ever notice
06:30 < petertodd> gmaxwell: yup
06:30 <@gmaxwell> CodeShark: Reality.
06:30 < petertodd> CodeShark: it matters a lot because people like to pass around addresses in things like PGP-signed emails
06:30 <@gmaxwell> CodeShark: go solve address reuse for things like donation addresses that people slap on forum signatures. :)
06:30 < petertodd> CodeShark: requiring payment protocol for that stuff really sucks
06:32 < CodeShark> ok, granted, that is a reasonable use case
06:33 < petertodd> gmaxwell: a cheap trick would be to fail a bit on absolute indistinguishability and reuse, say, nSequence for the prefix-forcing integer
06:34 < petertodd> gmaxwell: you could even use the nonce on the signature, but that breaks determinism...
06:34 <@gmaxwell> petertodd: I don't know why you didn't like my R grinding. :P
06:34 <@gmaxwell> oh thats why
06:34 < petertodd> gmaxwell: yeah, this should be compatible with as many wallets as possible
06:36 <@gmaxwell> meh, if you don't require any obvious 'bait' then its easy.
06:37 < petertodd> what do you mean by that?
06:42 <@gmaxwell> I mean the tricky part is adding something distinguishable to the transaction.
06:42 < petertodd> oh right
06:42 < petertodd> well
06:42 <@gmaxwell> should just benchmark and see how expensive it is to do ecdh with every txn in the blockchain.
06:42 < petertodd> yeah
06:43 < petertodd> can't be much different than syncing the blockchain on a full node...
06:45 < petertodd> with the two key version you can outsource the computational work too - the risk is only that the counterparty could deanonymize you, something, say, electrum servers already can do
06:46 <@gmaxwell> yep.
10:43 < HM2>
10:43 < HM2> can't believe i missed this over the last week
10:50 < adam3us> btw the card thing P(52,26) is conveniently > 2^128.  course then you have to keep them from getting accidentally shuffled
10:58 < adam3us> vaguely related to the idea to use shuffled subset of plastic bitcoin cards to avoid trust in printer pay to address created by adding Q values off half of them, use the other half to check the private key is under the sticker
13:37 < gmaxwell> Sadly that doesn't prevent bitcoin from committing suicide, but at least it would be with the consent of people that own a bunch of it.
13:37 < petertodd> Yup. I'm happy if Bitcoin is destroyed with the concent of those holding Bitcoins myself.
13:37 < petertodd> *consent
13:38 < petertodd> From a practical perspective, it also takes a lot of politics out of the situation IMO.
13:39 < gmaxwell> Well, to be clear: it's some kind of 'majority' consent... which means that some people holding bitcoin will not consent to the suicide.  But the alternatives sound worse.
13:39 < gmaxwell> (e.g. alternatives being technical guy political tournaments and fork-risking-wars over client software)
13:40 < gmaxwell> I think ideally would have been to establish bitcoin with initial parameters that could be kept forever.
13:40 < gmaxwell> But since that seems to be impossible, having an economic majority seems like the next best thing.
13:41 < petertodd> Yup, see Peter Vessenes comments about how much a fork would harm bitcoin:
13:42 < petertodd> In a sense the presence of alt-coins makes it always be an economic majority thing, but the process of people dumping bitcoin for another coin will be really ugly.
13:42 < petertodd> Much better if we come to consensus on an equitable process to choose the limit.
13:43 < petertodd> It'll still lead to PR campaigns and the like of course, but those efforts become less relevant to the dev team.
13:45 < petertodd> The voting method is also designed such that an SPV client can verify the vote, and in particular, that means even if you don't hold the coins directly you can verify the person you did voted according to your wishes. (or the majority of a banks clients wishes for instance)
13:46 < gmaxwell> petertodd: can it support key delegation? in particular I should be able to take my coin signing keys offline.
13:46 < realzies> so imma start up an llvm backend project, and see where I can go
13:46 < realzies> I've never dealt with LLVM backend api, so its gonna be a learning experience
13:46 < petertodd> gmaxwell: With scripting support, yes.
13:46 < realzies> but first, breakfast
13:47 < petertodd> gmaxwell: The idea is a vote is considered valid if a scriptSig matches a txout scriptPubKey, so just add a special OP_VOTE thing - would work best with MAST support.
13:47 < gmaxwell> wow, you seem to have politically influenced vessenes.
13:48 < petertodd> Well, jdillon too.
13:49 < gmaxwell> One problem with the vote thing I expect is there is an uncountably infinite number of free parameters.
13:49 < gmaxwell> e.g. how fast can the parameters be changed, what are the maximums and minimums.
13:49 < petertodd> For sure, such votes can be extended to anything...
13:50 < petertodd> You could just as easily vote on the coin distribution schedule.
13:50 < gmaxwell> Yes, _HOWEVER_, as I said above the ideal is that we have something and that it never changes, let people switch currencies if we got it that wrong.
13:50 < petertodd> But then again, changing the blocksize is setting precedent that we're willing to change an economic parameter too.
13:51 < gmaxwell> But well, that doesn't work when basically everyone can agree that the parameter is probably not right at least not right forever.
13:51 < gmaxwell> I think we can all agree that the distribution schedule is right enough forever.
13:51 < petertodd> Yeah, well, something I realized recently was you can construct a PoW function for an alt-coin that forces miners to prove they've attacked Bitcoin.
13:51 < gmaxwell> And changing it against the consent of some would be no better than letting people change currencies on their own.
13:52 < gmaxwell> petertodd: oh sure, trivial to do. merge mine with bitcoin and constrain it to only be 'bad blocks'.
13:52 < petertodd> Yeah, anyway, if there *was* a strong movement to change the distribution schedule, well, it'd be better to do it with a vote than by fiat.
13:53 < gmaxwell> Whereas with blocksize, I do think that changing it with the consent of most but not all is actually still politically and morally superior to saying "fuck you, switch to fatcoin".
13:53 < petertodd> gmaxwell: Yup, and make those bad blocks empty aside from a bunch of UTXO spam...
13:53 < petertodd> Yeah, and what jdillon proposed was to calculate the median of the votes, which means that everyones vote did count.
13:55 < gmaxwell> I'll have to look at the details later, I'm still getting myself comfortable with making the blocksize controlled that way.
13:55 < petertodd> Yeah, and details matter - I don't think you can prove a median was calculated accurately without all votes for instance.
13:56 < gmaxwell> I suppose you could gain traction for a particular implementation by proposing them and externally to the blockchain gain POS signmessages.
13:56 < petertodd> Ha, yeah for sure.
13:56 < gmaxwell> petertodd: yes, I would have instead expected something where each block commits to a set of votes, and the block hash picks a representative vote.
13:56 < petertodd> gmaxwell: Yup, NIZK-style random vote.
13:57 < petertodd> gmaxwell: He did say that the per-block vote should be median, and to then take the mean of the blocks - that can be proved incrementally.
13:58 < gmaxwell> one problem with voting is that many voters will be pretty indifferent. It will be easy to buy their votes.
13:58 < petertodd> Oh, and the nonce for the NIZK proof should probably be taken by getting the LSB of the last 64 blocks...
13:59 < gmaxwell> does that matter?
13:59 < petertodd> Sure, but it's ultimately an economic power vote anyway - what I'd be more worried about is wallet software that votes behind users backs.
13:59 < gmaxwell> If the current block goes into the proof, which it must.. then you could search for your favorite vote.
13:59 < petertodd> Yes, because you want to make sure that you can't apply more hashing power to mess with the vote.
13:59 < gmaxwell> petertodd: yea, except you don't solve that.
14:00 < gmaxwell> e.g. H(last block .. this block) is no better than H(this block) for picking the resulting value.
14:00 < petertodd> Sure I do, if the LSB of the current vote only allows you to influence the path taken at the bottom of the tree, then you have the least possible control. (if the bottom is sorted)
14:01 < gmaxwell> then you can deny entry into the tree for selected votes to get two votes you like into the position decided by that bit.
14:01 < gmaxwell> and then you get complete selection with only 1 bit more work.
14:01 < petertodd> Right, but the miner choses what votes to include in the first palce.
14:01 < petertodd> *place
14:02 < gmaxwell> I'll have to go read jdillon's thing then, as I'm not quite following how its really solved.
14:02 < petertodd> We're only trying to make sure they can't include 10 votes, and claim all 10 were for the highest size.
14:03 < gmaxwell> so, maybe it would help the proposal: but I would suggest that engineering sanity constrains the maximum rate of blocksize change.
14:03 < gmaxwell> And so instead of people voting on a particular size they could just vote for larger or not.
14:04 < gmaxwell> and stop voting for larger when its large enough.
14:04 < petertodd> Yeah, he's done that to a degree: if the size goes up, and people stop voting, the status quo votes are for the average of the new and old size, so the size will automatically start going down again.
14:04 < petertodd> One issue with sanity constraints is picking the rate of max change is in itself political...
14:05 < gmaxwell> yea thats what I was talking about uncountable parameter space.
14:05 < gmaxwell> But I think it's less bad.
14:06 < gmaxwell> The exact value is debatable, but I think I can say "whatever it is, it shouldn't be faster than doubling every year" and I think no one would argue.
14:07 < petertodd> Hmm... given the votes are essentially part of the UTXO set, actually what the miner does is add votes to that set, and the NIZK is then picking representative votes - it is acceptable to then calculate the median of the votes for the blocks in the past year in that case.
14:07 < gmaxwell> maybe the downward limit is harder to guess.
14:07 < petertodd> gmaxwell: I'm sure Mike would. :P
14:07 < gmaxwell> I don't think he would, or if he did he'd give up easily.
14:07 < petertodd> Yeah, in jdillons proposal with miner consent the limit can drop as fast as the users want it to.
14:08 < gmaxwell> doubling every year is really really fast. It's faster than expected computer scaling.
14:08 < petertodd> Which is interesting: a 50% economic majority, with 50% hashing power, can vote to shutdown Bitcoin.
14:08 < gmaxwell> and yet it's still slow enough that you can plan for it. Every fiscal year plan to double the amount of storage you're already using. :P
14:08 < petertodd> True, doubling works for that.
14:09 < gmaxwell> petertodd: should there be a minimum maximum? on one hand, it's stupid to vote it down to nothing. OTOH miners can already do that.
14:09 < gmaxwell> the vote would just make it easier for miners to coordinate doing that.
14:09 < petertodd> Heh, you could say every year we pick a representative UTXO, and if they voted to double, we do.
14:10 < gmaxwell> petertodd: variance is a bit high on that. :P
14:10 < petertodd> Yup, I don't see anything wrong with that, and after all it *does* require 50% majority of miners.
14:10 < petertodd> A 50% majority can always choose to ignore the minority including those votes.
14:10 < gmaxwell> petertodd: just for technical reasons, a limit might make sense, because, uh. you don't want to actually stupidly end up in a state where a next block isn't possible. :P
14:11 < petertodd> Yeah, heck, a lower limit of 1MB would probably be fine.
14:11 < petertodd> Maybe say 100KB for sake of argument.
16:31 < petertodd> now, back to my main point: why can't I parallelize that? I have a n port memory block, so I just have n different cuckoo cycle-finding attempts running in parallel
16:32 < tromp__> because prior to insertion both cuckoo[i] and cuckoo[j] may alrd point elsewhere
16:32 < tromp__> because the paths from one attempt will totally screw up the paths from the other
16:32 < petertodd> so what? sometimes these attempts will collide, but that's just a probability thing, we can discard those failed attempts
16:33 < petertodd> I'm still getting parallelism
16:33 < tromp__> no you'll almost never be able to follow a long path of edges all from one attempt
16:33 < petertodd> tromp__: how long is long?
16:34 < tromp__> to find a 42 cycle, you'll need to follow for instance paths of length 21 from each of i and j
16:34 < tromp__> and all these 41 edges you follow MUST be from the same attempt
16:34 < petertodd> (btw, the magic word here is birthday)
16:34 < tromp__> so your odds of running even 2 instances in parallel are about 2^-41
16:34 < tromp__> good luck with that
16:35 < petertodd> ah, but are you sure I can't be more clever than that?
16:35 < tromp__> my paper analyses a more sensible case of trying to reduce memory
16:35 < tromp__> i cannot prove it, but i'm pretty sure
16:36 < tromp__> i'll bet money on it
16:36 < petertodd> like, suppose handle collisions by quickly grabbing an adjacent memory cell to temporarily store the extra data?
16:36 < petertodd> that's the kind of thing a custom ASIC could be engineered to do cheaply
16:36 < petertodd> *suppose I
16:37 < tromp__> then you're essentially creating a bucket instead of a single slot
16:37 < petertodd> tromp__: sure, but I can do that really cheaply!
16:37 < tromp__> no, adjacent slots will mostly be in use
16:37 < petertodd> tromp__: why?
16:38 < tromp__> because you'll be at a load of close to 50% before you find cycles
16:38 < petertodd> for instance, with my grid of small memory bank architecture I can easily have the circuits for each small bank handle that deconfliction
16:38 < tromp__> so almost half of all slots are filled
16:39 < petertodd> tromp__: right, but remember all that matters is we find a short cycle
16:39 < tromp__> plus the administrative overhead of keeping track of which slots store an i edge or an i-1/i+1 edge will kill you
16:40 < petertodd> in software it'd kill you, in hardware it won't
16:40 < tromp__> yes, if you call 42 short
16:40 < petertodd> 42 is short compared to hundreds of mb
16:41 < tromp__> basically, if you try to use shortcuts for edges that work 90% of the time, then you'll still be only 0.9^42 effective
16:41 < tromp__> which is negligibly small
16:42 < tromp__> cuckoo makes you use most of N * 32 bits for a single attempt
16:42 < petertodd> you're still not getting it... let me try another argument
16:42 < petertodd> so remember what I was saying about how memory works?
16:42 < petertodd> even in the *single* attempt case, a routed memory architecture uses a lot less power than a standard one
16:42 < tromp__> let me ask a qst first
16:43 < petertodd> qst?
16:43 < tromp__> if you think you can run multiple instances within memory, are you claiming that you can run cuckoo with half the designed memory?
16:43 < petertodd> tromp__: no, I'm claiming I can run it in less power
16:44 < tromp__> power is alrd pretty small since most time is spent waiting for memory latency
16:44 < petertodd> if you think power is what matters then you don't understand the economics of PoW...
16:44 < tromp__> you assume that PoW must be dominated by cpu bound computation
16:44 < petertodd> you're always in the situation where if you use the equipment for more than a few months power costs more than the equipment
16:45 < tromp__> that's why cuckoo is different.
16:45 < tromp__> you'll be spending way more on RAM prices than on power
16:46 < petertodd> if you want me to believe that, then get a hardware designer to analyse your design, you haven't done that
16:48 < tromp__> i just want you to believe that you cannot feasibly run cuckoo within half the designated memory, even if you add lots of non-memory asics
16:48 < petertodd> tromp__: which I'm not claiming - asics can be memory optimized too you know
16:48 < petertodd> an interesting construction technique for that is to take a memory die and overlay it with a non-memory die actually - extremely low latency, and totally custom
16:49 < tromp__> since cuckoo really randomly accesses the random-access-memory, it will be hard to optimize memory layout
16:49 < petertodd> could be a good way to do the routed memory option actually, and then use power-gating to turn off whatever part of the dies isn't being used for computation, as well as put the dram's into lower power modes
16:50 < petertodd> you don't have to optimize layout, you optimize the wiring that gets the signals to and from the memory cells
16:50 < petertodd> like I said, you burn a lot of power getting the data from the dram cell to the processor and back - shorten those wires and the whole thing uses a lot less power
16:50 < petertodd> how do you shorten them? crazy custom asics, and die-on-die is a pretty solid way to do that
16:51 < petertodd> you also get lower latency by shortening them, and you *did* say cuckoo is latency hard...
16:51 < tromp__> any such optimization would benefit existing ram chips as well. we can assume that samsung alrd optimized their memory chips pretty well
16:52 < petertodd> no they won't, dram is constrained by the fact that it has to be general purpose, I'm saying you can optimize for latency by placing an asic with the computational part of the circuit - not much - directly on top of the memory die
16:52 < petertodd> remember that L1 and L2 cache is basically that same strategy, but with tradeoffs due to all the computational circuits needed in a modern processor
16:52 < tromp__> the computational part of cuckoo is really small. just one hash per edge
16:53 < petertodd> exactly! that's a huge problem
16:53 < tromp__> whereas you need to do 3.3 memory reads and 1.75 memory writes per edge on avg
16:53 < tromp__> so it's really dominated by latency
16:53 < petertodd> so my custom asic die can be those tiny little hashing units scattered all over the place, and my custom memory die can have a lot of read/write ports so that the wires to the closest hashing unit are short, thus reducing the latency
16:53 < tromp__> putting hash circuits on your memory die doesnt help much
16:54 < petertodd> once you find your hash, then the wires to the *next* memory cell/hashing unit can also be short
16:54 < petertodd> tromp__: if you think that doesn't help much, you don't think L1/L2 cache helps either
16:54 < tromp__> all the memory accesses still need to be coordinated to properly follow the paths
16:54 < tromp__> and reverse parts
16:54 < petertodd> so? that can be done locally with custom routing circuitry dedicated to that task
16:54 < tromp__> for cuckoo, L1/L2 cache will be quite useless
16:55 < petertodd> yes, only because it's so small, I'm telling you how to make essentially a custom GPU dedicated to hashing with distributed memory to keep latencies down
16:56 < tromp__> your hashers will be idle 99.999% of the time
16:56 < petertodd> and that's a good thing! when they're idle they use no power
16:56 < petertodd> in fact you'd probably do best with a really custom async-logic implementation of this so you don't have to route clock signals a long distance
16:56 < tromp__> and have no benefit over a single hasher doing all the hashing work
16:57 < petertodd> yes you do, getting the data to and from that hashing uses a lot of power
16:57 < tromp__> you cannot avoid the latency induced by having to coordinate values read from random memory locations
16:57 < tromp__> no matter what wiring, the distance between 2 random memory locations is still large
16:57 < petertodd> yes I do, my hashing circuitry and memory routing circuitry is physically located closer to the cells than before, so speed of light is short
16:58 < petertodd> nope, I can do far more efficiently if the computation and routing happens on the same die and/or module
16:58 < petertodd> remember, the reason why main memory accesses are so slow is because of the speed of light - I'm proposing a design that shortens all those distances drastically
16:59 < tromp__> you're not shortening the distance from random location cuckoo[i] to random location cuckoo[j]
16:59 < tromp__> and the algorithm's action depends on both those values
17:00 < petertodd> yes I am! the distance in commodity hardware is about 10cm, I'm shortening it to about cm
17:00 < petertodd> *about 1cm
17:00 < petertodd> even less if I use crazy 3d packaging... which I can because this is low power!
17:00 < petertodd> like, I should actually sandwich at least three dies, hashing in the middle and memory on either side
17:01 < petertodd> (you may not know this, but direct die-to-die connections are possible these days with techniques like microdots of conductive glue)
17:01 < tromp__> if 3d memory becomes feasible you'll see it on commodity hardware first
17:02 < petertodd> hint: you already do, it gets used for cache and even main memory (in system-on-a-chip designs)
17:02 < petertodd> problem is those designs aren't optimized for latency
17:03 < petertodd> instead they *tradeoff* area for latency, and then make it back up by taking advantage of locality with caching
17:03 < phantomcircuit> petertodd, for scrypt?
17:03 < petertodd> which means I can create a custom design by optimizing for latency at the expense of some area cost
17:03 < petertodd> phantomcircuit: we're talking about cuckoo cycle pow
17:04 < petertodd> phantomcircuit: it's supposed to be asic hard, but it's actually the exact opposite
08:58 < iddo> TD: yeah but they prefer (anonymous) submission to conference for peer review, instead of posting it publicly and confusing random people who come across false proofs
08:58 < nsh> confusion has some overlap with inspiration :)
08:58 < nsh> i don't mind 1000 quacks if there's one genius
08:59 < nsh> (the ratio is probably much higher in practice though)
09:01 < iddo> nsh: i think poly time algorithms for interesting problems are no more than a small const in exponent after optimizations, say n^6 or n^12 when n is the bit size
09:02 < nsh> right, i wonder why this is though... seems very... fortunate
09:02 < iddo> nsh: obviously you can have artificial problems like clique of size 1000 in an arbitrary graph, with poly time complexity of n^1000
09:02 < nsh> sure, there'll always be nasty cases. but it's a question of how they're distributed i suppose
09:26 < jtimon> so iddo, has the paper been proven wrong?
09:29 < iddo> jtimon: probably no one serious tried to look and refute it
09:29 < andytoshi> jtimon: this paper is a tangled structure of about 30 definitions and 10 nested algorithms which purports to be a program which proves the existence of a poly-time algo for a given NP problem
09:29 < andytoshi> (i think)
09:29 < andytoshi> nobody is going to peer-review that when it's just a random thing on the arxiv
09:29 < iddo> jtimon: if you google you can find explanations, e.g.
09:32 < pigeons> this one is clearer
09:32 < andytoshi> (iddo's link is a general "how to judge P vs NP papers without reading too closely" article)
09:36 < iddo> there was a claim that looked serious (involving a new technique of statistical physics) about 3 years ago, so Terence Tao and co. looked and demolished it within a few days after it became public:'s_P!%3DNP_paper
09:41 < t7> Terence Tao used to hang out in the go-lang irc channel :|
09:45 < andytoshi> does he not anymore? he seems to spend an impossible amount of time hanging out on the internet
09:45 < andytoshi> considering how much work he gets done..
09:46 < t7> andytoshi i stopped using go a long time ago
09:54 < jtimon> pigeons you gave me a link about a physics unified theory
09:54 < pigeons> yeah sorry, bad joke
09:54 < jtimon> ah, ok
09:54 < jtimon> this one is clearer
09:54 < pigeons> i was trying to comment on the reliability of papers
09:54 < jtimon> I see
09:55 < pigeons> but if you have to explain the joke, it wasnt a very good one :)
09:55 < jtimon> but is there a critique to this concrete proposal?
09:56 < jtimon> although thank you for the link iddo
09:58 < jtimon> or it was just regarded as "not enough serious" and not reviewed by anyone or something?
12:35 < maaku> jtimon: the paper has only been up for hours
12:36 < jtimon> oh, I see, so there's probably no critique yet
13:37 < zooko> Huh, there are two papers recently added to with "proof of space" in their title.
13:37 < zooko> amiller: have you seen gmaxwell's argument that making mining-effort into a "dual purpose" operation isn't necessarily good?
13:38 < amiller> fwiw i am *not* in favor of "dual purpose" unless the dual purpose is intrinsic to the system itself somehow
13:38 < amiller> zooko, ^
13:38 < amiller> that probably makes no sense i can try to elaborate though
13:41  * nsh nods
13:41 < gmaxwell> it makes sense to me.
13:42 < andytoshi> it makes sense to me
13:43 < amiller> ok :)
13:43 < andytoshi> though i'd have to think a bit about why you feel that way
13:43 < amiller> these two proofs of space papers are interesting that they show up though and
13:44 < amiller> i can't really figure out if they're better than gmaxwell's proof of storage
13:46 < nsh> eerily similar works
13:46 < nsh> (per abstract, at least)
13:47 < amiller> oh, one of the authors of one of them is also on the Secure Multiparty Computation on Bitcoin paper
13:47 < zooko> amiller: that makes sense.
13:47 < amiller> university of warsaw seems to have a strong bitcoin research faction now...
13:47 < zooko> amiller: because of gmaxwell's argument about weakened incentives for correct consensus-building?
13:48 < amiller> zooko, yes that's the argument i have in mind and think is right
13:48 < zooko> ("consensus-building"
13:48 < zooko> amiller: thanks.
13:51 < gmaxwell> amiller: I think the first paper there is basically isomorphic to my proposal with a lot of obfuscating language.
13:52 < gmaxwell> well not quite isomorphic.
13:53 < amiller> do we have a standard template form letter yet to send people who write papers and don't cite forums posts they should
13:53  * amiller wants to see whatever iddo sent the lottery paper authors
13:54 < _ingsoc> Lottery paper?
13:55 < amiller> _ingsoc, summarized in this thread
13:56 < _ingsoc> Oh cool. Thank you. :)
14:10 < iddo> amiller: i pasted the link here yesterday:
14:10 < iddo> i asked them to reference this in their paper, but they haven't replied so far
19:23 < andytoshi> like, in 100 years?
19:24 < andytoshi> it's growing at well under 10gb/year
19:25 < andytoshi> the block limit is 1mb, let's suppose that each one takes 1mb on disk, and that the blocks come every 10 minutes
19:26 < andytoshi> that's 144 per day, 52560 per year
19:26 < andytoshi> 52.5 gb
19:26 < andytoshi> so 20 years minimum
19:26 < gmaxwell> nOgAnOo: Bitcoin already is decentralized, so I'm confused by your question.
19:31 < phantomcircuit> gmaxwell, i think he means storage of old blocks
19:31 < gavinandresen> andytoshi: yes, but there is broad consensus that we will need to increase the max blocksize soon-ish.
19:33 < phantomcircuit> nOgAnOo, nobody is going to watch that
19:33 < gavinandresen> mmm.  it is on youtube, it must be correct.
19:33 < phantomcircuit> you might as well have just asked us to stare at the wall for 5 minutes
19:33 < gavinandresen> nOgAnOo: there are lots of plans for how to scale up bitcoin while keeping it decentralized.
19:34 < gavinandresen> nOgAnOo: actually IMPLEMENTING them will take time, careful thought, etc.
19:34 < gavinandresen> In any case, scaling up is in the category of "good problem to have"
19:36  * andytoshi is actually watching the video..
19:37 < andytoshi> "250 gigabytes within 2 years"
19:38 < phantomcircuit> andytoshi, otherwise known as "i pulled this number out of my ass"
19:38 < andytoshi> mmhmm
19:38 < andytoshi> after that it sorta crumbles from lies into incoherency
19:38 < andytoshi> to answer your question nOgAnOo, there is thought going into blockchain expansion, but no concrete plans
19:39 < andytoshi> and it's not even close to as urgent as that video claims
19:40  * nsh smiles
19:40 < andytoshi> nOgAnOo: if you listen to this channel you'll see links to research drifting by
19:40 < andytoshi> following them would involve a -lot- of background research i'm afraid
19:40 < jrmithdobbs> so you're a moron asking why you're a moron that doesn't understand a different moron, good show
19:40 < jrmithdobbs> good show indeed
19:41 < andytoshi> but you're not going to get a coherent picture of anything from youtubers
19:42 < phantomcircuit> lol
19:42 < jrmithdobbs> andytoshi: or "christian" researchers ... or any "religious sect" researchers, for that matter
19:43 < jrmithdobbs> andytoshi: "<3
19:43 < edulix> did I read christian researcher in bitcoin-wizards? makes sense, mixing different kind of magic
19:44 < andytoshi> jrmithdobbs: i recently moved to america, was caught off guard by the amount of "god bless"s that go on between strangers here
19:44 < andytoshi> so i give them all the benefit of the doubt
19:45 < amiller> gesundheit
19:45 < jrmithdobbs> andytoshi: where i grew up in texas and have developed a 7th sense for the bullshit and know exactly when to start mocking instead of attempting to teach
19:45 < jrmithdobbs> andytoshi: ;p
19:46 < andytoshi> well, i'm still learning ;)
19:46 < edulix> nOgAnOo:  in the new world order, maybe vatican opens the next mtgox :p
19:51 < nsh> there are sci-fi precedents for this
19:52 < nsh> (deranged-seeming religious beliefs inspiring technological uptake from strange quarters)
19:52 < nsh> also historical precedents :)
19:52 < nsh> but the sci-fi ones are more fun
19:53 < jrmithdobbs> we don't need sci-fi examples, we've got luke! ;p
19:59  * nsh smiles
20:20 < amiller> i'm trying to think of how to explain what's significant about the choices made about how much deposits are needed for the lottery game
20:20 < amiller> in the N-player lottery game from this paper
20:20 < amiller> say each party puts in 1 coin
20:20 < amiller> the point is that one person is supposed to win N coins
20:20 < amiller> first just note that the expected utility is zero
20:21 < amiller> expected money payout anyway
20:21 < amiller> if the other party goes away you don't necessarily learn the result
20:21 < amiller> one of the parties i mean
20:22 < amiller> but who cares if he has already put in his money
20:22 < amiller> there's a sort of common problem in protocols like this where you show fairness is impossible
20:22 < amiller> suppose you *could* carry out the protocol fairly if someone doesn't send their message in time
20:23 < amiller> that means that last parties message is optional and he might as well not send it
20:23 < amiller> but then the second to last party's input must have mattered
20:23 < amiller> so you follow that back and either you already knew the outcome from the beginning, or someone's participation makes a difference whether it's fair or not
20:23 < amiller> and so the solution is to overcompensate
08:36 < iddo> hmm headers first is an optimization that isn't related to merkle datastruct (like MMR) for lite nodes, i think?
08:37 < sipa> not at all
08:37 < sipa> completely orthogonal
08:38 < iddo> ok, peter todd and amiller said yesterday that the MMR stuff can mitigate DoS that checkpoints currently protects against, i wonder why...
08:39 < sipa> checkpoints don't protect against a DoS, they are just there to make not-checking-all-signatures safe
08:40 < sipa> wait, no, they do protect against a dos by helping the heuristics determine if an early block in the chain has a chance of beating the total known PoW
08:40 < iddo> sipa: yes i mean what gmaxwell said: (i.e. you ignore diff-1 at genesis because you already have a checkpoint)
08:41 < iddo> but then peter todd said that MMR can give this anti-DoS without checkpoints, and amiller said that the reason is that blocks have commitments to the UTXO set
08:42 < iddo> but i don't see why it helps, yet
08:43 < iddo> this is in the context of the new paper by Aviv Zohar, it seems that anti-DoS is easier with Bitcoin rules than his new rules, assuming that there are no checkpoints
08:45 < iddo> for example the most naive anti-DoS is for the Bitcoin node to have some quota and not accept more than certain amount of forks for each block, so if in the future it turns out that a competing fork is better then that node will need to ask peers for blocks that it rejected in the past
08:46 < iddo> but with the new paper, this naive anti-DoS doesn't work, i think
08:46 < iddo> (could cause netsplits that don't re-converge)
08:48 < iddo> and even if it can work with the new rules, the communication among nodes will be much greater i think
09:35 < petertodd> iddo: emphasis on *sum* tree - the MMR (or just merkle tree) lets you interactively query your peer to be sure the total sum work claimed makes sense. But yeah, even without the sum tree just working backwards from current best block is pretty good too.
09:49 < iddo> petertodd: trying to understand you... isn't that just a method to prove more efficiently that a competing fork has more weight?
09:50 < iddo> petertodd: what i don't understand, diff-1 PoW blocks are (relatively) easy to generate, what's the rule that will cause you to ignore them instead of DoS attack where you'd be bloating your local copy of the blockchain with them?
09:51 < iddo> (checkpoints do prevent this kind of DoS attack)
09:56 < iddo> it still seems to me that with Bitcoin rules to select the best chain we can have anti-DoS mechanisms (without checkpoints) against diff-1 orphans at genesis attack, while with Aviv Zohar's rules I'm not so sure
10:00 < iddo> but i'm still unclear why amiller and you said that such merkle trees remove the need for checkpoints, is it just in the context of bootstrapping new nodes without doing too much work verifying the entire history, or also in the context of anti-DoS ?
10:57 < amiller> iddo, well... you can do something like starting at SPV security and gradually validating the chain
11:05 < iddo> amiller: but not all nodes can do that, i think? the question is still whether full nodes should eliminate orphan branches or keep them, if they always eliminate then the communication can blowup?
11:07 < amiller> eventually eliminate them?
11:09 < iddo> yes i think that with Bitcoin it may be safe to eliminate old orphans (assuming no checkpoints), but with Aviv Zohar's rules, i'm not sure yet
11:09 < amiller> you may even think of it as an incentive thing, there's a tradeoff from an individuals point of view
11:09 < amiller> potentially keeping some orphans around will save on future bandwidth, but at the cost of storage now
11:10 < iddo> it's also not only about eliminating orphans that you already have, but also about rejecting new orphans, like the 1-diff at genesis attack
11:12 < iddo> with Bitcoin i think that it can be safe to reject short orphans (with small risk that you may need to request them later and waste communication), but with Aviv Zohar's rule, not sure..
12:14 < iddo> ok i summarized what i asked here, in the public thread:
12:19 < iddo> gmaxwell: with this new rule, you think that blocks need to point to all their ancestors only because of lite clients? full nodes can calculate the difficulty of a block without it having pointers to ancestors, i think?
12:20 < amiller> one question i've had is how you do efficient merging
12:20 < amiller> to make sure the same work doesn't show up in multiple places in the same tree
12:29 < iddo> amiller: btw if you can dig up #bitcoin-dev or mailing list link where you first proposed this rule, maybe they could reference you in this paper:) might be worthwhile, there's plan for followup paper too
12:38 < amiller> i send an email to the thread with the irc log from bitcoin-dev
12:39 < amiller> i wouldn't mind having an acknowledgement but i didn't develop the idea very far at all :p
12:39 < amiller> i'm really glad that someone is working on it.
12:42 < amiller> i also tried to emphasize that, it's not even that their idea isn't fine as is (we haven't argued super well that there *clearly is* a big dos attack), but that it's difficult to analyze that there are no dos attacks, so being conservative to include thing is understandable
12:43 < amiller> so if they really want to say their thing is practical and ready to implement, they should come up with some really compelling anti-dos analysis
12:44 < amiller> that's just my opinion though :o
12:46 < iddo> yes that's all true, probably difficult to analyse it in theory, trying simulations first is a good idea
14:32 < warren> gmaxwell: hm.... the previous thoughts about pruning included nodes having a random subset of the blockchain to serve to peers.  that seems good, but that may have privacy issues?
14:32 < warren> gmaxwell: you can use that to identify nodes
14:34 < gmaxwell> You can use many things to distinguish nodes already. So what about it?
14:35 < gmaxwell> You propose instead forcing nodes to use tens of gigabytes of disk space if they want to contribute at all to distributed storage?
14:35 < warren> no
14:35 < gmaxwell> It doesn't connect transactions to anything.
14:36 < warren> are there ways to obscure the subset so it is less certainly a unique identifier
14:36 < gmaxwell> I never suggested a random subset that would be stupid, I always suggested contiguous quantized ranges.
14:37 < gmaxwell> (stupid because it would take a lot more data to express than just a range or two)
14:38 < warren> ok
14:43 < sipa> and be a lot harder to make sure that a particular block is available
14:44 < sipa> in particular, you'd need O(n^2) nodes that serve the same n blocks with the same probability to get equal chance a particular block is available
14:45 < warren> when I connect to random bitcoin peers now, it seems that often many of the peers are useless, too slow or fake
14:45 < iddo> in the future we can have SCIP proofs for UTXO "checkpoints", so less need to serve old blocks
14:46 < warren> hmm key birthdates would help
14:57 < gmaxwell> iddo: perhaps, we need scip that doesn't need a trusted CRS.. and prover performance that at least makes it possible to run.
14:58 < gmaxwell> I don't know if we'll have that in 2 years, 5 years, or 10 years.
15:01 < iddo> proof size is logarithmic in num of computation steps (computation == verifying the history, maybe optimized by composing with prev SCIP checkpoints), the issue is how big are the constants of this log size proof....
15:01 < iddo> this is for the variant without CRS
15:08 < phantomcircuit> warren, you can already uniquely identify peers fairly reliably
15:08 < phantomcircuit> they give everybody the same version nonce iirc
15:49 < gmaxwell> iddo: well for checkpoints it can be rather large, eventually it will be small relative to the blockchain. :)  But I worry about computing it just being infeasible. If it costs $1k in compute time that's doable, if it costs $1m in compute time that's right out.
15:56 < amiller> hrm, what should be the parts of a bitcoin gambling tool that plays through games of iddo's protocol?
15:57 < amiller> i am thinking it should be a self contained wallet
15:57 < amiller> because i would want to have some notion of 'sending coins to my gambling wallet' rather than integrating it with my personal bitcoind or something big like that
15:58 < amiller> really i would want this to be SPV something, it's not particularly supposed to provide bandwidth to anyone
16:05 < amiller> i guess i should study bitcoinj
16:33 < gmaxwell> iddo: I really wish people with implementations of snarks for C would release something... there are 'small' applications we could use the stuff for right away. Like proving ownership of a bitcoin without disclosing which bitcoin you own.
16:35 < sipa> i've been out for too long... how does snarks relate to scip?
16:37 < maaku> sipa: scip is snarks
16:37 < maaku> SNARKS is the general term
16:37 < maaku> SCIP is what Eli et al call their implementation of a SNARKS system
16:37 < maaku> gmaxwell: correct me if i'm wrong
16:39 < gmaxwell> sipa: SCIP is just what Eli et all call their SNARKS for C stuff.
16:40 < sipa> ok
16:40 < sipa> are they abbreviations of something?
16:40 < gmaxwell> SNARK = succinct argument of knowledge  (sometimes zk-SNARK when it's also zero knowledge). succinct ~meaning that its sublinear in the witness size, argument because they are only computationally sound, they're not a proof.
16:41 < gmaxwell> (there is some proof that you cannot produce a proof (perfectly sound) which is succinct, the best you can do is computationally sound)
16:43 < gwillen> gmaxwell: is there a 30-second explanation of what 'computationally sound' means in this context?
09:33 < michagogo|cloud> - We would like to remind you that unauthorised public logging of channels on the network is prohibited. Public channel logging should only take place where the channel owner(s) has requested this and users of the channel are all made aware (if you are publically logging your channel, you may wish to keep a notice in the topic and perhaps as an on-join
09:33 < michagogo|cloud> message).
09:33 < michagogo|cloud> (minus a few line breaks)
09:34 < andytoshi> yeah, i see it now
09:35 < andytoshi> i'll stop publishing the logs until i get an ack from someone
09:38 < michagogo|cloud> andytoshi: At the moment, it's not "someone", it's greg
09:39 < michagogo|cloud> (or jgarzik, if he decides that he wants to get freenode staff to op him in here)
09:53 < andytoshi> michagogo|cloud: did you get my message late last night, saying i fixed the donation address thing with the coinjoiner?
09:53 < andytoshi>
09:53 < michagogo|cloud> I signed and submitted
09:54 < michagogo|cloud> (earlier, when I saw that)
09:55 < andytoshi> hmm, i'm pretty sure i did as well
09:55 < andytoshi> i re-submitted just in case, otherwise i've got a new bug :(
10:00 < michagogo|cloud> just resubmitted just in case
10:01 < andytoshi> thx
10:01 < andytoshi> it looks like all the signatures are in the database, if it's not working then there's a merging problem
10:11 < michagogo|cloud> andytoshi: any luck?
10:14 < andytoshi> michagogo|cloud: yeah, the outputs are subtly different for what i signed and what you signed
10:14 < andytoshi> like, the scriptpubkeys have slightly different hex
10:15 < andytoshi> but, the DB shouldn't have accepted any such discrepancies, so i'm not sure (a) how this could even happen or (b) how it got through the site's input filter
10:16 < andytoshi> i signed 76a9143312004af0b4d2323676e488ae6900c9cb3b38c888ac:10000000
10:16 < andytoshi> u signed 76a9148c04bfe5e2a91b609b92d4f7af6cadda9d1e47e088ac:10000000
10:16 < andytoshi> oh, those are actually completely different..
10:17 < andytoshi> what i wrote there is scriptPubKey:nValue
10:21 < andytoshi> ok, this is embarrassing ... i changed the output of coinjoin a few days ago, and i updated the PHP code to check errors correctly when validating unsigned transactions
10:22 < andytoshi> but forgot to update the code which validated signed transactions
10:26 < andytosh1> you submitted a signed transaction that didn't match the one offered by the site (probably because you re-submitted your signed transaction from last time, but this is a new session so the inputs/outputs got reordered)
10:26 < michagogo|cloud> I did?
10:27 < andytosh1> it appears so, yeah
10:27 < andytosh1> one moment, i'll clear out the signed transactions from the db and we can both resubmit
10:27 < andytosh1> done
10:27 < andytosh1> oops, i have to put the seed one back :P
10:29 < andytosh1> ok, can you try again?
10:31 < michagogo|cloud> done
10:32 < michagogo|cloud> andytosh1: submitted
10:33 < andytosh1> thx, got yours
10:34 < andytosh1> seems like it did not get mine..
10:40 < andytosh1> ok, now the one that i submitted, bitcoind cannot decode :} but again, php is accepting it..
10:45 < andytoshi> awesome, it went through :) tx d08ed6edab38bbd80eb96739777b096ccc654f5a1c398baeeaa11355b6d75bd6
10:45 < andytoshi> thanks a ton for testing, i'm glad we had so much bad input
11:02 < jgarzik> hrm
11:03 < jgarzik> Has anyone worked on a script form that does "<multisig> AND <multisig>"?
11:03 < jgarzik> OP_AND is disabled
11:19 < nsh> HULK SPLIT!
11:24 < gmaxwell> jgarzik: works for true false, also you can do that with OP_IF, or with just two CHECKMULTISIG VERIFY in a row
13:01 < jgarzik> gmaxwell, I was thinking "if multisig then multisig else false endif".  Two multisig in a row should work too...
17:33 < andytoshi> if i want to update my joiner to use blinded addresses, what user tools (if any) exist for this?
17:34 < andytoshi> if i write some, what papers should i read re implementing the crypto?
17:37 < nsh> andytoshi, what are blinded addresses?
17:37 < andytoshi> nsh: is a good overview
17:37 < nsh> chaum's blind sigs?
17:37 < andytoshi> yeah
17:37 < nsh> kk, reading
17:37 < gmaxwell> andytoshi: see maaku's git repo.
17:37 < andytoshi> cool, thx
17:38 < gmaxwell> (He implemented RSA blind signatures for this stuff)
17:45 < andytoshi> he has, for example, in the function _pad_message "REVIEW: I need a professional cryptographer...Does it matter in this particular application if the padding is deterministic instead of random?"
17:45 < andytoshi> if there are any professional cryptographers on here, i am curious too :)
18:25 < maaku> i asked that of gmaxwell iirc, and no it doesn't matter
18:25 < maaku> but also, it doesn't matter if it is deterministic or not
18:25 < maaku> the protocol changed a bit since I wrote that
18:40 < nsh> maaku, issue that springs to mind is that blind signing is insecure if the keys are also used to encrypt, which is generally not (so far, to my knowledge) the case with bitcoin privkeys, but worthy of consideration nevertheless
18:41 < maaku> coinjoin keys are ephemeral RSA keys used for that join only
18:41 < nsh> ah
18:42 < maaku> although I would prefer schnorr ec blind signatures using one of djb's curves, if someone went through the trouble of working out how to do that
18:43 < maaku> but yeah, throwaway keys on a different curve, so not much danger of that
18:43  * nsh nods
18:43 < maaku> i just wasn't sure if deterministic padding weakened the signature or otherwise led to any sort of attack
18:44 < gmaxwell> maaku: funny, I was going to make a comment to that effect;  "if you feel like implementing something, blind schnorr would probably be better"
18:44  * nsh reads
18:46 < maaku> all the pieces are there, I think, but I wouldn't trust myself to put them together
18:46 < maaku> I'm an informed user of cryptographic systems, not an experienced practitioner of the art
18:47 < maaku> but RSA is hard to f@&# up
18:48 < gmaxwell> Hm? ha. Thats exactly the opposite of my view.
18:48 < jrmithdobbs> rsa is pretty easy to fuckup
18:48 < gmaxwell> RSA is pretty easy to F^$%# up and EC systems tend to be harder
18:48 < jrmithdobbs> especially if you have to write it for multiple different hw platforms or runtime environments
18:48 < gmaxwell> "Oh you thought you were signing? HAH No. You were decrypting things for me. Sucks to be you!"
18:48 < maaku> i meant not implement correctly -- fewer moving parts with rsa
18:48 < jrmithdobbs> ya
18:49 < jrmithdobbs> that ya was to gmaxwell's comment
18:50 < jrmithdobbs> maaku: a lot of the errors you can make implementing rsa are less immediately obvious but more completely destructive to the security of your protocol/use
18:50 < maaku> jrmithdobbs: i'm aware
18:50 < gmaxwell> maaku: well fair enough, though once you have the primitives already
18:50 < andytoshi> i'd be interested in looking at schnorr signatures, i've got a few papers about them backlogged
18:52 < maaku> gmaxwell: yeah that's what i'm saying - i don't trust myself to modify djb's sources to do schnorr blind sig and trust that it actually *is* correct signature primitives
18:53 < maaku> but if someone were to write that, it'd be easier and safer to integrate into coinjoin implementations (and faster, and higher security level .. really no downsides)
18:54 < gmaxwell> maaku: well I believe that no changes are required in the validator, so that should help gain confidence that its correct.
18:55 < gmaxwell> e.g. it should just need a blind/unblind/and blindsign function (and the latter only because the normal signing functions do the hash internally).. and the result should be verifiable with an unmodified code.
19:02 < adam3us> maaku: i might be persuaded to try that (EdDSA ==EC Schnorr blind sig)
--- Log closed Tue Dec 17 00:00:02 2013
--- Log opened Tue Dec 17 00:00:02 2013
00:20 < gmaxwell> ugh.
00:22 < Luke-Jr> gmaxwell: well, Gavin did encourage it in his blog
00:24 < gmaxwell> mostly ugging at advocating it for "Logins to websites without passwords" and "pseudonyms" where encryption is entirely the wrong tool, and the requirement to have 'spent' from it is completely unnecessary because signmessage already does those things, and a lesser ugh at the address reuse that implies.
00:25 < gmaxwell> it's also probably only about 50 lines of code, just seems weird to me to see people making announcements for such small things.
00:25 < Luke-Jr> I was ugging at the data-in-bitcoin-blockchain :P
00:26 < gmaxwell> they aren't putting any data in the blockchain yet.
00:27 < gmaxwell> all they're doing is using as an addr to pubkey service and doing encrypted messages using ECDH with that pubkey.
00:27 < Luke-Jr> O.o
00:29 < gmaxwell> Luke-Jr: mind giving a polite response on the login / identity points  pointing out that doing that via signmessage is already a widely established practice, doesn't require making transactions, carrying around the public key explicitly, or consulting (centralized) databases?
00:31 < Luke-Jr> gmaxwell: well, this claims to be the inverse?
00:32 < Luke-Jr> oh, you mean just respond to that point
00:33 < gmaxwell> yea. I don't see any reason why you'd use something based on this over signmessage, but there may be people who see this post (even the author) who is unaware of signmessage.
00:35 < andytoshi> istr altoz being around for a long time, he should be aware of these things..
00:36 < Luke-Jr> gmaxwell:
00:37 < gmaxwell> Thanks.
17:14 < jtimon> gmaxwell: interesting prediction, but you've said two options, so that's my point, we can't predict the future of hardware, what architecture are we anti-optimizing against?
17:15 < sipa> i'm not sure it matters
17:15 < jtimon> yeah gmaxwell xmm mmx
17:15 < gmaxwell> jtimon: we? I think it's all stupid regardless. :)
17:16 < gmaxwell> as I said, I don't think arch targeting can prevent there being at least a small constant improvement from dedicated implementations. Since mining is ~near perfect competition that small factor is enough to generally exclude the non-specialized stuff regardless.
17:16 < gmaxwell> And so simple circuits like SHA256 at least improve equality of access.. anyone can design a sha256 asic which is pretty competitive, (well if not actually fabricate it themselves)
17:17 < gmaxwell> vs if you really did build something that required AMD scale engineering, then you'd much more likely have a hardware monopoly or near so.
17:17 < gmaxwell> simple fast circuits also have fast verification, which is very helpful too.
17:18 < jtimon> ok, so I see you have even more reasons than me against the "quest for the perfect mining function"
17:19 < gmaxwell> I think that like a lot of things in engineering you can only optimize so far and then its all just messy tradeoffs.
17:19 < sipa> heh, maybe we need an altcoin optimized for ASICs
17:20 < gmaxwell> DES POW.
17:20 < sipa> where the PoW function is has a trivial optimal circuit design
17:20 < jtimon> targeting GPU-friendly but ASIC-hard is especially odd for me since 1) as you said the latter doesn't really exist 2) GPUs are already a market with concentrated production (the problem supposedly solved by "hardness")
17:20 < jtimon> sipa there's one alt named ASICcoin
17:21 < gmaxwell> DES sboxes make for trivial combinatoric logic, it's much slower on current cpus/gpus than it is in direct hardware all other things equal.
17:22 < gmaxwell> the sha256 circuit is really straight forward already. You can get some gains by careful staging to equalize latencies...
17:33 < andytoshi> i have a crazy idea (involving nonexistent crypto) for a research pathway to a SNARK without forge-enabling keying material:
17:34 < andytoshi> throwing it out here because there's probably something obviously dumb about it, and you guys are good at catching that stuff
17:58 < gwern>
18:30 < jtimon> how "computer hardware" is not "theoretical computer science"?
18:32 < jtimon> oh, not experts in hardware, I misread
21:56 < gmaxwell> There was a puzzle in the MIT mystery hunt that some folks here would like solving.
21:57 < gmaxwell> oh. crud. I guess I can't post it until after the hunt is over, so forget the last line for three days.
23:38 < jcrubino> is it possible to have an address that is both a valid litecoin and bitcoin address?
--- Log closed Sat Jan 18 00:00:29 2014
--- Log opened Sat Jan 18 00:00:29 2014
00:02 < Taek42> gmaxwell what do you do for a living?
00:02 < phantomcircuit> Taek42, he works at mozilla doing stuff and things
02:24 < justanotheruser> jcrubino: no, simply because of the fact that litecoin's version number starts with L, not 1
02:38 < jcrubino> justanotheruser: I have a testnet address that passes validation tests by both daemon clients
02:39 < justanotheruser> jcrubino: Hmm. I suppose if both daemons ignore the version it could be valid
02:40 < brisque> justanotheruser: I explained in #bitcoin-dev that you can use the same public keys, just the address reads differently.
02:40 < jcrubino> I chased my tail in circles while unit testing over that
02:40 < justanotheruser> what character does the testnet address start with
02:40 < brisque> m or n
02:40 < brisque> ;;bc,wiki address prefixes
02:40 < gribble> | Dec 25, 2013 ... The encoding includes a version byte, which affects the first character in the address. The following is a list of some prefixes which are in use.
02:40 < justanotheruser> brisque: I meant for litecoin
02:40 < brisque> does litecoin have a testnet?
02:40 < jcrubino> yes
02:41 < justanotheruser> brisque: yes, but I figured it would be valid for the bitcoin daemon considering the daemon might consider the version number bad
02:42 < brisque> if the testnet prefix is the same it'll work with no problem
02:42 < jcrubino> assuming I change out the address prefix in bitcoind to the litecoin version what else needs to change to make it litecoind ?
02:42 < justanotheruser> jcrubino: ultimately you can have a public key hash that is valid for both bitcoin and litecoin. An address is just a conversion to base 58 with a version number
02:42 < brisque> jcrubino: mainly just the POW system and the logo.
02:43 < jcrubino> does a non mining  daemon  verify the pow or does it just relay ?
02:45 < brisque> every node validates the POW of every block
13:21 < justanotheruser> If it is possible to have a PoW that only has a maximum of like 5% improvement from CPU to ASIC, is that beneficial?
13:27 < nsh> justanotheruser, in general, no.
13:31 < maaku> justanotheruser: the best you could probably do is several multiples, maybe an order of magnitude
13:46 < justanotheruser> maaku: eh, I disagree. If the hashing function takes up a lot of code and uses many different RISC instructions, then you could use an ASIC, but it might be prohibitively expensive because you have to have so much circuitry to have the hash function implemented.
13:46 < justanotheruser> s/takes up a/uses a
13:48  * nsh frowns
14:03 < adam3us> justanotheruser: the hashing function would have to be very dynamically dependent on the instructions, or it can be special cased; even then someone can make the minimal unrolled cpu strip out everything else and put that circuitry down redundancy as many times as it will fit. i think inevitably almost, hw wins, by a decent margin
14:06 < adam3us> maybe another direction is a FPGA friendly design, and hope ASIC/FPGA advantage will narrow as a trend.
14:06 < justanotheruser> adam3us: Yeah dynamically dependent instructions would be better. If you made it use all instructions, and it involved storing data in the registers, etc wouldn't the ASICs essentially be efficient CPUs?
14:07 < gmaxwell> why does this pow wanking keep going on here?
14:07 < gmaxwell> I can't imagine a less interesting subject.
14:07 < gmaxwell> Does anyone here even care about it?
14:07 < adam3us> potentially.  however its a bit of a weird cpu.  it doesnt mind the input being a counter, and 99.99999% of the outputs are thrown away
14:08 < justanotheruser> adam3us: maybe the PoW could require all the outputs.
14:09 < justanotheruser> One problem I see with this is verification taking a long time
14:09 < andytoshi> gmaxwell: +1, guys we had a long long discussion about this yesterday and completely overwhelmed my ability to follow the entire -wizards scrollback
14:09 < gmaxwell> I just don't even understand why it's being discussed, since I don't think anyone here even thinks its actually all that important.
14:10 < gmaxwell> (though maybe my tolerance is limited because I'm only looking in here once/twice a day because I'm busy elsewhere right now)
14:10 < justanotheruser> gmaxwell: It seems one of your altcoin ideas linked in the topic involves a modified PoW
14:10 < adam3us> maybe we need a #bitcoin-pow-wankery ;)
14:11 < gmaxwell> justanotheruser: I specifically avoided this kind of BS on that list. All the 'modified pow' there were achieving some other purpose than architectural overoptimization.
14:11 < adam3us> justanotheruser: many of the alts sole 'hook' (aka fake argument for existence/sales pitch) is a different pow for "decentralization"
14:12 < gmaxwell> I think there is no end to what you can discuss in that space, and the arguments that it's a useful tradeoff are very hard to make a clear argument for.
14:12 < gmaxwell> It's just the kind of superficial thing that people can discuss forever.  e.g. "random POW generator"
14:12 < justanotheruser> adam3us: I agree it doesn't save electricity or anything like that. People just end up spending money on the hardware instead of the electricity.
14:13 < adam3us> justanotheruser: so at a high level, it would not have to be so slow to verify just because it depends on the dynamic execution of a randomly generated machine code I think
14:13 < adam3us> justanotheruser: seems to me asic-hardness ends up using more electricity typically
14:15 < jtimon> justanotheruser when your ASIC competitors are doing 4% profits, will you mine at -1%?
14:16 < justanotheruser> jtimon: ASICs probably wouldn't give them 4% profits because they would have to buy new hardware
14:16 < adam3us> but its probably more fruitful towards decentralization to try find ways to put diseconomies of scale into the protocol somehow or make bitcoin less vulnerable to 25/33/50% attack, selfish mining and policy/censorship with any level of centralization, then maybe we dont even care
14:16 < justanotheruser> The ops here seem to want us to change the topic though.
14:16 < jtimon> profits = gains after all costs, including capital costs
14:17 < justanotheruser> jtimon: I don't understand why you defined profits. It doesn't really change anything about what I said.
14:18 < adam3us> as i recall no one found a good answer to the 25/33% attack, and ghash is at 34% now coincidentally
14:19 < justanotheruser> adam3us: what's the 25/33% attack? Just them being able do a large reorg some of the time?
14:19 < gmaxwell> it's the argument that pow-wanking for foo-hardness is irrelevant because the perfect competition of mining will drive even marginally less efficient out of business. You can debate how much slop there is... but wherever you decide it won't be a huge amount.
19:50 < jtimon> I'm not saying it's not a difficult problem, I'm saying you can model the filter against random curves without modeling any mining economics
19:51 < gmaxwell> No you can't. A filter with overshoot behaves very differently in a non-linear system than does one which is critically damped.
19:51 < jtimon> there could be an earthquake destroying 40% of the hashrate and you should be prepared as well
19:51 < phantomcircuit> gmaxwell, is there a cap on how large the change in difficulty can be for any one period? (either up or down) ?
19:51 < gmaxwell> What I'm pointing out is that some filters can actually cause system failure under some mining economics models.
19:51 < gmaxwell> phantomcircuit: yes, 4x.
19:51 < phantomcircuit> oh
19:51 < gmaxwell> (in both directions)
19:52 < phantomcircuit> so that's effectively only relevant for down
19:52 < jtimon> gmaxwell I think all filters could fail under certain conditions
19:52 < gmaxwell> the box filter is probably unconditionally safe.
19:52 < jtimon> you must chose the conditions you're not prepared for
19:52 < gmaxwell> jtimon: forget "prepared", I'm pointing out that some designs can fail when nothing changes or goes wrong.
19:54 < gmaxwell> In an environment where miners turn off when not profitable and turn on when profitable, a design that has overshoot can drive the system into instability. miners turn on, diff goes up, but it goes up too much and then even more miners turn off. then when it goes down it goes down by too much and more miners turn on, and each swing a great portion of the hashrate is being pulled into the oscillation.
19:54 < jtimon> I haven't studied any of the filters so I believe a box filter could be better and there's designs that can fail with a constant hashrate
19:54 < midnightmagic> keynesian beauty contest to the rescue?
19:54 < midnightmagic> :-)
19:54 < jtimon> but when's the point in choosing those?
19:55 < gmaxwell> jtimon: I think the design in freicoin is one that can fail with constant hashrate!
19:55 < jtimon> gmaxwell you can also manually change diff with a hardfork
19:55 < gmaxwell> (it has a pretty substantial overshoot)
19:56 < jtimon> oh, I see
19:56 < jtimon> I didn't know
19:56 < gmaxwell> jtimon: which is part of the reason that worrying about black swans is probably a waste of time, esp if the result is something thats riskier.
19:56 < jtimon> like most times, it's a tradeoff
20:00 < jtimon> in any case, maybe you're right that a less "responsive" filter is better long term, with a mature market without so much subsidy
20:01 < jtimon> but in this case (allowing bitcoin asic miners to come and go, but not to mine both at the same time) we desperately needed something more prepared for wild swings
20:03 < gmaxwell> my complaint there is not about responsive.
20:05 < maaku_> gmaxwell: the overshoot is not that substantial
20:05 < maaku_> the parameters themselves are slightly underdamped
20:05 < maaku_> and the overshoot comes from the 144-block window
20:06 < gmaxwell> maaku_: Hm. from the FIR filter I saw you using before it could be as high as 20%, IIRC though perhaps it got changed?
20:06 < maaku_> so with big square-wave changes, it takes a dozen or more blocks to react
20:06 < maaku_> no, it hasn't changed.
20:07 < maaku_> i just have a different opinion of those numbers - overshooting by 20% when someone is toggling an order of magnitude more hash power than your entire network is pretty good, imho
20:07 < maaku_> we were <1Th/s, and getting hit by 10Th/s chain hoppers
20:10 < gmaxwell> thats not what overshoot means, thats called group delay when it takes a long time to react at all.
20:11 < gmaxwell> Overshoot is when it does react that it can react more than the change.
20:12 < maaku_> yes, well you want a little bit of that
20:12 < maaku_> you want it to be underdamped, slightly
22:37 < justanotheruser1> How many inputs and how many outputs can be in a transaction? Is there a limit on this other than 1mb?
--- Log closed Sat Jan 25 00:00:57 2014
--- Log opened Sat Jan 25 00:00:57 2014
01:31 < maaku_> justanotheruser: 18,446,744,073,709,551,615
01:31 < maaku_> you hit the 1mb limit long before then, however
03:07 < adam3us1> so i think i found a way to (network) efficiently and securely do SPV for single use addresses.  now that i thought about it I dont see why i didnt see it before as it an application of NIFS which i described up as a problem statement of in 1996, and found a mechanism for in 1998 (novel use of IBE) and Boneh found a more efficient building block for in 2001 (the weil pairing)
03:08 < adam3us1> NIFS
03:10 < adam3us1> it was thought up to provide forward secrecy for email where there is no interactive communication.  read that.  its basically like a public derivation variant of HD wallet concept but where anyone can be after the fact given a private key
03:17 < adam3us1> hmm maybe not ... gotta think more about this (just woke up:) i am thinking weil pairing gives the extra flexibility so you can have someone derive a public encryption key for you from a reusable encryption pub key and the previous block number, then do a derivation from the reusable address with a random factor by sender, encrypt factor with the derived pub enc key, and then afterwards you can derive the corresponding private dec key and s
03:18 < adam3us1> and therefore the query (the private key) could be unique to the block only, obviously very compact, useless for correlating with other blocks, and non-interactive
03:20 < gmaxwell> well, we can do what tor is looking to do with hidden services but its not blind to someone who knows your address.
03:21 < gmaxwell> hm. interesting yea okay
03:22 < adam3us1> yes ok i think brain woke up, its not NIFS its a diff problem statement a variant without the forward-secrecy as you need random lookup in the tag space, and to be able to safely send people the private key
03:22 < gmaxwell> so how about this:  take the reusable address scheme,  but make the ECDH  pubkey   be  pubkey + H(blocknumber)*G
03:23 < gmaxwell> the problem there is that it has the private key unzip attack that BIP32 has.
03:23 < adam3us1> gmaxwell: basically each user is their own IBE server, they publish the IBE params as their reusable public address
03:23 < gmaxwell> yea, I don't think this is doable without pairing. the EC addition way to do it has the unzip attack.
03:23 < adam3us1> gmaxwell: so with IBE your identity is your key, so encrypt with the pub key derived from the previous block hash as "identity"
03:24 < adam3us1> gmaxwell: then do the normal sender choose random factor, encrypt factor with the derived pub key, then to delegate a per block decrypt capability, you send the node the corresponding private key that you derive using your IBE private key.
03:24 < adam3us1> gmaxwell: agreed
03:25 < gmaxwell> then again the pairing is only needed for recognition, so it could be employed here. it would allow you to produce unique per block recognition keys. Someone you gave your recognition private keys to could only recognize your transactions that used those keys.
03:25 < adam3us1> gmaxwell: unfortunately that lets weil-pairing crypto into the tent
03:25 < gmaxwell> But its only for privacy, I'm okay with that, but it's an implementation barrier.
03:25 < adam3us1> gmaxwell: yes.
03:26 < gmaxwell> (IMO thats how we should be using pairing in cryptosystems: for lower value applications, and solving things that can't be solved any other way)
03:26 < adam3us1> gmaxwell: well its a start, a proof of concept that its possible.  petertodd started to think it maybe provably not, but that seemed wrong to me, and its a good thing he asked the q of can u prove it not, cos it triggered me to think in the other direction :)
03:27 < adam3us1> gmaxwell: yeah, if it has a sane failure mode.  there maybe ways to contain the failure a bit with normal mechanisms eg a few IBE keys or such
03:28 < adam3us1> gmaxwell: also i think IBE is technically overkill we dont really need a comm channel, that is a side effect of the previous mechanism.  so we may be able to do better.
03:29 < adam3us1> gmaxwell: we just want a per block discriminant private key, we dont actually need to allow the node to decrypt something, it can give it to the SPV node and it can decrypt it, itself
03:29 < gmaxwell> well really what we want is a BIP32 like derivation which doesn't have the unzip attack.
03:29 < adam3us1> gmaxwell: exactly.
03:31 < adam3us1> gmaxwell: i dont think u can do it like that tho, because thats what i was trying to do with NIFS and I made and broke a few mechanisms 1996 and concluded you cant do it with DL, hence the IBE connection to NIFS 1998, and then Boneh weil pairing 2001 made it secure/efficient (but esoteric)
03:33 < gmaxwell> ::nods::
03:34 < adam3us1> gmaxwell: but this seems something with lower requirements, more like a new problem statement, so maybe something below IBE can be found.  anyway i was excited to have a proof of concept, even weil pairing using... have to think about that next step more :)
03:35 < gmaxwell> I'd thought about using the prior block as an identity parameter but I didn't see how to get away from simulation by anyone who knew the address... the IBE approach indeed would work.
03:39 < gmaxwell> petertodd: to decode for you, since you may not be familiar with IBE stuff: The idea is that the user has a master private key, which results in a master public key. Anyone can take a prior block hash and combine it with the master public key to get a session pubkey which could be used to encrypt a chaincode included in an OP_RETURN.   Using the master private key the user can derive the session private key, which can then be used to ...
03:39 < gmaxwell> ... recognize transactions using the same session key.
economy from the blockchain is actually an important enough property, kinda ...
18:37 < gmaxwell> ... weird that you couldn't though!
18:38 < petertodd> maaku: for instance a really extreme example is to create a consensus system with no concept of coins at all, that does nothing more than map H(program)->Eval(program), if the program can access blockchain data as part of its execution, the program itself can implement a bitcoin-like currency!
18:38 < petertodd> maaku: (sorry, that's commit to (H(program), input arguments)->Eval() to be exact)
18:38 < gmaxwell> "best part of this is that you already need 16GB to store the blockchain," ... ::sigh:: this isn't true, and it's also why I was asking about pruning in zero cash. Seems that they don't realize you can prune simply because the reference software doesn't.
18:39 < petertodd> gmaxwell: or worse, have their marketing hats on...
18:39 < gmaxwell> I don't see any easy and catch free way to get pruning into an anonymous coin though.
18:39 < gmaxwell> petertodd: nah I just don't think they know a lot of people don't.
18:39 < petertodd> gmaxwell: ugh, pruning is in the satoshi whitepaper...
18:40 < gmaxwell> you think they really read it?
18:40 < petertodd> gmaxwell: the interesting part isn't that you can do pruning, but the extent to which the fact that you can is a bad thing
18:41 < gmaxwell> in any case, for these anonymous coin ideas what you end up having to have is a database of encrypted coins which have been created, and another database of non-encrypted coins that have been spent.
18:42 < maaku> petertodd: ok, i understand the feature request now. do you know a way in which this might be implemented?
18:42 < gmaxwell> The ZK proof when you spend is of a statement like  "This decrypted coin exists in encrypted form in the encrypted coin database". And then the newly decrypted coin is added to the database of spent coins.
18:42 < petertodd> gmaxwell: though the database can be split up; you can think of both databases as cryptographic accumulators supporting VerExists() and conversely VerNoExist(), and thus get succinct proofs of either for SPV.
18:43 < gmaxwell> so you can't prune the encrypted coin database because you can't tell which entries have been spent. And you can't prune the spent coins database because then the coins could just be respent.
18:43 < gmaxwell> The coins database can be append only, but the spent coins database needs an efficient VerNoExist() so it must be key ordered.
18:44 < gmaxwell> key ordered makes it hard to outsource efficiently. (requires tracking the network)
18:44 < maaku> petertodd: if script was homoiconic it would be easier to attach a script which takes the transaction as input and outputs scripts to be attached to the outputs
18:44 < maaku> and those could be carried forward
18:44 < petertodd> maaku: well, in Bitcoin you need a very invasive soft-fork. vitalik's ethereum is in those directions, but the implementation is yuck
18:44 < Alanius> couldn't one store the spent coins in a merkle mountain range? Or am I mixing things up here?
18:45 < petertodd> gmaxwell: right, with spent that's the same problem as UTXO proofs. although you can design it so that the spent database need not be held in entirely for any one miner
18:45 < maaku> Alanius: "the spent coins database needs an efficient VerNoExist() so it must be key ordered"
18:45 < Alanius> ah, mmr's do not allow proof of non-existence?
18:45 < petertodd> Alanius: MMR can be used for unspent only, and I'm going to be very interested to find out if that's what they did
18:46 < petertodd> Alanius: they do, but the proof-of-non-existence is O(m log n) in size for a span of m blocks
18:46 < petertodd> Alanius: which you can do in zk-snark fashion, but that's costly
18:46 < maaku> petertodd: i think that's misleading from the context of his question
18:46 < maaku> Alanius: you can only prove non-existence based on what is being indexed
18:47 < maaku> MMR is indexed based on insertion order
18:47 < maaku> so you can prove, for example, that no coin was spent in between two adjacently spent coins
18:47 < jtimon> petertodd: I like a generic scheme too, I'm just not constrained to softforks, seriously I don't know what your claim is yet what solution and what problem are you referring to from my link?
18:47 < maaku> which is pretty useless
18:48 < Alanius> maaku: thanks! very intuitive explanation :)
18:48 < maaku> jtimon: he wants to attach arbitrary validation rules to outputs, and have those propagate in arbitrary ways in future transactions
18:48 < petertodd> maaku: but that's the thing, it's *not* useless, if you can prove when the coin was created, you naturally have a reasonable limit on the non-existence proof, which is a way that you could get something akin to pruning in zerocoin
18:48 < petertodd> maaku: basically the cost to make the zk-proof would increase as the coin gets older, but my understanding is that cost blows up very fast with current zk-snark technology
18:49 < gmaxwell> yea, so my thought for pruning is that when you create a coin you could create it with a generation number (which is made public by the ZK proof)
18:49 < gmaxwell> where 'generation number' means like "what month was it created in"
18:49 < petertodd> gmaxwell: yup
18:50 < gmaxwell> and then you can say that coins become unspendable after so many months, allowing you to prune both data sets.
18:50 < gmaxwell> But its kinda ugly.
18:50 < Alanius> that would partition the anonymity set
18:50 < gmaxwell> as it reduces your anonymity set and makes your coins expire.. and we can't even tell how many coins have expired!
18:50 < petertodd> gmaxwell: but why make them unspendable? just force you to prove correct manipulation of the spent set in your tx
18:51 < gmaxwell> petertodd: hm. and store the new spent set root? so you never close off an old spent set, it just becomes more expensive to spend from it?
18:51 < gmaxwell> I suppose thats true.
18:51 < petertodd> gmaxwell: well, doesn't even have to be more expensive, just more annoying
18:52 < gmaxwell> You still have the anonymity set reduction though, alas.
18:52 < petertodd> gmaxwell: basically if your spent token set is a single radix tree, then you have a bunch of data that needs accessibility, to do better, shard that
18:52 < petertodd> gmaxwell: sure, but it's still easily in line with what coinjoin can do (anonymity set of tx's happening at roughly the same time)
18:53 < gmaxwell> oh it's much better since same time could be defined to be a month or more.
18:53 < petertodd> exactly!
18:53 < gmaxwell> it's still not free however.
18:53 < petertodd> and you want some amount of time anyway, as mining needs to imply at least having the data, so you want mining to be tied to, say, the last month of data
18:53 < gmaxwell> also there are some other tradeoffs which come into play.
18:53 < petertodd> ?
18:54 < gmaxwell> The ZK proofs are going to be most efficient if they have no branching, just a constant number of hash evaluations and some muxes to get data on the right side of the hash input.
18:54 < gmaxwell> One of the plus sides of pruning is that it should make the ZK proofs faster.
18:54 < petertodd> gmaxwell: so make a tree of every month from now until eternity
18:55 < petertodd> ok, sure
18:55 < gmaxwell> "once we have these coins we put in the hash tree; 64-depth key (2^64); when want to redeem; reveal the serial number, and can reveal 64-hashes before in the tree; "
18:55 < gmaxwell> (quoting from the talk)
18:55 < gmaxwell> sounds like they fixed the tree size at 64 deep so that they'd 'never' run out of room.
18:55 < petertodd> (note how they must have some mechanism to make collisions hard...)
18:56 < gmaxwell> With pruning we can do better and say, have a 2^33 deep tree. Which is fine for a months of transactions.
18:56 < petertodd> (oh, actually, no that's not true, you don't need that)
18:56 < petertodd> true, although the risk of accidentally picking someone else's serial number goes up
18:57 < gmaxwell> petertodd: no need to have a risk of that, you just use a >128 bit random serial number.
18:57 < gmaxwell> one turn of the compression function takes 512 bits.
18:58 < gmaxwell> In there you have to fit the value of the coin, a P2SH hash for the pubkey needed to spend it, and a serial number.
18:58 < petertodd> gmaxwell: wait, so how does that help? the tree is indexed right, so if the first 33 bits match I have a problem
18:58 < jtimon> for scalable "anonymous" transactions, more than zerocoin-like stuff I like petertodd's inputs only approach with an expiry on the UTXI entries
18:58 < gmaxwell> petertodd: no no, it's insertion ordered.
18:59 < petertodd> gmaxwell: oh right, doh
18:59 < petertodd> gmaxwell: quite correct
19:00 < petertodd> gmaxwell: well basically, the depth of that tree is purely your anonymity set
19:00 < gmaxwell> yes
19:00 < gmaxwell> say a coin looks like this [128 bit serial number, 64 bit future extensibility, 64 bit value, 256 bit P2SH hash]   you add it to an insertion ordered tree.
19:01 < petertodd> jtimon: it's only scalable if you can figure out the right mining incentives and solve the data-hiding attack sufficiently
19:01 < gmaxwell> And then to emerge COIN  you just produce a ZK proof that  H(COIN)  is in the tree.. which takes Log2(size) hashes under the ZK proof.
19:01 < gmaxwell> so if you require multiple trees for pruning purposes, then you can make them reasonably small at the cost of reducing the anonymity set.
19:03 < jtimon> petertodd, I don't know the data-hiding attack, but from what I hear from maaku what you're talking about is new, can I read a summary somewhere?
19:03 < petertodd> jtimon:
15:11 < maaku> jtimon:
15:11 < TD> also i doubt any such system would be generic
15:11 < adam3us> gmaxwell: see i optimized the zkp range proof a lot manually in problem specific ways and still came to 1.5kB
15:11 < jtimon> thanks maaku
15:11 < TD> but sure, we can call them SNARKs instead
15:12 < adam3us> gmaxwell, TD: so i must be being dumb if their compiler can outperform me :)..  but yes i stayed well clear of pairing
15:12 < TD> they use a lot of very complicated techniques
15:13 < TD> i only understand some of it
15:13 < amiller> with pinocchio you can create a proof for SHA1 in 15 seconds on a single thread desktop computer
15:13 < amiller> i'm pretty tinyram beats that
15:13 < gmaxwell> and the proof is a couple pairing group elements.
15:13 < adam3us> TD: its very powerful if that scales, so we can forgive pairing
15:13 < adam3us> gmaxwell: thats amazing
15:14 < TD> i thought it was 8 elements
15:14 < adam3us> and is this non IP-encrusted?
15:14 < warren> My BFL arrives today, far too late to be useful.
15:15 < gmaxwell> Well they have another backend that uses fiat-shamir with locally testable codes... the proofs are bigger but not astronomically large.
15:15 < adam3us> warren: still waiting for mine its been stuck as "fulfilled" but not shipped
15:15 < gmaxwell> (like zerocoin size)
15:15 < amiller> adam3us, there are currently three competing snarks projects, tinyram  pantry and pinocchio
15:16 < gmaxwell> adam3us: I did some searches a while back and didn't find anything, but who knows what of their optimizations they may have patented in the last year.
15:16 < adam3us> do you know if any of them have not covered it with lots of patents
15:16 < warren> adam3us: I missed the "use paypal tos to force BFL refund" thread by 1 day.
15:16 < amiller> adam3us, of these tinyram isn't out yet, pantry is fully open source, pinocchio is mostly open source except for the backend which they're working on reimplementing open source
15:16 < gmaxwell> If they do, it'll be sad because the history of crypto says that patented crypto is dead on arrival.
15:16 < adam3us> warren: i missed that outright... bought a part upgrade to the 600GH and left order for the smaller 5GH
15:17 < adam3us> gmaxwell, amiller, TD: ok you convinced me I have to learn what they are doing!
15:18 < amiller> adam3us, this is the GGPR scheme underlying pinocchio and pantry
15:18 < adam3us> jtimon: i think the committed tx topic did not continue when you lost connection
15:18 < jtimon> I still don't understand committed coins, gmaxwell perfectly explained my worries "he's asking about the case where you are d in a chain of hidden spends.   a->b b->c c->d  And he's confused about how you know that a->q  didn't happen first."
15:19 < gmaxwell> jtimon: when you are d, and get paid by c you demand he provide you the required keys to trade your payment back to entirely public inputs.
15:19 < amiller> adam3us, actually GGPR underlies tinyram as well
15:19 < adam3us> jtimon: yes so the thing is if a->q happened it would be on the block chain, the encrypted/hashed tx and a second H(a), the sender must provide info to convince you that isnt the case, ie that that is a forgery/spam
15:19 < gmaxwell> jtimon: and when you do so, because you have a's public key, you can see that a->b is the first a spend in the chain.
15:20 < warren> adam3us: I sold this BFL on ebay.  The first attempt failed with no bids.  The second attempt succeeded with a bid.  BFL forced the first expired listing offline with a "trademark/counterfeit" claim while leaving the high priced successful bids untouched...
15:20 < adam3us> warren: wow thats hostile
15:20 < jtimon> so a->b is in hidden form in the chain
15:20 < warren> I'm pretty sure that's abusing the law to manipulate perception of value.
15:21 < jtimon> b->c must also be in hidden form in the chain, right?
15:21 < adam3us> yes
15:21 < adam3us> it not offchain, its onchain but in encrypted/hashed form
15:21 < adam3us> such that anyone can see which are spends of the same key, they just dont know which key
15:22 < jtimon> and when I receive C->D, C also gives me proof that a->b, b->c and c->d where actually signed properly
15:22 < jtimon> were
15:23 < gmaxwell> well he gives you the keys required for you to be able to check for yourself. (it's not in zero knowledge)
15:23 < adam3us> jtimon: yes, he just gives you a sym key that allows you to decrypt
15:23 < adam3us> jtimon: you can validate it yourself then as the bit of the block chain you care about is now decryptable and visible to you
15:24 < jtimon> so now I want to pay D -> E in public form
15:24 < gmaxwell> you would make those secrets public at that point, so the whole network could validate what you wanted before.
15:24 < jtimon> couldn't C try to publicly pay C -> C2 first ?
15:24 < adam3us> jtimon: you have to publish all the committed ones or the recipient otherwise needs keys for a-<c
15:25 < adam3us> jtimon: no because of the trick that a public spend correlates with the committed spends
15:25 < adam3us> as a public spend includes pub key (not just address), and H(pub) can be calculated from it, and H(pub) is attached cleartext to each committed spend
15:25 < jtimon> but no one is seeing any relation between hidden (committed is confusing sorry) spends
15:26 < jtimon> ok, so every hidden spend refers to the previous one
15:26 < maaku> hidden is a much better term
15:26 < jtimon> explicitly
15:26 < gmaxwell> jtimon: to make d -> e in public you disclose the keys, so the relations then become clear.
15:26 < maaku> yes, these are not blinded
15:27 < jtimon> but not until I publicly pay d -> e ?
15:27 < gmaxwell> right.
15:27 < jtimon> then at any time c -> c2 or b -> b2 could be broadcast
15:27 < jtimon> no?
15:28 < maaku> yes, but it would be meaningless
15:28 < gmaxwell> No.
15:28 < gmaxwell> (as maaku says)
15:28 < adam3us> not really because people receiving them can see they are spent
15:28 < gmaxwell> Because everyone with the keys can see which comittments were first.
15:28 < maaku> c2 or b2 would have the keys necessary to go check the chain and realize they were double-spent
15:28 < adam3us> as with (c->c2) in clear form, you know public key of C, and that is attached to the original spend as H(c)
15:28 < gmaxwell> and the hidden -> public validation checks this too.
15:28 < adam3us> even if they didnt
15:29 < jtimon> ok, so then every hidden spend references the previous hidden spend
15:30 < adam3us> jtimon: the recipient of a hidden spend needs keys back to the first non hidden ancestor
15:30 < adam3us> jtimon: actually with optimization its just one sym key you disclose at any time
15:30 < jtimon> let's say I have d -> e (public) prepared at home but I chose not to broadcast it until next week
15:30 < adam3us> jtimon: the sym key gives you enough to navigate backwards, decrypt, then validate normally
15:30 < gmaxwell> yea, because you could change the keys in the encrypted data.
15:31 < jtimon> there's 3 possibilities
15:31 < gmaxwell> s/change/chain/
15:31 < gmaxwell> jtimon: I think you've thought yourself into a rut, this isn't that complicated.
15:32 < adam3us> jtimon: i think the thing you're maybe missing is that, a public spend is also validated against its inputs, and the inputs are encrypted and so it's rejected
15:32 < jtimon> 1) When miners receive public(C -> C2), they realise it is invalid because something in hidden(C->D) indicates it
15:33 < jtimon> hidden(C->D) is already in the chain
15:33 < adam3us> jtimon: think you meant c->d2, yes they can see that hidden(c->d) was with the same key c as clear c->d2 so its invalid
15:34 < jtimon> ok, I got it
15:34 < adam3us> jtimon: so if clear spend of c->d2 comes after hidden spend c->d then d2 is a double spend and rejected; its interesting because in its hidden form the miner knows almost nothing so he can apply no policy
15:34 < gmaxwell> it would still work if they couldn't however, certainly easier that they can.
15:34 < jtimon> but no, I meant c2 to express that belongs to the same person
15:35 < jtimon> so, c->d publicly states {C, H(C->D)}
15:35 < adam3us> gmaxwell: ? what mean "it would still work if they couldn't however, certainly easier that they can."
15:36 < adam3us> hidden(c->d) = E(tx), H(c) approximately
15:36 < jtimon> isn't this also traceable?
15:36 < gmaxwell> adam3us: I mean the requirement that miners can reject a double spend isn't a strict requirement. So long as the receiver can identify the first spend that's in the chain that's enough for the scheme to work.
15:36 < adam3us> jtimon: so if you send c->d2 publicly now anyone can compute H(c) and see wait that was already spent
15:36 < gmaxwell> jtimon: once the data is made public, sure.
15:36 < adam3us> gmaxwell: ah yes
15:37 < adam3us> jtimon: before its public its utterly hidden except to the people in the path
15:37 < adam3us> jtimon: you cant even tell it is a path, the hidden tx are opaque blobs and H(c) is useless if you dont know c
15:38 < adam3us> amiller, gmaxwell, TD: surely SCIP-coin can be a game changer if there is an efficient non-patented version.  or maybe the community can buy them out :)
15:39 < gmaxwell> then the other conversation we had was where I pointed out that using a sufficiently powerful (tm) zero knowledge proof system you could do the private->public change without making the keys public. (I wrote about this at length in a forum thread of its own)
15:39 < gmaxwell> ( )
15:40 < adam3us> gmaxwell: think i missed that forum thread sounds like what you said above about SCIP
10:19 < gmaxwell> he doesn't agree, sadly. E.g. he has a definition of 'fully rigid' that doesn't include setting the base point:
10:19 < gmaxwell> I'll forward you email. one sec.
10:19 < adam3us> gmaxwell: i think we've got the same assumptions but to say it is easy to get two base points G & H which you can readily see no one knows the private key for (eg G=hash2curve(pi), H=hash2curve(e) for pi & e)
10:20 < adam3us> gmaxwell: i mean no one knows the discrete log of them to anything in particular, and certainly no one knows x st H=xG
10:21 < gmaxwell> adam3us: sure, but you have to pick your base point that way.. and it doesn't appear that anything anyone is likely to use right now does.
10:21 < adam3us> gmaxwell: i mean otherwise it's a joke find H=hash2curve(pi), compute x=random, then set G=x^-1H => H=xG
10:21 < gmaxwell> adam3us: that's what I sent DJB.
10:21 < adam3us> gmaxwell: holy moly i am going to hit DJB! shame on twitter
10:22 < gmaxwell> (I mean I sent him an example sage notebook where I do exactly that, G=x^-1H )
10:25 < gmaxwell> I can agree with him that it's not the most important thing... but it's also so easily avoided as an issue.  I suspect he may have been disinclined to agree with me because his curves wouldn't meet the criteria (I have no clue where his base points came from).
10:27 < adam3us> gmaxwell: reading this bit now "What about rigid choices of base points?" from
10:28 < gmaxwell> Oh, wow, he must have added that after my email discussion with him!
10:30 < adam3us> gmaxwell: hmm he still disagrees however, he claims it doesn't matter however this may be another one of those "depend what the use case is" things.  to me i think the base should be fairly chosen or even a small set of fairly chosen base points should be presented
10:31 < adam3us> gmaxwell: that's rather narrow minded - if someone needs G & H then they can't use his G.  they have to ignore it and safely generate two more
10:32 < adam3us> gmaxwell: which is a big onus to put on the implementor now they have to get into complex EC math arguments and understand the curve generation and limitations.  big area for mistake or community rejection of their proposal
10:34 < gmaxwell> adam3us: I think the smallest possible x / y for performance reasons (makes a multiply easier) isn't /terrible/. I didn't realize that's what he'd done for his own curves.
10:34 < gmaxwell> But yea, I'm glad you agree that it's stupid to not get this right.
10:35 < adam3us> gmaxwell: oh that's not too bad.  you have to consider also that someone could adapt the curve params to have a known discrete log small x,y.  but as the curve params are chosen deterministically with rigid criteria and plausible seed
10:36 < adam3us> gmaxwell: then its probably ok
10:36 < gmaxwell> adam3us: yea, funny that I managed to not gather that from his emails. I only realized it after reading the update to the page and then looking at the values.
10:37 < adam3us> gmaxwell: he probably never said it - unstated assumption
10:42 < cfields>;a=commit;h=0cb112f7400187275da81a05a9ad0534f1430139
10:42 < cfields> all determinism problems in binutils (that i'm aware of) fixed.
10:42 < sipa> \o/
10:44 < adam3us> btw about bitcoin implies need for end2end airgap model, someone i talked to said they discovered an egress vpn tunnel via their custom firewall scripts (pretty hard core security geek to notice) within a few days of talking to me.  seems like skype is a risk suggest not running it at all, running in vm (maybe there are people with skype & vm escape zerodays) or running it on a burner laptop on a different network literally
10:44 < adam3us> for people who seemingly are incapable of installing jabber client & otr because they want to do bitcoin stuff, but that's too complex :|
10:46 < adam3us> advice: paranoia *= 2 if you have bitcoins non airgapped, exchange accounts with bitcoins or doing bitcoin dev work.  my prediction this security attack to the level of being willing to burn 0days to get into suspected interesting places ramping up
10:48 < adam3us> even airgapped bitcoins are at risk if you spend them.  you need some better way to check the deposit address on exchanges.  they need to use unique per user chain codes
10:48 < K1773R> setup the honeypots!
10:54 < gmaxwell> I've been using canary coins for a long time, never had one trigger, so I don't know if they work.
10:55 < adam3us> probably IMO baseband processor hacked or other smart-phone vector to attack google authenticators are the next step.  it'll take the shine out of bitcoin if non-tech users get ripped (or even reasonably tech people who don't know how to setup hard core secure environments)
10:55 < gmaxwell> (canary coins = leave an easily found unencrypted wallet.dat on bastion hosts; hopefully someone who compromises the host moves the coins right away thus alerting you)
10:57 < adam3us> gmaxwell: yes.  there may be different attacks tho - random ones, and targeted ones aimed at people with known early bitcoins or who might be suspected to have early bitcoins.  unfortunately i am in the suspected but actually not - have to tolerate the attacks, but without the coin hoard :)
10:58 < adam3us> and we saw jdillion's pgp was compromised and his private decrypted msgs posted on the forum.  pgp on line computer is probably not good in this environment
10:58 < gmaxwell> adam3us: well that's true for lots of us. I worry about people following me home. It's not nice to fear that some idiot might think that mugging you might yield a hundred million dollars .. without actually having the hundred million dollars. :P
11:01 < adam3us> gmaxwell: precisely. you can't afford or don't want to spend 1/3 your salary in using 100-millionaire private security type setups (body guards). so it's kind of a shitty situation.  you are exposed to the risks without the upside.
11:02 < adam3us> gmaxwell: this is why my bct sig line said for a long time "I am not satoshi" => i don't have many coins
11:03 < cfields> hmm, who should i ping about gitian stuff?
11:03 < gmaxwell> devrandom
11:03 < cfields> i need a raring builder
11:03 < cfields> ok. he comes around irc, right?
11:04 < cfields> nm, i see him in -dev
11:04 < adam3us> also OS upgrades are stupidly insecure.  they are checking signatures not hashes.  they can't check hashes because the new module wasn't coded at the time.  we need something like laurie's cert transparency for OS patch hash transparency; as is possibly a weak point is the ubuntu/fedora etc package builder, or for anything x509 code signed another hacked CA
11:05 < cfields> ping Luke-Jr
11:10 < adam3us> so what about end to end address security. if you and another user have a trezor.  say you need to pay someone 1btc or something non-trivial how do you know you have the recipients address, if you are using an online computer to create the offline signable transaction
11:11 < adam3us> seems like you need to use an address signed by the sender's base keypair (and encrypted with your base keypair) for end2end privacy and address authenticity
11:13 < adam3us> new armory feature I think  you could make it a non-transferable signature probably would be slightly better if the payment request receiver is airgapped.
11:13 < adam3us> maybe this could be done as a payment request extension
11:14 < petertodd> adam3us: addresses aren't useful; identities are
11:14 < petertodd> adam3us: people keep trying to re-invent PGP...
11:14 < adam3us> this bitcoin thing is getting ahead of its own operational security tools - trajectory could be disrupted, or stupid central trust solutions or static addresses used as a counter-measure
11:15 < adam3us> petertodd: right, but when you send someone address via an unsecured connection and online computer (which may be subject to 0-day compromise even with best precautions as the bitcoin stakes increase)
11:16 < adam3us> petertodd: currently you make no attempt to prove the identity owning the address to the offline wallet about to make the payment.  you just read it off the screen of a potentially compromised system which can put someone else's address on the screen
11:16 < petertodd> adam3us: yeah, but doing fancy crypto with addresses doesn't change a thing - the address still doesn't involve a human-meaningful identity
11:16 < petertodd> adam3us: well yeah, that's what the payment protocol is for, and for the decentralized case, add OpenPGP support and teach TREZOR about the WoT (have fun with that!)
11:17 < adam3us> petertodd: well there's no trust anchor.  in the same way we exchange pgp fingerprints, we need to exchange like static vanity/random encryption address, and use that for encryption
11:17 < adam3us> petertodd: pff payment protocol is signed by an online ssl signing key
11:18 < petertodd> adam3us: sure, but would you rather exchange a single purpose bitcoin addr or an actually using for stuff in general pgp fingerprint?
11:18 < adam3us> petertodd: i bet 99% of web servers will sign it with their existing SSL key
11:18 < petertodd> adam3us: that's the only way it could possibly work
11:18 < petertodd> adam3us: payment protocol doesn't do any good if the identity involved != the identity of the website the user just visited
11:18 < petertodd> adam3us: sad but true
11:18 < jgarzik_> adam3us, scrolling back a bit, what do you mean RE OS upgrades when you say "they cant check hashes because the new module wasnt coded at the time."
11:19 < adam3us> petertodd: what i mean is we have the infrastructure available, but just lack the tools.  offline wallet use base address as identity, but hash on biz card, pgp sign as attribute etc
11:19 < jgarzik_> adam3us, RPMs sign file hashes
03:36 < gmaxwell> amiller: you may find interesting:  looks like somewhat strong evidence of a 25% hashpower miner using it to exploit a gambling site.
03:36 < gmaxwell> (I'd say conclusive, but I think it's at least slightly plausible that someone else is framing them)
03:41 < michagogo|cloud> gmaxwell: could you give an example of a way they could be framed?
03:42 < michagogo|cloud> Finding their mining node or something?
03:42 < gmaxwell> e.g.
03:42 < gmaxwell> 3. Going further, I found the address the earnings from attack were sent to: 12e8322A9YqPbGBzFU6zXqn7KuBEHrpAAv
03:42 < gmaxwell>
03:42 < gmaxwell> And then part of these funds (125 BTC) was sent to's mining address:
03:42 < gmaxwell>
03:42 < gmaxwell> ...
03:42 < gmaxwell> The attacker could have just paid some of their loot to to make it look like they were in on it.
03:44 < phantomcircuit> gmaxwell, that's a lot of coin to frame them
03:44 < gmaxwell> To be clear: I think it's more likely that the simpler explanation is correct. I'm just trying to behave responsibly by making it clear that I haven't seen enough to eliminate all doubt.
03:45 < gmaxwell> phantomcircuit: if you're a competing pool... and the funds were the proceeds of an attack.. I don't see why losing half of them to frame someone wouldn't be a great plan.
03:46 < phantomcircuit> there isn't really anybody competing with them
03:46 < phantomcircuit> iirc most of their hashing power is from
03:46 < phantomcircuit> who aren't going to care about this at all
03:47 < gmaxwell> also, I expect that if there are attacks going on whats actually happening is that is doing hashpower for hire instead of attacking themselves.
03:48 < gmaxwell> which would also explain all the evidence and changes the surface of culpability somewhat. (and more importantly, teaches us a slightly different lesson)
03:49 < phantomcircuit> gmaxwell, 45k transaction fee
03:49 < phantomcircuit> heh
03:49 < gmaxwell> e.g. the payments aren't to frame, they're payments for the hashpower they bought.
03:49 < gmaxwell> step 1) buy hashpower for a small markup over its worth, step 2) double spend the crap out of some shitty gambling site, step 3) profit.
03:51 < gmaxwell> just requires someone with a bunch of hashpower which is greedy or stupid enough to go along with people buying their hashpower. Sadly, lots of people sold hashpower on pirate40's service (confirmed by the SEC).
03:53 < gmaxwell> another interesting point is that they could have profitably (well, positive EV) performed this attack even if the gambling site had required 6 confirms, if they really did have 25% hashpower behind the attack.
03:54 < gmaxwell> (25% reverses 6 confirms 5% of the time)
03:55 < michagogo|cloud> gmaxwell: so I'm guessing house edge is <5%?
03:55 < phantomcircuit> gmaxwell, except that screwing with unconfirmed transactions isn't likely to freak anybody out
03:55 < phantomcircuit> screwing with 6 confirm transactions is
03:56 < michagogo|cloud> Also you have the coinbases that you lose if you fail
03:56 < gmaxwell> michagogo|cloud: yea, these betting sites always have really small edges, enough that they almost certainly fail for the largest bets they allow
03:58 < gmaxwell> michagogo|cloud: yea, you just need the attack to be profitable enough that you offset the coinbase loss expected. Which you can do because the absolute return on the attack is infinite (well, bounded by the casino's bank account, maximum bet size, and number of txn you can put in a block) even though the relative return is only some percentage.
03:59 < gmaxwell> this isn't to say that attacking 0 confirmed stuff isn't much better for the attacker, it is... but just 6 confirms doesn't stop such an attack from being positive EV if you can buy the hashpower to do it at a small markup.
04:01 < gmaxwell> Because the site does 0 confirm you can double spend them with no hashpower at all. I don't really understand why the attacker bothered with the hashpower.
04:01 < gmaxwell> Your success rate is lower, sure, but your costs are lower.
04:01 < warren> Despite this, people don't seem concerned about the real problem, massive centralization.
04:02 < warren> And I'm thrilled by the huge positive response to the p2pool grant yesterday.
04:02 < warren> <crickets>
04:02 < phantomcircuit> gmaxwell, the obvious answer is because they already had it
04:04 < gmaxwell> warren: dude, no one gives a shit about technology except us. :(  This is why I think paying people to mine on p2pool is important.  Or rather, it's not that people don't care, it's that it's really mentally expensive to sort this stuff out so people don't think about it.  If you tell them upfront that they'll make more by switching to p2pool, then they don't have to think through the other stuff.
04:05 < phantomcircuit> lol it's funny cause really nobody cares
04:05 < warren> gmaxwell: make p2pool more scalable and easy enough for a caveman, maybe with no apparent share orphans/DOA with share merging, and tell them the pool's fees are lower than anything else, and then entice people to join with random donation subsidies.
04:06 < warren> currently I'm not confident that donating is well spent to attract miners who will stay
04:06 < phantomcircuit> warren, people are hella lazy
04:06 < phantomcircuit> once it's setup nobody is changing shit
04:07 < warren> it's rather scary that things are moving beyond mere centralized pools ... huge hashrate for hire
04:07 < gmaxwell> warren: perhaps but it will be months at best before it's not a huge pita. and most of that isn't fixing p2pool. The fact that people are trying to run their mining on hardware that can't run bitcoind is at least as big of a barrier as anything inside p2pool.
04:07 < gmaxwell> warren: most people using bitcoin have no idea what role mining fills in the system.
04:07 < warren> gmaxwell: indeed
04:08 < gmaxwell> I reported here week before last of my experience at the SV bitcoin users group. Lots of excited people, even generally technically competent ones (uh with technical CVs that include a lot of php and ruby...), almost none with any real clue how bitcoin works.
04:08 < gmaxwell> Even miners often have no clue what role mining serves.
04:09 < warren> past assumptions always assumed that large quantities of greedy miners will secure the network
04:09 < warren> centralized pools broke that
04:09 < warren> and greed can lead to even worse things
04:10 < gmaxwell> well, someone made the mistake of assuming miners were rational and well informed.
04:10 < michagogo|cloud> 11:05:45 <warren> gmaxwell: make p2pool more scalable and easy enough for a caveman, maybe with no apparent share orphans/DOA with share merging, and tell them the pool's fees are lower than anything else, and then entice people to join with random donation subsidies.
04:10 < michagogo|cloud> AIUI, p2pool's model inherently has many stales
04:10 < gmaxwell> the fucking stales are irrelevant. gah. stop @#$#@$ derailing things with that warren.
04:10 < warren> michagogo|cloud: please don't get into this right now, you're demonstrating the most common misunderstanding of p2pool
04:11 < gmaxwell> warren: and you encouraged him to accidentally! see how that works?
04:11 < michagogo|cloud> But the payout mechanism means that all that matters is your stales aren't proportionally more than others'
04:11 < michagogo|cloud> Okay, sorry
04:12 < gmaxwell> michagogo|cloud: :) if nothing else there is a major UI problem there though. Because it's hard to get people to as sophisticated an understanding as that.
04:12 < michagogo|cloud> Lol, #$#@$ got detected as a channel
04:13 < warren> one of the proposed counter-measures against the selfish miner thing was the honest pools forming a cartel.  If p2pool were to grow huge, that would become impossible.  Now that being possible at all is scary.
04:20 < warren> gmaxwell: I don't see any fix for the greedy miners seeking profit by selling their hashes issue.
05:52 < adam3us> so is there any reason not everyone is mining on p2pool?
05:53 < sipa> complexity & variance
05:54 < gmaxwell> Yep, plus ignorance and lazy.
05:54 < gmaxwell> People think pool fees of 3% aren't much...
05:55 < warren> adam3us:
05:55 < sipa> when they're less than your monthly variance, you won't notice it anyway :)
05:55 < gmaxwell> (but really, it's a lot more work to use: you have to run bitcoind.. which is like a day plus of install time and 15 gb of disk space and means you can't run on a raspberry pi)
05:55 < gmaxwell> (then you have to run p2pool, which is at least pretty easy)
05:55 < adam3us> to me 3% is phenomenally high, maybe i should start a pool with lower fees that refuses no GBT miners
05:56 < gmaxwell> vs: plug in miner, type in url. Receive bitcoins.
05:56 < gmaxwell> adam3us: then you're suspect because you charge too little, obviously the majority of people paying 3% or more are getting something of value!
05:56 < gmaxwell> plus for non-PPS pools, being a small pool means you have enormous variance, you're objectively less good.
05:57 < gmaxwell> (or at least, very small pool)
05:57 < gmaxwell> (once you're finding a block a day the variance is probably not so bad)
05:57 < adam3us> gmaxwell: yeah the reality of decisions people make is sooo stupid that moderately smart people can't even comprehend or predict the market outcomes
05:57 < warren> sigh, I really thought at least one person would have donated there.
19:46 < petertodd> what's nifty about it, is a core bit of the trust would be the exact same merkle-sum utxo tree that Bitcoin itself might have one day
--- Log closed Mon Apr 15 21:30:49 2013
--- Log opened Tue Apr 16 07:52:17 2013
--- Log closed Tue Apr 16 07:52:45 2013
--- Log opened Tue Apr 16 07:53:09 2013
--- Log closed Wed Apr 17 00:00:52 2013
--- Log opened Wed Apr 17 00:00:52 2013
--- Log closed Wed Apr 17 01:04:57 2013
--- Log opened Wed Apr 17 16:25:13 2013
--- Log closed Thu Apr 18 00:00:54 2013
--- Log opened Thu Apr 18 00:00:54 2013
--- Log closed Thu Apr 18 00:58:33 2013
--- Log opened Thu Apr 18 01:13:52 2013
22:03 < realazthat> sipa: ping
--- Log closed Fri Apr 19 00:00:55 2013
--- Log opened Fri Apr 19 00:00:55 2013
--- Log closed Fri Apr 19 02:38:04 2013
--- Log opened Fri Apr 19 02:44:28 2013
03:23 < sipa> realazthat: yes?
03:23 < realazthat> I had a question but I'm following the boston situation :P
03:24 < realazthat> O
03:24 < realazthat> er
03:25 < realazthat> I'll ping you when I wake
--- Log closed Sat Apr 20 00:00:56 2013
--- Log opened Sat Apr 20 00:00:56 2013
--- Log closed Sat Apr 20 00:19:43 2013
--- Log opened Sat Apr 20 00:45:29 2013
--- Log closed Sat Apr 20 01:23:01 2013
--- Log opened Sat Apr 20 01:28:14 2013
20:46 < vazakl-> sup
--- Log closed Sun Apr 21 00:00:58 2013
--- Log opened Sun Apr 21 00:00:58 2013
--- Log closed Mon Apr 22 00:00:59 2013
--- Log opened Mon Apr 22 00:00:59 2013
--- Log closed Mon Apr 22 02:09:04 2013
--- Log opened Mon Apr 22 04:14:23 2013
--- Log closed Tue Apr 23 00:00:00 2013
--- Log opened Tue Apr 23 00:00:00 2013
--- Log closed Tue Apr 23 02:54:37 2013
--- Log opened Tue Apr 23 03:09:51 2013
03:09 ! [freenode-info] if you're at a conference and other people are having trouble connecting, please mention it to staff:
15:13 < DrChill> About to make a bot that buys and sells +0.75%, thoughts? It would get the average price after a successful buy+sell, and then use that to make the next trade
15:14 < realazthat> so you make money assuming bitcoin goes up
15:14 < realazthat> eventually
15:14 < realazthat> in that case, why not just buy and hold?
15:14 < realazthat> hmm dunno
15:15 < DrChill> It would buy low and sell high but in small increments
15:15 < DrChill> So even if the market is stable, it would profit
15:15 < realazthat> try it on old data :D
15:16 < DrChill> Indeed, I used to do something like this on a game, and made some profit doing it, should be fun to make :)
15:18 < realazthat> lol
15:49 < sipa> DrChill: off topic here
15:50 < DrChill> sipa: Ah, ok, sorry
--- Log closed Wed Apr 24 00:00:01 2013
--- Log opened Wed Apr 24 00:00:01 2013
--- Log opened Wed Apr 24 10:04:23 2013
19:11 < amiller> i've been working on a couple new thoughts
19:11 < amiller> about incentive modeling
19:11 < amiller> i think the coinbase maturity time is harmful
19:11 < amiller> i'll explain why
19:11 < amiller> lets say for now my model is some mix of attacker / honest / rational miners
19:12 < amiller> where all of the miners have to pay their mining costs, and the key thing about the rational ones is that they have to earn at least enough profit to pay off their costs otherwise they don't participate
19:13 < amiller> what we want, and what seems to generally be the case, is that it's rational to act like the honest nodes, in other words building on the longest valid chain you know about
19:14 < amiller> and basically the reason why that's rational is because if you mine on any smaller chain, it's more likely that someone else will extend the other block rather than yours so it will be wasted
19:14 < amiller> this breaks down under some conditions.
19:14 < amiller> the particular scenario i want to focus on is when there is an enormous anomalous fee paid in a single block
19:15 < amiller> think of a million dollar transaction fee
19:15 < amiller> suppose someone mines that block and claims that whole fee
19:16 < amiller> you have a choice of either trying to mine your own block and claim the fee for yourself or building on top of that other guy's claim
19:18 < amiller> if you assume everyone else is honest, then you stand a lot more to gain by working on your own block
19:18 < amiller> that means it is not a nash equilibrium to work on someone else's block.
19:18 < amiller> ok so
19:19 < amiller> on the other extreme, you have to consider that even if you succeed at mining the block, it's possible other people won't extend yours anyway
19:19 < amiller> so!
19:20 < amiller> what's the optimal behavior/
19:20 < amiller> you try to mine on the other block
19:20 < amiller> but if you succeed
19:20 < amiller> you take only a tiny bit of the fee for yourself!
19:20 < amiller> you broadcast a new transaction that puts most of the enormous fee back into the mempool!
19:21 < realazthat> hehe
19:21 < realazthat> or,
19:21 < amiller> now everyone would be fighting over that block more than yours
19:21 < amiller> so the nash equilibrium is when you take exactly what the cost of the work is
19:22 < amiller> because that's when no one has any incentive to remove your work for only a marginally higher rewards
19:22 < realazthat> you "make a deal" with a bunch of mining coops to fork at that very block, giving rogues a chance at that fee
19:22 < realazthat> or is that one of your suggestions
19:22 < realazthat> mm nvm
19:22 < realazthat> I think its the same thing
19:23 < amiller> now notice how the coinbase maturity prevents the nash equilibrium strategy from being reached
19:24 < amiller> because the only way someone could create that offshoot transaction to keep progress going forward
19:24 < amiller> is if you have unbounded budget in reserve
19:24 < amiller> because you can't use your coinbase transaction that earns the huge fee to create a transaction for them to include in the next block
19:25 < amiller> therefore the coinbase maturity actually *encourages* anti-consensus behavior
19:25 < amiller> it makes it impossible to take anything less than the whole damn fee
19:25 < amiller> thus greatly increasing the value in quibbling over a big fee
20:20 <@gmaxwell> amiller: for some time I've wished that half the fee paid out in this block, and half of the rest paid out in the next block and so on.
20:21 <@gmaxwell> amiller: but this creates incentives to pay fees externally.
20:21 < amiller> i think my solution is great
20:21 < amiller> it means it's an auction
20:21 < amiller> you should take as much of the fee for yourself as you can except to the extent it makes it more likely for someone else just to outmine you
20:21 < amiller> actually i can be a little more specific than that
20:22 < amiller> nvm no i can't
20:25 <@gmaxwell> amiller: I don't think that actually matters, you'd just force people to pay you out of band instead of via direct fees.
20:26 < amiller> gmaxwell, i don't see what you mean
20:27 <@gmaxwell> amiller: the equilibrium state is that there are no fees in transactions at all, and people are just paying miners via some other means.
20:29 < amiller> i don't see why that's an equilibrium either
20:30 < sipa> i think the equilibrium state is that people who care about security, run a miner themself
20:30 < sipa> to get their own transactions mined
20:31 < amiller> i don't see how that helps security either
20:32 < amiller> anyway there's at least two different types of roles here, the miners and the users, and for the sake of the discussion i originally meant to hold the users constant
20:32 < amiller> where they pay whatever the fees are worth and the only way to do it is via transaction fee
20:33 < amiller> i don't understand how the ability to pay people out of band changes it or why that's cheaper/preferable
20:33 < amiller> or why mining your own transactions helps anything
20:36 < sipa> 'equilibrium' != 'helps'
20:37 < sipa> (but i'm not very knowledgeable about this, so if you don't agree, assume i'm wrong)
20:40 <@gmaxwell> amiller: because in my example there are no 'fees', and so incentive to orphan transactions.
20:42 < amiller> gmaxwell, i don't understand how this side payment mechanism works, so i don't really understand what you mean
20:43 <@gmaxwell> amiller: E.g. you send me shares and I pay you with regular bitcoin transactions just for virtue of trying to mine my transaction.
20:44 < amiller> and that's more cost effective than attaching a fee to a transaction
20:44 <@gmaxwell> it removes any orphaning incentive.
20:47 < amiller> sorry what's an orphaning incentive
20:48 < amiller> the only reason to pay tx fees is to be included in the next block as opposed to some later block right
20:55 <@gmaxwell> 16:14 < amiller> this breaks down under some conditions.
20:55 <@gmaxwell> 16:14 < amiller> the particular scenario i want to focus on is when there is an enormous anomalous fee paid in a single block
20:55 <@gmaxwell> 16:15 < amiller> think of a million dollar transaction fee
20:55 <@gmaxwell> 16:15 < amiller> suppose someone mines that block and claims that whole fee
20:55 <@gmaxwell> 16:16 < amiller> you have a choice of either trying to mine your own block and claim the fee for yourself or building on top of that other guy's claim
20:55 < amiller> oh i see
20:57 <@gmaxwell> also on that subject petertodd has suggested that all users should nlocktime their transaction at the earliest height they think they could be reasonably mined at... so the chain must move forward to gobble up those fees.
20:57 < amiller> so my solution is for the miner who mines to put the rest back as a fee for the next miner to take
20:57 < petertodd> keep in mind, the worst case scenario only happens with optimal miners who have actually implemented code to do all this magic stuff. If you make it nearly always not worthwhile that code won't exist.
17:22 < sipa> bitcoin (at the protocol level) isn't designed for microtransactions
17:27 < phantomcircuit> arbart, trust a third party
17:27 < phantomcircuit> remember that the transactions are micro
17:30 < sipa> #bitcoin-dev please, btw
17:31 < arbart> sipa, cool, that is what i was wondering then i guess
17:31 < arbart> and alright, what is the purpose of this channel then, I thought it was similar?
17:33 < Luke-Jr> this channel is more like extreme advanced stuff that isn't really practical :p
17:33 < arbart> well that is what I like :)
17:33 < sipa> arbart: oh, i misread your line
17:34 < sipa> i thought you said "what is the state of enabling microtransactions", which would apply to bitcoin-as-it-exists today
17:34 < sipa> for state-of-the-art, there are some more interesting ideas
17:34 < sipa> like probabilistic transactions
17:34 < arbart> yes, now you are talking :) why i came here
17:36 < gmaxwell> probabilistic transactions are more of a social/political challenge than a technical one. (I think the lottery protocols iddo/adam3us worked on can basically be applied directly to create a probabilistic payment)
17:37 < arbart> ah interesting, i didn't find this before, now searching 'probabilistic transactions', i find much stuff! sipa, thank you already!
17:37 < sipa> arbart: gmaxwell certainly has more state about it than i do
17:39 < arbart> gmaxwell: what is the social/political challenge you see with it?
17:39 < Luke-Jr> arbart: 'probabilistic transactions' essentially means 9 times out of 10, you get nothing, and the 1 other time you get a penny
17:40 < gmaxwell> arbart: Many people seem to not regard a probabilistic payment as a payment.
17:41 < arbart> ok, i'm starting to see. reading right now.
17:43 < sipa> gmaxwell: many seem to not regard playing lotto as paying tax either
17:46 < gmaxwell> sipa: People are implementing batch DSA verification in this thread:
17:46 < arbart> it is interesting so far :)
17:46 < arbart> i understand it now
17:47 < sipa> gmaxwell: how do they overcome not knowing R.y?
17:47 < arbart> i think i am in -wizards and not -dev is because stuff like that gmaxwell is good to have, but not enough a solution, something more extreme :) is needed
17:48 < gmaxwell> sipa: brute force.
17:49 < arbart> i suppose it is hard to tell though, that looks interesting, and combined with pruning and all, might enable native nanotransactions
17:50 < petertodd> arbart: pruning doesn't make the bandwidth problem go away unfortunately
17:50 < gmaxwell> sipa: basically you guess the sign and test and apparently this still comes out ahead.
17:50 < gmaxwell> arbart: native nanotransactions
17:50 < gmaxwell> doesn't really sound sensible in a global consensus system.
17:50 < arbart> :)
17:50 < gmaxwell> Now, you can do things to perform them non-globally and that perhaps becomes more interesting.
17:50 < arbart> hmm :)
17:50 < petertodd> arbart: now, an interesting question is if you really need global consensus? I think there are blockchain structures that don't
17:51 < arbart> ahh, right
17:51 < gmaxwell> So there are a couple paths to relaxing that which have different tradeoffs.
17:51 < petertodd> arbart: right now just trusting a third-party is probably far more practical
17:51 < arbart> maybe global checkpointing, but only local is interested in the details usually, etc?
17:52 < petertodd> arbart: trusting third-parties and non-global-consensus blockchains have interesting convergence re: security I suspect
17:52 < gmaxwell> are you just stringing words together? :P
17:52 < arbart> i understand the third-party thing, another avenue im interested in
17:52 < petertodd> arbart: global *ordering* is a better term
17:52 < petertodd> arbart: heh, lets see if I can explain my pet idea to you re: tree-chains... so imagine you have a blockchain, and you merge mined two child chains with it, left and right.
17:52 < arbart> only out of the necessity you think is there
17:52 < petertodd> arbart: you know what merge-mine means?
17:53 < arbart> ok, i get that term
17:53 < arbart> petertodd: not yet
17:54 < petertodd> mining: I find a pow solution so that my block will be part of the consensus
17:54 < petertodd> merge-mining: the rules of the system let me re-use a pow solution from a different consensus system, letting me do one bit of work, yet get two blocks from two different systems
17:54 < arbart> ok, intuitive :)
17:55 < petertodd> merge-mining is implemented by just letting you prove the block solution for system #2 by showing a merkle path through some tree that terminates in the blockheader for system #1
17:55 < petertodd> (namecoin does this)
17:56 < arbart> ok, i was guessing that, so i think i got it :)
17:56 < petertodd> right, so we have the parent chain, and two child chains, left and right, got that? you can mine the parent chain, or the parent chain and the left chain, or parent and right chain (in our system)
17:57 < arbart> petertodd: was just about to prod you :)
17:57 < petertodd> basically it's *exclusive*, you can only mine the left *or* right child chain (or neither)
17:57 < arbart> oh ok, noted
17:58 < petertodd> this means the work done on these child chains will tend to be half that of the parent (assuming the reward is halved for instance)
17:58 < petertodd> however, this also means that a given miner only needs the data, and thus bandwidth, cost of the parent and one child. so the total # of transactions in both children can be higher and the system still works
17:59 < petertodd> the downside is that transactions in either child chain have less security, it only requires 25% of the hashing power to reorg that chain as the parent chain
17:59 < petertodd> got that?
17:59 < arbart> oh wow, yes, a load balancing mechanism :) thinking about the security aspect though
18:00 < petertodd> yeah, so we've figured out how to make it more scalable, now, what about the security? well, lets make a new rule! if a pow solution for a child chain *also* meets the difficulty of the parent, we say that block is fixed - it's only allowed to be reorganized if the parent chain itself gets reorganized
18:01 < petertodd> now it takes 50% of total hashing power to attack the child chain right? nope
18:01 < petertodd> can you guess why?
18:01 < arbart> i guess im missing the reorganized part
18:02 < petertodd> reorg just means work is done to extend a block other than the current best block, so when your node learns about the longer chain, suddenly the shorter one is made invalid by definition
18:02 < arbart> well at least because only half the network is working on each side of the chain?
18:02 < petertodd> remember, the problem bitcoin is trying to solve is consensus on what's the longest chain
18:02 < arbart> ah nice okay, was just missing that definition
18:02 < petertodd> arbart: sure, but an attacker can still get some hashing power somehow and reorg one of those child chains, and they only need 25% of the total hashing power to do that
18:02 < arbart> or word i mean
18:03 < petertodd> good
18:03 < arbart> ah right, half of half, got it now.
18:03 < petertodd> yup
18:04 < Luke-Jr> petertodd: you coming to Miami?
18:04 < petertodd> so here's the question: with this fancy "parent chain locks things" scheme, why can the child chain be still attacked with just 25% hashing power?
18:04 < petertodd> Luke-Jr: isn't that, like, right now?
18:04 < Luke-Jr> petertodd: tomorrow :p
18:04 < petertodd> Luke-Jr: heh, nah, tomorrow's my last day of work, couldn't make it
18:05 < petertodd> Luke-Jr: how long does it go? I guess I could strictly speaking... :P
18:05 < Luke-Jr> Saturday and Sunday is the main conference! :p
18:05 < petertodd> Luke-Jr: heh, nah, too tight
18:05 < arbart> hmm, that is a sucky result, a good question to analyze, in order to make sure it is right :)
18:05 < Luke-Jr> Friday is just the pre-conference thing
18:05 < petertodd> arbart: Well, lets think this through: what does attack mean anyway?
18:06 < petertodd> arbart: So, I could attack the chain by making only empty blocks and make it useless, I could also attack it by reorganizing it and double-spending transactions... but there's one other thing I can do.
18:06 < arbart> well the value of what they are attacking is also half i suppose. that counts for enough to throw the game theory?
18:06 < Luke-Jr> petertodd: the first case is debatable
18:06 < petertodd> arbart: maybe! but what if they're just assholes and want to burn the world?
18:07 < petertodd> arbart: we might as well know how much said assholes need to spend
18:07 < arbart> so the one you didn't list is to just not allow new txs to be added?
18:07 < petertodd> Luke-Jr: for sake of argument, we'll say empty blocks are an attack
18:07 < petertodd> arbart: yup
18:07 < gmaxwell> "making only empty blocks and make it useless"
18:07 < arbart> ok, heh, that is the main one i knew about
18:07 < petertodd> arbart: oh, sorry, no, there's one I didn't list that's more subtle
18:08 < arbart> petertodd: ok, i understand, and agree with that knowledge being valueable!
18:09 < petertodd> arbart: I'll give you a hint: this rule where a particularly good PoW "locks" in the chain, how would you actually implement that?
18:10 < arbart> oh my, so put in their own entire child chain?
18:10 < petertodd> well, here's the big thing: in this scheme I'm assuming that miners mining these child chains also have full consensus on the parent, and all associated data
18:10 < arbart> i wondered about the exact implementation of what you asked there, but did not formulate or see how it is done yet.
18:11 < petertodd> yeah, implementation is critical
18:11 < arbart> ok,
18:11 < arbart> i was thinking it wouldn't be that easy for my fear there
12:39 < petertodd> Luke-Jr: Like it or not sometimes there are *very* good reasons to be able to prove that the whole of Bitcoin was able to see your data.
12:40 < Luke-Jr> petertodd: not good reasons to force the whole of Bitcoin to see/store data they never consented to see/store
12:41 < petertodd> Meh, Bitcoin can be a better financial system with some of these uses.
12:42 < jgarzik> Luke-Jr, disagree.  Plenty of uses for timestamping.  That alone could revolutionize accounting and finance, in a way that bitcoin-the-currency doesn't IMO
12:42 < jgarzik> gotta strike a balance.  the majority of users just want to transfer or hold bitcoins-the-currency.
12:42 < Luke-Jr> jgarzik: timestamping does not require cluttering the bitcoin blockchain
12:43 < Luke-Jr> just shove a hash in the merged-mining merkletree and that's it
12:43 < jgarzik> require? no.  no other chain has the same strength, so rational economic actors will look at the strongest chain.
12:43 < jgarzik> yes, if there was an alt-chain for data, that all pool ops carried, things would be different
12:43 < petertodd> Luke-Jr: There are applications beyond timestamping you know - announce/commit sacrifices are a perfect example where genuine provable visibility is absolutely vital.
12:44 < Luke-Jr> petertodd: those are just timestamping too afaik
12:44 < petertodd> Luke-Jr: No they aren't: timestamping the announce is useless, you *must* prove that the whole of Bitcoin had the opportunity in advance to mine it.
12:45 < Luke-Jr> hmm
12:45 < Luke-Jr> how would a pre-announce merged-mined block not work for that?
12:47 < petertodd> Luke-Jr: Because if the alt-chain is merge mined by, say, 25% of mining pools your sacrifices are already so dubious as to be nearly worthless.
12:47 < petertodd> Luke-Jr: You need strong convincing evidence that the transaction really was visible to all.
12:47 < Luke-Jr> petertodd: not really. even 25% gives you 1 in 4 blocks
12:48 < Luke-Jr> you just need to wait 1-4 blocks additional
12:48 < Luke-Jr> hmm
12:49 < Luke-Jr> yeah, I think it should be fine
12:49 < Luke-Jr> I do see another problem that affects it regardless of where the pre-announce is done..
12:49 < petertodd> Luke-Jr: It has nothing to do with waiting; the issue is that with 25% a 12.5% pool has sufficient hashing power to 51% attack the proof-of-visibility chain and create sacrifices that were never publicly announced and thus aren't true sacrifices at all.
12:50 < Luke-Jr> petertodd: tie the POV chain to the BC chain
12:50 < Luke-Jr> POV blocks are only valid if they're in the BC chain
12:50 < Luke-Jr> in fact, POV doesn't need a chain of its own at all
12:50 < petertodd> Luke-Jr: Again, that's irrelevant. You need to show that the chain was public knowledge.
12:51 < Luke-Jr> ok, so then make POV a chain again, and each POV block confirms the previous was visible
12:51 < petertodd> Only with a very high participation rate among Bitcoin miners is the proof any good, and frankly at that point you're in the same situation you were before with bloating up a blockchain...
12:52 < Luke-Jr> not the same situation, no
12:52 < Luke-Jr> *users* don't need it
12:52 < petertodd> That's the thing, all it confirms is that x amount of hashing power saw a given transaction, if that x is even just 25% of the main Bitcoin blockchain the proof is already pretty dubious.
12:53 < petertodd> Announce/commit sacrifices already have the issue where you really need to discount them by 50% from the get-go to be sure, and at least 10% or so even if you aren't being cautious.
12:54 < Luke-Jr> why can't you just have a rule that the redemption of a send-to-any must occur in a separate block from the send-to-any itself, to be valid?
12:54 < petertodd> Well, indeed, any type of sacrifice to mining fees, with the possible exception of ones that are only spendable way in the future - months - which can't be done with the current scripting system.
12:55 < petertodd> Luke-Jr: That's what I proposed on the mailing list, and that's a soft fork. The other way is to do the sacrifice as a anyone-can-spend in the coinbase tx.
12:56 < Luke-Jr> petertodd: it's not a soft fork, it just has a risk some miner is a jerk and screws you :p
12:56 < petertodd> Luke-Jr: um... yeah... That's about a 100% risk if fidelity bonds are used even just a bit.
12:56 < petertodd> Luke-Jr: Who doesn't want free BTC?
12:57 < Luke-Jr> too bad there's no nLockTime for scriptPubKeys :P
12:58 < petertodd> Yup...
12:59 < petertodd> Anyway, point is, that's just one example where visibility proofs are essential, and there are a whole lot more out there... dismissing any and all data from the blockchain goes too far.
13:10 < Luke-Jr> I still see no need for it to be part of the BC blockchain
13:11 < Luke-Jr> a merged mine chain can be just as effective while not forcing itself on people who have not agreed to it
13:20 < petertodd> Like jgarzik said with this stuff you want to go for the strongest blockchain, and that'll be Bitcoin. Even merge mining doesn't help there because you are never going to get 100% participation, and if you do, it's damn near equivalent to putting it in the blockchain anyway.
13:22 < Luke-Jr> only equivalent for miners, not for everyone else
13:23 < Luke-Jr> and forcing people to do things against their consent is not justified to get 100%
13:23 < petertodd> Pff, don't give me that consent crap. If you want to enforce that, enforce it with code.
13:23 < Luke-Jr> exactly my point
13:24 < Luke-Jr> POV code should be written so that people can't force others to participate against their consent.
13:24 < petertodd> People run code that accepts arbitrary data right now; to say they aren't consenting to what the code they are running allows is silly.
13:24 < Luke-Jr> ie, if you don't use the merged chain, I won't recognize your proof
13:24 < petertodd> No, Bitcoin-Qt should be written to match what the users wish to consent too.
13:24 < Luke-Jr> petertodd: no, it isn't silly
13:25 < Luke-Jr> yes, gmaxwell proposed a solution to fix this problem on the Bitcoin side
13:25 < petertodd> If we wanted to govern ourselves by social rules we would be using something other than Bitcoin...
13:25 < Luke-Jr> Bitcoin != anarchist
13:25 < petertodd> yup, and gmaxwell's solution works well and if the userbase wishes to they can use it - if you are so concerned about this go and implement that solution!
13:26 < gmaxwell> feh. never that simple.
13:26 < petertodd> But don't give me crap about consent when people are willingly running code that works otherwise.
13:26 < gmaxwell> In a frictionless enviroment what you say is true, but we're not in a frictionless enviroment.
13:28 < gmaxwell> It's not like accepting my hash preimage stuff, even if it were all implemented and tested, is costless. A lot of people would resist it because they're simply unsure or don't understand the implications, even people who are very concerned about people stuffing troublesome data on their disks.
13:28 < gmaxwell> Go look at all the sites that will not pay to 3xxx addresses. :(
13:28 < petertodd> That is true, but going and pouting that people are putting data in the blockchain obviously doesn't stop people from doing so - technical measures stop people.
13:29 < gmaxwell> I don't agree completely. Society is part of how this works too. Pouting influences behavior, including technical ones.  It may, in fact, be a necessary precondition to deploying the technical solution.
13:30 < gmaxwell> We have lots of tools in our toolbelt, and we'd be fools to not use all of them because we've fixated on a particular kind of tool being right for a particular kind of problem.
13:30 < gmaxwell> Though, let me go back here a bit
13:31 < gmaxwell> If you're talking about data which is on the order of 32 bytes/txn ... well, you cannot securely bind a transaction to external data any smaller than that.
13:32 < petertodd> Don't get me wrong, I'm not going to say social measures are useless, my point is that they have proven to be not very useful again and again to anyone who has a reason to go against the social measures.
13:32 < petertodd> They're fine for discouraging people working on hobby projects, but that's about it.
13:32 < gmaxwell> Once you start getting bigger you have to worry that (1) deployment of the preimage stuff will actually break your system, (2) desire to preserve your system (I haven't followed the discussion, I assume you were talking about putting sacrifices in pubkeys?) might be used to argue against preimages, which kinda sucks.
13:33 < petertodd> gmaxwell: Well I was mainly using it as an example where you need a genuine proof-of-visibility and anything less just doesn't work.
13:33 < gmaxwell> amusingly I think that social measures are more effective against businesses than hobby projects; the latter is in a better position to say "fuck you, I don't care what _anyone_ thinks"
13:34 < petertodd> gmaxwell: In response to Luke's assertion that merge mine chains and merkle-trees for timestamping is always good enough.
13:34 < petertodd> The problem is in Bitcoin businesses are often totally anonymous, and the issues where the social measures matter are complex technical things.
13:35 < gmaxwell> petertodd: ultimately any idea that depends on getting unjammability from bitcoin is really fragile, I think. Simply because capacity will kill you if nothing else does.
13:35 < gmaxwell> meh. doesn't really matter if they're anonymous or not, I can deny a business income by social ostracism of their _customers_.
13:35 < petertodd> On the other hand if you can architect in a way where limited capacity is ok, it's the best solution out there.
20:12 < maaku> oh i meant lazy vs strict parameter evaluation (e.g. Haskell)
20:12 < jrmithdobbs> after doing nothing but writing haskell for the last 2 months
20:12 < jrmithdobbs> lol
20:12 < sipa> tree pieces are delimited by choose operators
20:12 < maaku> yes you definitely need lazy/short-cut conditionals
20:12 < petertodd> gmaxwell, sipa: remember that one potential way of doing this is rather explicitly with OP_EVAL and OP_HASH160 (essentially)
20:13 < gmaxwell> sipa: I think you could go further and have two kinds of choose operator, one that hashes and one that doesn't.
20:13 < sipa> gmaxwell: well there can be a regular ifthenelse operator
20:13 < sipa> that has no choose magic
20:13 < gmaxwell> right. fair enough.
20:14 < sipa> i'm saying the same thing i think
20:14 < sipa> except choose is special in that it explicitly takes a hash as argument, and not an expression
20:14 < gmaxwell> Right.
20:15 < petertodd> sipa: note that simple if-else-endif isn't sufficient if scripts or script fragments can return a value before reaching the end of the block - you might not want the rest of the block to be public
20:15 < sipa> but so is const or access, they don't take subexpressions either
20:15 < sipa> petertodd: these are not imperative programs, there is no return operator
20:16 < sipa> they're just expressions
20:16 < petertodd> sipa: right
20:16 < gmaxwell> petertodd: even if there were you could always wrap the hidden data with another choice.
20:16 < petertodd> gmaxwell: true
20:17 < sipa> yeah, choice is there to hide pieces of the script
20:17 < sipa> either because they are large
20:17 < sipa> or because they are private
20:17 < petertodd> sipa: hmm... so when is choice not something you can do with an if block?
20:19 < gmaxwell> (kind of a fun thing where we could make standard addresses  a choice with ecdsa in one branch and then a hash based quantum hard signature in the other... and if there is a compromise of ECDSA we soft fork to deny ecdsa redemption while people redeem coins via the hash based signing.)
20:19 < sipa> i don't think it's really an if in any case
20:19 < sipa> let me come up with an example
20:19 < sipa> to do a 1-of-2 multisig
20:20 < sipa> let's say scriptA is something that fetches a sig from the stack and verifies it with pubkeyA
20:20 < maaku> hrm. I just realized that by executing code from the stack Joy/Cat makes it difficult to Merklize...
20:20 < sipa> scriptB is the same, but for pubkeyB
20:20 < petertodd> sipa: right
20:21 < petertodd> maaku: you can still merklize the initial code up to where the stack is executed
20:21 < jtimon> maaku: that seems right, I guess AST-script it is
20:21 < sipa> now you construct a script of the form choice(scriptA,scriptB), and put its merkle root in the output
20:21 < sipa> however, to spend it
20:22 < sipa> you either use choiceL(scriptA,hash[scriptB])
20:22 < sipa> or choiceR(hash[scriptA],scriptB)
20:22 < petertodd> sipa: see, I'm not sure how that's any different from IF <executed ops> ELSE <hash> ENDIF
20:22 < petertodd> sipa: which is how I always envisioned MAST to work
20:22 < sipa> it's an if then else, but the if/else is hardcoded
20:23 < sipa> it cannot be an expression
20:23 < sipa> its runtime semantics is just the identity
20:24 < sipa> it only affects how the hash of the script is computed
20:24 < sipa> note that choiceL(scriptA,hash[scriptB]) evaluates to just scriptA
20:25 < petertodd> right, and by that I mean in the binary representation of a script, you'd have some way to signify a IF code block that must never be executed, followed by the hash, vs. one containing actual opcodes
20:25 < sipa> right, but i don't like to think of it in term of executable operations
20:26 < sipa> it's just a tree with certain parts covered, by giving a hash instead
20:26 < petertodd> well, we're using similar words for the same thing :)
20:26 < sipa> sure
20:27 < sipa> but i think your original question really was
20:27 < petertodd> see, my real point is, with merklized forth it gets even more sophisticated, because your symbol table is hashes of code, and potentially at runtime you'd do something more sophisticated there just get some chunk of code dynamically
20:27 < petertodd> yet you can still arrange such that code that's never executed is never provided
20:27 < sipa> that's over my head :)
20:28 < sipa> anyway
20:28 < sipa> one question is if there are other merkle-choosing-like operations possible
20:28 < sipa> which do not mimick if-then-else
20:29 < sipa> i think if you have some for(i in [0..n], f(i)) operator
20:29 < petertodd> sipa: tl;dr: forth can do the magic that lisp can do, not with macros, but with self-modifying code
20:30 < sipa> with n a constant integer
20:30 < petertodd> right
20:30 < sipa> then you can have a merkle version of it as well
20:30 < sipa> that takes the hash of the non-evaluated loops
20:30 < petertodd> and for that matter, you can do tail-recursion for loops too...
20:30 < petertodd> and that can still be merklized
20:31 < sipa> without needing to reveal how many loops you wanted to be possible
20:31 < gmaxwell> sipa: well ... if you have a homomorphic hash you can do 1 of N execution more efficiently. Though I'm not aware of any way to do that which we'd consider in scope for this discussion.
20:32 < sipa> haha
20:32 < maaku> petertodd: how are you going to merklize forth?
20:32 < maaku> ah, are you thinking of replacing a quoted block with its merkle hash?
20:33 < petertodd> maaku: remember, we're merklizing the potential code that can be run
20:34 < petertodd> maaku: so if you end up with code that defines new symbols, but doesn't use those symbols, then the symbol definition doesn't actually need to happen if that particular execution trace doesn't use them
20:35 < gmaxwell> sipa: so, linear iterative compression.
20:35 < gmaxwell> say you have some straight line code that can stop at some point.
20:35 < maaku> petertodd: ok, in Joy at least "if/else" is handled like so (I think it's the same for Forth): <predicate-evaluation> [quoted-true-block] [quoted-false-block] OP_IF
20:36 < maaku> in other words, push the code on the stack before execution
20:36 < petertodd> maaku: correct
20:36 < maaku> so I suppose we can replace the branch not taken with OP_RETURN (when executing), plus an affixed hash value for what was there
20:36 < gmaxwell> ins0 1 2 3 4 5 6 7 8	      you compute  H(ins0....H(6|H(7|H(8))...)	and then if you execute and run to step 4 and stop, you'd provide  0 1 2 3 4 H(5...H(8)).
20:37 < maaku> ok that would work
20:37 < petertodd> maaku: and a symbol is a chunk of code, so you have <predicate> Symbol1 Symbol2 OP_IF, and symbol2 never executes, then where the symbol is defined in the first place can be replaced with just the hash of the opcodes that would have been put there
20:37 < gmaxwell> I think that structure is not equal to choices.
20:37 < sipa> gmaxwell: that's exactly what i meant
20:37 < sipa> with the for loop
20:37 < gmaxwell> okay, good then I came about to the same thought.
20:37 < gmaxwell> is there something that generalizes those two? are there more?
20:38 < sipa> very good question!
20:38 < sipa> but it's really about some parametrizable control flow
20:38 < sipa> oh um
20:39 < sipa> this is an expression language
20:39 < sipa> a for loop doesn't really make sense
20:39 < sipa> but you can replace it by a fold
20:39 < sipa> fold(3,f,x) computing f(f(f(x)))
20:40 < petertodd> sipa: you know, you can replace a for loop with repeated opcodes, and zlib compression...
20:40 < sipa> where that recursive hashing becomes much more apparent
20:40 < maaku> jtimon: see above ^^
20:40 < jtimon> yeah
20:41 < sipa> petertodd: that doesn't allow hiding the number of iterations from the root hash
20:41 < jtimon> "Combinators in Joy behave much like functionals or higher order functions in other languages, they minimise the need for recursive and non-recursive definitions."
20:41 < jtimon> maybe it's relevant although I'm starting to get tired and following your interesting conversation gets harder
20:41 < petertodd> sipa: ah, your example of a for loop is to loop based on a stack constant, not a symbol constant?
20:42 < sipa> petertodd: based on a constant given in the spending script
20:42 < petertodd> sipa: yeah, that's different
20:42 < sipa> petertodd: but NOT given in what goes in the root hash
20:42 < gmaxwell> fundamentally the _maximum_ depth of the loop could be hidden. (meaning I can describe a language that allows this)
20:42 < petertodd> sipa: yup
20:43 < sipa> yes, you need to know a maximum iteration count
20:44 < sipa> but you don't have to reveal it
20:45 < gmaxwell> might be interesting to describe a hash based winternitz compressed signature in this language, assuming there exists an OP_PUSH_TX_HASH ... I propose that if our choice operator(s) are good then a maximally efficient winternitz signature will be completely natural.
20:46 < sipa> .. you lost me
20:47 < gmaxwell> sipa: you know how a lamport signature works, right?
20:48 < sipa> more or less, yes
20:48 < gmaxwell> for each message bit x, reveal either preimage_x or H(x) depending on if the message bit is 1 or 0. The public key is just the root hash over this data.
20:50 < sipa> hmm
20:50 < sipa> i need to see that on paper
20:50 < sipa> but now now
20:50 < gmaxwell> winternitz optimization: take your message bits in groups of 4 bits. so your 256 bit message becomes 64 4-bit words. you have then 64 preimages. H( ... 16 hashes total ..H(H(preimage_n))) and your message word selects how deep in this structure you reveal.
20:51 < sipa> right
20:51 < sipa> so you weigh a smaller signatures over deeper hashes
14:37 < adam3us> petertodd: in the next round everyone gets as many votes as they have on their public key and the result defines which tx is first
14:37 < adam3us> (its all random anyway, it doesnt even matter which is first, just that one is chosen)
14:37 < petertodd> Interesting! That could be a decent way to reduce variance, although sounds like distributing the blocks for them to be voted on could be bandwidth intensive.
14:38 < adam3us> if the reward comes direct, maybe people can direct mine
14:39 < petertodd> (FWIW, fpga hardware is in the realm of 10x to 100x less efficient than ASICs depending on what you are trying to do; the FPGA's are commodity assumption is a lot easier to meet - maybe litecoin scrypt is already there)
14:39 < petertodd> adam3us: an idea I had was for the tx merkle tree to include pow
14:40 < petertodd> adam3us: like, every node on the tree would be able to include a specific pow, and you would sum total work
14:40 < petertodd> adam3us: makes it easy for anyone to do the pow for their own transactions, but the validation of the pow has to be reasonably efficient
14:42 < petertodd> (conveniently medium to high-end FPGAs these days all come with blockrams scattered over the die surface)
14:43 < petertodd> (sizes tend to be in the dozens to low hundreds of KiB per block ram, same size as litecoin scrypt assumes)
14:44 < petertodd> (the block rams however are themselves *not* as efficient as dedicated ASICs, because modern memory uses unique IC processes that verge on black magic; I'd have to investigate more to get an idea of what kinds of cost ratios are involved here and what they'd look like in the future)
14:49 < adam3us> petertodd: "an idea I had was for the tx merkle tree to include pow" did you see this paper by fabien coelho, i'm pretty sure you did maybe you were on the im thread when i heard a ref to it
14:49 < adam3us> "An (Almost) Constant-Effort Solution-Verification Proof-of-Work Protocol based on Merkle Trees"
14:50 < adam3us> its just  space optimization and verification time optimization over sending n sub-puzzles, but its quite nice
14:50 < amiller> i bring up that paper a lot
14:50 < amiller> (but when i do, it never solves the problem i want it to)
14:50 < adam3us> amiller: it was probably you i heard it from
14:52 < petertodd> right, that's where I got the idea
14:52 < adam3us> anyway in principle if you can earn voting rights by making disconnected proofs of work the proofs of work are not first past the post races and could even be deterministic (0 variance)
14:53 < adam3us> an end to luck, and you pick your own work size
14:54 < petertodd> Right, but how will that avoid the fastest miner wins problem?
14:54 < adam3us> petertodd: "sounds like distributing the blocks for them to be voted on could be bandwidth intensive." well they're broadcast already for spending
14:54 < adam3us> petertodd: well there is no winner, everyone collects voting power
14:55 < adam3us> petertodd: then you take a vote on which of double-spent tx are first
14:55 < adam3us> petertodd: tx with highest (or lowest) vote wins
14:55 < petertodd> Right, but think about the mechanics a bit more: how do you come to consensus on what block you're even going to vote on?
14:55 < adam3us> petertodd: like i say i dont think it even matters which is first, just that one wins - mining is quite random - the decision is made by a random node in proportion to power
14:57 < adam3us> petertodd: yes i get what you mean, but in this case as the voting rights are disconnected from the item voted on, you can just vote on the few tx that have any conflict (maybe) individually or a sig on a list of them
14:57 < amiller> what about dakami's proof of x86?
14:57 < amiller> i wanna see that
14:58 < adam3us> amiller: dont know i just saw something vague from peter vesennes(sp?) forwarded from xgbtc (ex google bitcoin list) how exclusionary!
14:58 < amiller> it's like the corollary of the no-free-lunch theorem
14:58 < amiller> everyone's optimal at something
14:58 < adam3us> amiller: i think some people are still stuck at not realizing a GPU *is* a better cpu (for mining)
14:59 < petertodd> adam3us: right, but you have to be careful to make sure that people can't reassign their votes - maybe force the pow that creates the votes reference a blockhash for timestamp that hash
15:01 < Luke-Jr> amiller: give Intel a monopoly on bitcoin?
15:02 < amiller> Luke-Jr, i wouldn't have chosen x86, presumably if you can do it for x86 you could do it for anything else too like a TI dsp which has an open spec, or arm
15:02 < Luke-Jr> ARM is even more closed than x86
15:02 < Luke-Jr> I'm not aware of any open TI dsps
15:02 < amiller> i don't even think it's a desirable property, i think bitcoin mining *should* only run on dedicated hardware :/
15:02 < Luke-Jr> perhaps a subset of MIPS would work :p
15:03 < Luke-Jr> amiller: yes, but obviously this would be defining dedicated hardware as "x86"
15:03 < petertodd> amiller: that means control of bitcoin is centralized in the hands of the 2-3 chip fab companies in the world
15:03 < Luke-Jr> back in 2009, an ideal POW would have been one where RAM *was* the ASIC; but SHA256d has caught up
15:03 < amiller> build more chip fabs then
15:04 < petertodd> amiller: the entire world economy appears to be too small to do that. seriously
15:04 < amiller> meh
15:04 < petertodd> amiller: leading edge chip fabrication facilities are insanely expensive
15:04 < amiller> perhaps those don't even optimize for the kind of thing that makes a good bitcoin miner?
15:04 < amiller> i guess that doesn't make sense
15:05 < petertodd> I understand your concern re: hash-renting attackers, but understand it's a trade-off. It would be *very* easy for only a few governments (probably just one) to demand that all Bitcoin mining hardware be regulated in the future.
15:06 < Luke-Jr> frankly, POW is flawed unless over 50% of the world's electric production goes into mining at the most efficient way possible
15:06 < amiller> that is only if your attacker is that big
15:06 < Luke-Jr> at some point, a replacement is needed
15:08 < petertodd> Luke-Jr: nah, that's a certificational flaw, not a pragmatic one :) The flaw really is more that the effort that goes into proof-of-work is only economically, say, 1% to 10% of the value of the system per year, which means any attacker gets a fairly large ratio of value destroyed to value spent, but there's nothing new about that... (box-cutters vs. the WTF)
15:08 < adam3us> petertodd: "adam3us: right, but you have to be careful to make sure that people can't reassign their votes - maybe force the pow that creates the votes reference a blockhash for timestamp that hash" yes there would have to be a timestamp chain included in the work to define the range of tx allowed for voting, and i suppose all previous round tx need to go in there also which comes back to how do you arrive at a serialization
15:08 < petertodd> s/WTF/WTC/...
15:09 < adam3us> amiller: re kaminsky this is what was forwarded to me by email, posted by peter vessenes:
15:09 < petertodd> adam3us: yup, and it sounds like it'll be tricky to come up with a sufficiently simple system for that! though maybe just a direct timestamp chain would work, I'd have to think more...
15:09 < Luke-Jr> petertodd: I'm assuming the value goes up forever
15:09 < petertodd> it'd be really cool if a pure timestamp chain came out of this effort with a fairly short block interval...
15:09 < petertodd> Luke-Jr: ?
15:10 < adam3us> amiller: (on the ex google btc list) "   Kaminsky proposed to me a proof of execution architecture plan which
15:10 < adam3us>    sounds like it could guarantee it was running on Intel cores. I don't
15:10 < adam3us>    want to steal his thunder, but it would be a proof of work that could
15:10 < adam3us>    (provably?) disintermediate both botnet miners and ASIC companies.
15:10 < adam3us>  I've been trolling around for someone to lead a 'health of mining'
15:10 < adam3us>  committee for the Foundation, but haven't found someone willing to do the work of pulling the right folks together -- any volunteers here?"
15:10 < Luke-Jr> petertodd: at some point, it will become worthwhile to attack
15:10 < Luke-Jr> adam3us: ex google btc list?
15:12 < adam3us> sorry that was messed up, again: vesennes "Kaminsky proposed to me a proof of execution architecture plan which sounds like it could guarantee it was running on Intel cores. I don't want to steal his thunder, but it would be a proof of work that could (provably?) disintermediate both botnet miners and ASIC companies. I've been trolling around for someone to lead a 'health of mining' committee for the Foundation, but haven't found someone wi
15:12 < Luke-Jr> sounds like something I'm already involved in, though not as a committee
15:12 < sipa> adam3us: the foundation hasn't really had much to do with development or technical stuff
15:13 < adam3us> petertodd: "it'd be really cool if a pure timestamp chain came out of this effort with a fairly short block interval..." (yeah I know you like your timestamp server;)
15:13 < sipa> also, what do you mean by 'ex google btc list' ?
15:13 < sipa> is there a bitcoin mailing list for ex-googlers? :p
15:14 < adam3us> luke-jr, amiller, sipa: yes when my buddy forwarded it to me (I dont know how he got it because he's not an ex-googler) I was like WTF? exclusive ex-google bitcoin list? how ugly and exclusionary
15:15 < adam3us> could imagine vessenes got the wrong idea; kaminsky likes to throw off-the-cuff thoughts and rants without thinking them through, so it may be quite an unvalidated, vague design idea
15:15 < Luke-Jr> adam3us: anyhow, health of mining is right up the avenue of things I've been doing for a long time
15:15 < amiller> former-marine silk-road squad
20:20 < petertodd> CodeShark: yeah, they fucked that one up though because strings blk*.dat wasn't cut-n-paste-able
20:20 < petertodd> CodeShark: cute though
20:21 < CodeShark> the retrieval tool shouldn't rely on the blk*.dat files at all
20:21 < CodeShark> retrieval should be possible via p2p protocol
20:21 <@gmaxwell> petertodd: see, you don't need an upload tool.. you just need datacoin.
20:21 < petertodd> CodeShark: no, I just mean that bootstrapping it was tough because you had to decode the tx containing the tool yourself
20:22 <@gmaxwell> it has the tool built in.
20:22 < petertodd> CodeShark: well that's a fun one: you can easily design this stuff to be SPV compatible re: bloom filters
20:22 < petertodd> CodeShark: even easier if someone implements prefix filters
20:23 < CodeShark> right
20:26 < petertodd> gmaxwell: it's always a trade-off between fees and security of your data...
20:27 < CodeShark> well, wrt txout bloat, the most sensible "wizards" solution seems to be to decrement the output value as a function of age until it drops to zero, at which point it is unspendable
20:28 < petertodd> CodeShark: MMR TXO commitments shift storage to wallets (roughly speaking)
20:28 < CodeShark> MMR - not sure I'm familiar with that acronym
20:29 < petertodd> CodeShark: merkle-mountain-range
20:29 < CodeShark> how does that work?
20:30 < petertodd> CodeShark:
20:31 < petertodd> CodeShark: there's some ugly issues re: bandwidth storage tradeoffs however - given that miners don't actually have an incentive to broadcast their blocks to >%30 of hashing power there can be incentives to make blocks full of UTXO spends that are ancient that no-one has cached
20:32 < petertodd> CodeShark: but that's a general problem...
20:34 < CodeShark> ah yes, interesting stuff. it's too bad the forums are so cluttered with garbage. on occasion you do find good reads. I suppose I could filter by author :)
20:34 < petertodd> CodeShark: heh, well my fault for not having it written up as a paper yet
20:43 < CodeShark> the way things are right now, a secure signing node would have to store the complete transactions containing their outputs anyhow
20:43 < CodeShark> if for no other reason than that there's no other way for it to verify the output values
20:44 < CodeShark> so here we're also adding an O(log2) structure for proofs
20:44 < CodeShark> of existence in blocks
20:50 < CodeShark> existence of new outputs/removal of spent outputs, I should say
20:50 < petertodd> yeah, it's a fair bit of bandwidth over just the txin data
20:51 < petertodd> OTOH it is purely a tradeoff - if you have the UTXO set you don't have that cost
20:54 < CodeShark> so you would advertise whether or not you have the UTXO in the initial handshake?
20:55 < nsh> hmmm, there might be privacy implications in the negotiation
20:55 < petertodd> well, e.g. for a block being distributed if you don't have the utxo ask your peer to provide the proof
20:55 < CodeShark> asking the peer to provide the proof requires one more roundtrip, which introduces greater latency
20:56 < petertodd> CodeShark: yup, which is why you want to have as many utxo's on hand as you can store
20:56 < CodeShark> point is you could establish whether or not you have the complete utxo in the initial negotiation
20:56 < petertodd> CodeShark: but at some point you run out of space, so you drop ones that are unlikely to be spent
20:56 < petertodd> CodeShark: well you could give your peer a bloom filter of what you have, for example
20:57 < CodeShark> right, something along those lines might work
20:57 < petertodd> yup, lots of options, main thing is that all those options are things that aren't forks
20:59 < nsh> perhaps it might be good to enable an ecology to these things: let various different approaches be 'right' and let natural selection on the basis of effectiveness and cost tend toward improvement
21:00 < nsh> the monocultural aspects of the bitcoin network should be whittled to a fine point of essential security and consistency
21:00 < CodeShark> problem is natural selection favors diversity (i.e. forks)
21:00 < petertodd> nsh: agreed, although people tend to complain that their wallets don't go fast :)
21:01 < nsh> mmm
21:01 < CodeShark> well, these approaches don't require block chain forks - but they do require care with protocol issues
21:02 < nsh> CodeShark, can't you look at the (hard)fork border as the boundary of an island (let's call it Coinagascar)? you can still have diversity within those confines...
21:03 < CodeShark> I suppose we could separate the core validation algorithms from the specifics of the protocol itself :)
21:03 < CodeShark> as in the specifics of networking with pees
21:03 < CodeShark> *peers
21:03  * nsh nods
21:04 < nsh> the downside is that you lose some of the shepherding function of the core dev team
21:04 < nsh> but i would anticipate that function isn't long-term sustainable if bitcoin grows into a very large ecosystem anyway
21:05 < nsh> and it's already accepted that you choosing to use one solution over another can have financial implications
21:05 < nsh> s/you //
21:18 < maaku> "In conclusion, I think that humanity should stop publishing papers about Byzantine fault tolerance. I do not blame my fellow researchers for trying to publish in this area, in the same limited sense that I do not blame crackheads for wanting to acquire and then consume cocaine."
21:19 < maaku> ah, microsoft research, how i love thee
21:19  * nsh smiles
21:21 < nsh> hah, that whole piece is great
21:21 < nsh> ( )
21:25 <@gmaxwell> it's generally true of Byzantine fault tolerance. People who shit on Bitcoin are either in denial or unaware of the complete failure that field has been.
21:26 <@gmaxwell> An endless series of impossibly complicated protocols which can only work under highly unrealistic constraints and which generally burst into flames on contact with reality.
21:32 <@gmaxwell> it's basically a field that people have been wanking on more or less ineffectually since the late 1970s, making little useful progress, and then Bitcoin comes along and delivers a working system that is secure in the anonymous model, where like everything else required previously agreed participants, requires linear communication (as opposed to quadratic in the number of participants), and is relatively simply explained vs the charts ...
21:32 <@gmaxwell> ... in that paper. ... and did so basically as a footnote on the way to producing an entirely new kind of currency.
21:44 < nsh> reminds me of... atomic chemistry until the 1870s. decades of top scientists debating fancy models, vortex theories, all sorts of complex contrivances, and then Mendeleev comes along with the periodic table, pow!
21:49 < petertodd> gmaxwell: OTOH PoW blockchains appear to only work in conjunction with financial incentives
21:50 <@gmaxwell> petertodd: indeed, bitcoin is _not_ a fully general solution.
21:51 < petertodd> gmaxwell: though in many cases you can limit your "byzantine fault vulnerability" to a small part of software that is trusted to give an honest signature for some type of "fake work"
21:51 <@gmaxwell> it just happens to work (so far) for like ... the only application known where byzantine fault tolerance was actually a hard requirement. :P
21:51 < petertodd> gmaxwell: lol, there is that!
22:06 < nsh> serendipity
--- Log closed Wed Dec 25 00:00:25 2013
--- Log opened Wed Dec 25 00:00:25 2013
--- Log closed Thu Dec 26 00:00:28 2013
--- Log opened Thu Dec 26 00:00:28 2013
14:14 < adam3us> nxt yet another big-claim-alt?  100% proof of stake in their case and its own block chain, no source code so far.  all very confusing.  claimed market cap > mastercoin already $100mil i guess those market caps could do with some market depth caveats really
14:15 < adam3us> for the solidcoin spectators,104.0.html
14:15 < maaku> adam3us: it's pre-listed on a regular old web exchange
14:15 < adam3us> yes its unclear what if anything the price on means - could be manipulated and controlled by nxt devs with ~0 mkt depth
14:16 < maaku> presumably with withdrawals eventually being handled via a premine
14:16 < adam3us> maaku: 71 "investors" donated a total of 21 btc < 1month ago and yet the claim it has a market cap of $100m... ha ha
14:17 < maaku> personally, I never understood the utility of proof-of-stake mining in any fraction
14:17 < maaku> especially when subsidies are involved ... all sorts of bad incentives
14:17 < maaku> about all its done is distract people from the real utility of PoS
14:18 < adam3us> maaku: well superficially it sounds interesting that eg ppcoin claim that for self interest someone holding 10% of stake would not want to double spend or he'd damage value of his own holdings however, then there is an unfair mining advantage to the stake holders which is a diff problem
14:19 < maaku> adam3us: yes, but the way to achieve that control is to allow the PoS participant to vote on something akin to a checkpoint
14:19 < maaku> not to have some sort of protocol-level conversion metric between stake and hashpower
14:19 < adam3us> maaku: i presume u mean effectively different votes for validity vs reward
14:20 < maaku> adam3us: i mean a different protocol for considering best block which takes into account out-of-band stakeholder votes
14:21 < adam3us> maaku: well nxt is 100% stake.. not sure if that even quite makes sense.  the stake was bought for 21 btc in the last month!
17:04 < petertodd> tromp__: anyway, how much hardware design have you actually done? like, any at all? have you even taken a simple digital logic course and played around with some FPGAs?
17:05 < tromp__> yes i did digital logic as part of my cs curriculum
17:05 < tromp__> but never played with FPGAs
17:05 < petertodd> tromp__: yeah, digital logic, but did it talk about implementation level issues?
17:06 < petertodd> tromp__: I'd highly suggest learning about FPGAs at least before you try to design any more PoW algorithms - at least FPGAs let you see how your logic is physically synthesized
17:06 < phantomcircuit> petertodd, this seems like it would at least be better than scrypt as a memory hard function
17:07 < tromp__> scrypt isn't technically a proof of work
17:07 < tromp__> since it doesn't have trivial verification
17:07 < phantomcircuit> main memory access with DDR3 is ~300 ns
17:07 < petertodd> phantomcircuit: maybe, but the question is memory hard actually what you want? gmaxwell's been pointing out that it's power that matters generally for running costs
17:08 < grazs> hmm, interesting
17:08 < petertodd> grazs: quite likely scrypt is actually *worse* for password hardening because it doesn't use as much power as other alternatives
17:09 < grazs> petertodd: my brain is stuck, I will meditate on this, had kind of an aha-moment though
17:10 < phantomcircuit> petertodd, if you can shift the costs from marginal to capital that is preferable as it reduces the incentive to be dishonest
17:10 < petertodd> phantomcircuit: only for non-commodity hardware
17:10 < phantomcircuit> if you've invested 10m into hardware which wont pay for itself for 10 years you're not going to be dishonest at year 1
17:10 < petertodd> phantomcircuit: for asic-soft algorithms that's a solved problem :)
17:11 < phantomcircuit> petertodd, well yes and no
17:12 < petertodd> tromp__: anyway, I gotta go - learn some more about digital logic and electronics - you need to be at the point where you can draw a reasonable design at the physical layout level, that is how the transistors are located and what wires connect what, if you want to be able to understand this stuff sufficiently
17:12 < phantomcircuit> petertodd, as it stands today the capital cost of asics is significant
17:12 < phantomcircuit> buttt
17:12 < phantomcircuit> that's going to change
17:13 < phantomcircuit> power costs are already significant but not the most significant
17:18 < tromp__> if anyone else has feedback on Cuckoo Cycle, i'd love to hear about it
17:19 < tromp__> it can't get much worse than being told it's the exact opposite of asic-hard :)
17:21 < azariah4> would the proposed ethereum contracts make sense if a contract is run on each node receiving a tx?
17:21 < nsh> additionally, it causes terminal cancer in puppies and war orphans
17:21 < nsh> :)
17:21 < azariah4> it seems they would need some way to only run once, or at least on a limited number of nodes, with e.g. SNARK so other nodes can verify instead of actually running the script
17:22 < azariah4> especially given the fee per op/storage scheme
17:27 < tromp__> i've seen mention of SNARK proof size being very manageable at 288 bytes, but what's not clear to me is how much time the verification takes and whether that's practical
17:28 < tromp__> AFAIK ethereum is vague on how the processing fees for running scripts are actually distributed and to whom
17:28 < tacotime_> SNARK verification at 288 bytes is trivial
17:29 < tacotime_> But the parameter file size is not iirc
17:30 < tacotime_> For the zerocash implementation, the parameters file for their functions was over a gigabyte.
17:30 < nsh> closer to 2Gb iirc
17:32 < nsh> (i still can't intuit what this public parameters file _is_ -- how it's used as a resource...)
17:32 < azariah4> I suppose the fee scheme for contracts in ethereum could be made so that fees for a script can only be collected by the miner who mined the block containing the tx triggering the contract
17:32 < azariah4> that would make it unlikely (but not impossible of course) for other nodes to run the script
17:34 < tacotime_> nsh: gmaxwell probably knows more about what the parameters files do exactly, I still don't totally understand SCIPs. My understanding (which could be totally incorrect) is that for any given program you need to generate these parameters and disseminate them with the code you wish to have executed and verified. Then they are used (how?) when you issue arbitrary inputs to the code to
17:34 < tacotime_> generate proofs that verify your given output.
17:35 < tacotime_> And that the parameters file must arise from a trusted source.
17:35 < nsh> ack to all of that
17:36 < nsh> but in terms of the proving and verifying algorithms: what use they make of the pubparam data
17:36 < nsh> i should just read the papers harder :)
17:37 < tacotime_> I'd love to do that if I didn't have all these other things to do for my grad studies in another field. :P  If you figure it out, ELI5 it to me
17:37 < tromp__> so the parameter file is like a proof template that requires further specification of 7 "points" that get encoded in 288 bytes
17:40 < nsh> okay, but what does template mean in terms of to a mathematical process?
17:40 < nsh> s/ to//
17:44 < tromp__> i imagine it's like the these steps in the case of an ECDSA "contract" where (r,s) are the additional points
17:44 < tromp__> those steps are a lot shorter than 1Gb though
17:44 < nsh> andytoshi can explain!
17:45 < nsh> in zk-SNARKS, andytoshi: what is it, algorithmically, about the public-parameters that is used in the proving and verifying processes?
17:45 < andytoshi> hi nsh, my logs only update every 12 minutes so i don't have any context
17:46 < nsh> i've been trying to get a handle on what is special-and-super-handy about the big public parameters in zk-SNARK systems
17:46 < andytoshi> one sec, i have the snark paper right in front of me..
17:46 < nsh> so far i have a sense that it's some kind of common 'landscape'
17:47 < nsh> and the proof delineates a set of points that allow traversal of the landscape, with traversal being tantamount to verification of the computation's integrity
17:48 < nsh> but that's a long way from grokking (and probably wrong, anyway)
17:48 < andytoshi> well, it's similar. the first step in the snark proof is to translate from ordinary C into an arithmetic circuit
17:48 < andytoshi> an arithmetic circuit is a directed acyclic graph where each node is labelled by a semiring operation (addition or multiplication)
17:49 < andytoshi> so you can construct polynomials in terms of that, and it turns out you can translate any bounded running-time program into such a circuit
17:49 < andytoshi> so the "landscape traversal" is just following the dag
17:50 < andytoshi> but there is some more complication because of the memory. circuits do not really encompass reading/writing to memory so there is additional work to do to verify that every read matches an earlier write..
17:50 < nsh> right
17:50 < andytoshi> but in some sense that is incidental, the conceptual miracle happens even without memory
17:50 < nsh> so what is contained in the 1.7Gb pubparam file? and why is it all needed?
17:51 < tacotime_> Is certainty in the case of SCIPs probabilistic for some proof of execution?
17:51 < andytoshi> tacotime_: yeah. but according to the Bayesians all proofs are probabilistic anyway so this is no problem :)
17:51 < tacotime_> Heh.
17:52 < andytoshi> nsh: sorry, i'm flipping through the snark paper to look at how they compute the execution trace to see if there is some 'simple' idea which gives the compression
17:53 < andytoshi> gmaxwell might know this better than i, it deals heavily in linear pcps which i had never heard of before this paper. so that's some background reading i have to do..
17:56 < andytoshi> Section 3 Verifying Circuit Sat via Linear PCPs is the relevant part of the ben-sasson paper @ it has a 'high level' overview but i haven't read it well enough to summarize what's going on
17:58 < azariah4> this paper has some nice gems, hehe
17:58 < azariah4> "Concrete implementations are upper-bounded by computer memory size (and ultimately, the computational capacity of the universe), and thus their asymptotic behavior is ill-defined."
17:58 < azariah4> :D
18:05 < nsh> (dropped out for a moment there; local network troubleshooting for a stupid Blu-ray player)
18:06 < andytoshi> what is the last thing you heard?
18:06 < nsh> --
18:06 < nsh> <andytoshi> nsh: sorry, i'm flipping through the snark paper to look at how they compute the execution trace to see if there is some 'simple' idea which gives the compression
18:06 < nsh> <nsh> k
18:06 < nsh> [..]
18:06 < azariah4> andytoshi: they mention memory consistency though
18:06 < nsh> <andytoshi> Section 3 Verifying Circuit Sat via Linear PCPs is the relevant part of the ben-sasson paper @ it has a 'high level' overview but i haven't read it well enough to summarize what's going on
18:06 < nsh> --
18:06 < azariah4> in 2.3.2
18:06 < nsh> (missed whatever was in the ellipsis)
18:07 < andytoshi> nsh: ok, that's the last thing i said.    azariah4: yeah, of course, they solved that problem. but it's not relevant to conceptual questions about snarks
18:07 < andytoshi> nsh: also i said
18:08 < andytoshi> gmaxwell might know this better than i, it deals heavily in linear pcps which i had never heard of before this paper. so that's some background reading i have to do..
18:11  * nsh nods
18:11 < nsh> thanks in any case
19:38 < adam3us> gmaxwell: so set r'=R.x, and find a new Q' =cQ that matches ie its true that sR=H(m)*G+rQ' = sR=H(m)*G+r*c*Q
19:40 < adam3us> gmaxwell: for that to work rc = r', so c=r'*r^-1 mod n; now you have a standard DSA sig but on a multiple of the recipients public key, the factor c is secret as the random factor in the chameleon hash
19:45 < adam3us> gmaxwell: forgery by the recipient would be again sR=?H(m)G+rcQ to find a different c' that matches a different H(m') ie to find sR=?H(m')G+rc'Q but as the recipient knows d from dG=Q he can write that sR=?[H(m')+rc'd]G vs [H(m)+rcd] so H(m')+rc'd=H(m)+rcd, so c'=(H(m)-H(m')+rcd)/rd
19:45 < adam3us> gmaxwell: seems to work (though I am tired so i may have screwed something)... did you have an app in mind?
19:46 < adam3us> gmaxwell: maybe more direct bitcoin integratability because it already understands and serializes ECDSA sigs?
19:46 < gmaxwell> adam3us: yea my thought there is that people already have ECDSA code, so a chameleon hash based on one would be easy to integrate.
19:47 < adam3us> gmaxwell: makes sense and kind of convenient it provisionally seems to work
20:05 < Luke-Jr>
--- Log closed Sun Oct 27 00:00:48 2013
--- Log opened Sun Oct 27 00:00:48 2013
05:47 < gmaxwell> adam3us: thank you very much for the crypto-anarchy explanation on the forum. It's good to have someone post a structured view, instead of responding to that kind of complaint with "omg fight oppression!"
10:47 < adam3us> gmaxwell: some people seem to say hal finney is not pro crypto anarchy I saw, but from what I recall of old cypherpunks posts he has really calm principled/reasoned arguments for why privacy is essential, because you need cryptography to enforce what are actually legal rights strongly etc, and he implemented and operated the first PGP based anonymous remailer, and RPOW and he was i think the first PGP employee after zimmermann also, its very
10:48 < sipa> its very[...]
10:48 < K1773R> 512 line limit of IRC :P
10:48 < K1773R> s/512/512 chars per/
10:49 < K1773R> seems like a poor irc client :S
10:49 < sipa> i know few that deal well with overlong lines by default
10:50 < adam3us> its pidgin/linux hmm:... he (Finney) implemented and operated the first PGP based anonymous remailer, and RPOW and he was i think the first PGP employee after zimmermann also, its very hard to argue with things the way he puts them
10:51 < sipa> who is 'he'?
10:51 < adam3us> hal finney
10:51 < sipa> hmm, i don't understand
10:51 < adam3us> sipa: we were talking about explaining motivations for cryptographic privacy and I was saying i thought hal finney does a nice job
10:51 < sipa> ah, by "hard to argue with" you mean "he is right"?
10:52 < adam3us> sipa: oh yes... i mean it sounds so reasonable and logical and non-controversial that the opponent is going to sound like an idiot or churlish to disagree :)
10:52 < sipa> right, got it
10:53 < sipa> "hard to argue with" sounded like "so stubborn you don't want to argue with"
10:53 < adam3us> sipa: whereas as gmaxwell said most people say things like "beat state" and what not and then people with statist view lose sight of reason
10:54 < adam3us> sipa: nah - i never actually met him in person, but net the net he is the nicest fellow, least likely to get in a flame war, and actually doing a lot of privacy useful coding, so productive on the "cypherpunks write code" scale also
10:55 < sipa> scale also[...]
10:55 < sipa> wait, that is actually the end :)
10:55 < sipa> sorry, misparse
11:00 < adam3us> sipa: it was in relation to this bitcointalk thread
11:01 < adam3us> sipa: which was about chameleon hashes from greg but rapidly diverged into politics when someone said "what you want to forge a contract?? thats illegal" as a complete mismatch of understanding
11:01 < HM2> Snow Crash is an awesome book
11:01 < sipa> i remember why i stopped reading the forum :)
11:01 < HM2> The Baroque Cycle series is also great
11:03 < HM2> I can't remember if it was one of the BC books or Cryptonomicon that had the offshore data haven project
11:03 < adam3us> sipa: its almost funny, advanced math & bitcoin limits mixed with "doh" level newbies he he
11:04 < adam3us> HM2: i think that might've been cryptonomicon yes - very cool, like the pirate bay they are also jurisdiction hopping seemingly successfully for many years playing whack-a-mole, or havenco was the closest thing on the offshore oilrig/micro-nation-state
11:07 < HM2> this Chameleon hash thing sounds interesting
11:07 < HM2> it effectively turns the terms of the contract in to a key, right?
11:08 < adam3us> HM2: i love the line in snow crash where they run into the "president of the united states" and no one knows who he is or cares - sort of like the token "president" of somalia he's only president in his own mind as the state is a distant memory
11:08 < HM2> lol i don't recall that
11:10 < HM2> hmmm
11:12 < adam3us> HM2: so the idea which was greg's is that alice & bob can have a contract but keep the contract private, and bob cant tell other people the contract because he has the private key so could forge any contract
11:14 < adam3us> HM2: and yet if bob cheats and doesnt fulfill the contract alice can shame him by revealing the contract, it must be true because either that is the contract, or bob forged it; if bob forged it he's reneging on the contract and if he doesnt forge it alice has some proof that can convince others of what bob agreed to
11:15 < adam3us> hm2: its a bit like a non-transferable signature, except then either party could forge the contract, so alice cant prove anything to other people to shame bob and tarnish his reputation for cheating
11:16 < adam3us> hm2: so its forgeable, but only by bob some kind of mix of a hash function on one side and a non-transferable sig on the other; quite a nice building block
11:17 < HM2> How does the public remediate contract disputes exactly?
11:18 < HM2> If Alice is selling Bob something then either Alice can access the wallet and complete the contract or some public action + Bobs proof of contract can
11:18 < adam3us> HM2: they dont exactly, but if bob has a nice ebay-style rating there is a threat that alice can prove things to other people if he cheats, so he has an incentive to play nice
11:19 < adam3us> hm2: oh yes, the relation to the contract hash, is that in order to cash the payment, bob effectively demonstrates he has the hash, because he has to multiply the base address by it
11:19 < HM2> right so it's not a system to prevent you from being screwed over, like a reversal in a blockchain like system? it's just a reputation system
11:20 < adam3us> hm2: so he cant deny all knowledge as everyone can see the cash in his address and the tx which can be seen to hash from the contract to his address
11:20 < adam3us> hm2: yes its interesting because its simultaneously private (because its non-transferable) and yet there is still a threat of revealing the contact
11:20 < adam3us> hm2: contract
11:21 < HM2> right but if Alice sells Bob a TV and Bob claims he he never received it but Alice took the money, and Alice said Bob did receive it. what do you gain? it's still open to dispute
11:21 < adam3us> hm2: its unusual because normally its either non-transferable or its signed (non-repudiable) and yet like OTR you dont want non-repudiable signatures published or the other party to renege on the implied privacy
11:22 < adam3us> hm2: yes greg on the post mentioned if its a physical item or a matter of opinion kind of contract you might add an arbitrator
11:22 < HM2> what kind of contracts actually benefit then?
11:22 < adam3us> hm2: but if its straight up swap 1BTC for 150 LTC
11:23 < adam3us> hm2:  well that could probably be done atomically, but where you are relying on reputation and want contract privacy
11:23 < HM2> hmm
11:23 < adam3us> hm2: i mean the thesis is that private contracting parties should not have to tell anyone about the contents of their contract
11:23 < adam3us> hm2: so maybe alice doesnt know bob that well and doesnt quite trust him not to blab and show everyone else the ebook she bought because its racy
11:24 < adam3us> hm2: with normal signed contracts bob can prove that because alice signed her order, so bob can embarrass her
11:25 < adam3us> hm2: with chameleon hash based sig, bob cant really do that because bob can make that contract say whatever he wants (he can forge it), so no one will necessarily believe him as there is no transferable proof
11:25 < HM2> oh i'm slowly getting it
11:25 < HM2> so you have a transaction that can be shown by one party to be for anything
11:25 < HM2> and by the other for one specific thing
11:25 < HM2> is that about it?
11:25 < Luke-Jr> sounds useless <.<
11:26 < adam3us> hm2: so far thats standard non-transferable sig (opposite of non-repudiable sig), but the interesting new feature is that in addition to that, alice can actually prove bob accepted the contract so the power to prove things is asymmetric
11:26 < adam3us> hm2: yes
11:26 < HM2> big words like repudiable don't do well for me on Sundays
11:26 < Luke-Jr> lol
11:27 < adam3us> luke-jr: spoilsport - actually i think probably it should be the default sig in smart contracts / bitcoin script! you do want the mechanism to not have unintended side effects for the users
11:27 < HM2> oh
11:27 < HM2> so how does one construct a Chameleon hash with ECs? I understand basic EC algebra
11:27 < Luke-Jr> adam3us: a contract you cannot prove the contents of cannot be enforced, thus has no purpose
11:27 < adam3us> hm2: you dont want that should say
11:28 < adam3us> luke-jr: but you can prove it (alice can)
11:28 < adam3us> luke-jr: its just bob that cant
11:28 < Luke-Jr> adam3us: a one-sided contract is nasty enough already
23:37 < petertodd> gmaxwell: so is this partial UTXO mode scary enough that you'd rather not see it happen or what? I figure long-term we need UTXO posession proofs for miners, and it pushes decentralization by making it easier to run a full-node
23:38 < petertodd> gmaxwell: I really like how it lets those nodes do useful work for the network - relaying tx's increases your anonymity set, and they can serve SPV nodes just fine
23:39 < petertodd> gmaxwell: heck, add a way to make bogus tx's expensive and they can even relay any transaction, or just rely on how the proofs that a tx was bogus just give the partial-UTXO holders information they would have retrieved later anyway
23:39 < petertodd> (needs a relatively expensive *spent* UTXO map, but that map can be distributed)
23:39 < gmaxwell> I don't see why it would hurt.. but if there were a committed utxo you could relay any transaction just by getting the membership proofs for its inputs.
23:40 < petertodd> gmaxwell: yes, that too, and it'd lead to a mode of use more applicable to adding committed UTXO later
23:46 < Luke-Jr> petertodd: should I post "needs rebase" to all your open pullreqs that need it, or can I just make you a list here?
23:47 < petertodd> Luke-Jr: nah, add it to the pullreqs
23:47 < Luke-Jr> k
23:51 < petertodd> Luke-Jr: nLockTime rolling for mining - what timespan do miners actually change the timestamp when doing this?
23:51 < petertodd> Luke-Jr: er, nTime rolling...
23:51 < petertodd> Luke-Jr: and is time rolling now obsolete?
23:52 < Luke-Jr> petertodd: in practice, I'd say it varies :/
23:52 < Luke-Jr> time rolling isn't obsolete, but not implemented with stratum yet
23:52 < petertodd> Luke-Jr: we talking seconds, tens of seconds? minutes?
23:52 < Luke-Jr> it's somewhere near the top of my BFGMiner todo
23:52 < Luke-Jr> petertodd: I would be surprised if ntime was off by more than 5 minutes
23:52 < petertodd> huh, I thought it was actually common
23:53 < Luke-Jr> stratum regressed a lot of progress that had been made with getwork :/
23:54 < petertodd> I was thinking it could be interesting to do a high-resolution timestamping facility by taking the best pow known for every second basically
23:54 < Luke-Jr> well, you might still get a lot of variety from fast pools
23:55 < petertodd> Yeah, it's no good if people need time rolling.
23:55 < petertodd> (although another non-rolled header could be acceptable)
23:57 < petertodd> See, it'd be possible for nLockTime w/ time-based locks to create some really ugly incentives for miners to mine blocks at the limit of the 2hr window - a timestamping chain could provide a way for nodes to at least detect that their clocks are off, especially given how peers can mess with them.
23:58 < petertodd> It's still dodgy though... I was thinking if nLockTime-by-time inclusion was based on the previous block timestamp it'd be ok, but that still leaves large miners with incentives to screw with the 2hr window, never mind how it can reduce competition if there exists clock skew in the mining nodes.
--- Log closed Wed Jul 17 00:00:57 2013
--- Log opened Wed Jul 17 00:00:57 2013
00:01 < petertodd> (remember that if this is a timestamping facility any node wanting to know the current time simply gets a nonce timestamped, and then they know what time it is!)
00:11 < Luke-Jr> I don't see how nLockTime can discourage forward-dating blocks
00:11 < Luke-Jr> and there is no 2hr window backward..
00:12 < Luke-Jr> well, I guess if miners are behaving there is <.<
00:19 < petertodd> The problem is a block being created with nTime > actual time, and the incentive is to get a head start on other miners to put, say, a high-fee nLockTime in the block you are creating.
00:21 < Luke-Jr> petertodd: but nLockTime only sets a minimum time, it cannot set a maximum
00:22 < petertodd> but that's it, if I have a 1BTC fee tx, with nLockTime expiring in two hours, why not take the increased orphan chance and set nTime on my block to two hours ahead/
00:22 < petertodd> ?
00:22 < petertodd> yet if we allow that incentive, it's very bad for consensus
00:23 < gmaxwell> ha. We can fix.
00:23 < gmaxwell> it's a soft forking fix.
00:23 < gmaxwell> use the last blocks ntime, not this one.
00:23 < Luke-Jr> is sipa's secp256k1 branch reasonably stable?
00:23 < petertodd> gmaxwell: that's what I said...
00:24 < gmaxwell> petertodd: sorry I just read the last couple lines.
00:24 < Luke-Jr> petertodd: AFAIK we already don't relay transactions with time in the future?
00:24 < gmaxwell> petertodd: well I agree. (or not even the last block, it could use the minimum time)
00:24 < petertodd> gmaxwell: The problem is, that's only a fix if mining power is well distributed, it actually makes things worse because if there is a lot of profit to be gained the miners with a lot of hashing power still have the incentive, and it's to a much greater degree. (their orphan rate is less)
00:24 < Luke-Jr> gmaxwell: the minimum time will be earlier than the last block's :p
00:25 < gmaxwell> Luke-Jr: sure, but that doesn't change it really. Presumably if people start locking in the future miners will run nodes that take what they get and selfishly horde them, creating incentives for all miners to run good collection networks.
00:25 < petertodd> Luke-Jr: sure, but there are lots of ways to learn that a tx exists
00:26 < gmaxwell> petertodd: one of the reasons that the min is important there is because (1) it's hard to advance, and (2) when you advance it you raise the difficulty.
00:26 < petertodd> gmaxwell: I was working on figuring out the expected return - the math is really ugly
00:27 < gmaxwell> petertodd: a worst case expected return may be easier.
00:27 < petertodd> gmaxwell: Worst case is easy - your block is orphaned.
00:28 < petertodd> gmaxwell: See the issue is that once I find a block, the other side needs to find two blocks to beat me. As time goes on more of the other sides hashing power will accept my from the future block as valid, so then you get the next level where the remainder needs three blocks and so on.
00:28 < petertodd> gmaxwell: Pretty sure it can't be done as a closed-form equation.
00:30 < petertodd> gmaxwell: I don't think minimum time works either, because you still get to manipulate it by creating blocks in the future, although the ability too is definitely less. If I could show you'd need >50% hashing power to do anything interesting I'd be set.
00:31 < Luke-Jr> petertodd: hmm, is block-uneconomic-utxo-creation basically just an older revision of what Gavin did in 0.8.2?
00:31 < gmaxwell> petertodd: moving the minimum time forward needs the cooperation of >50% of the hashpower over the small median window.
00:32 < petertodd> Luke-Jr: It's what Gavin did but non-hardcoded. I'd emphasize the better, not the older. :P
00:32 < Luke-Jr> petertodd: will you be rebasing it despite its closed status?
00:32 < Luke-Jr> actually, what about Gavin's is hardcoded? <.<
00:33 < petertodd> gmaxwell: Yeah, but you have to assume a steady stream of these incentives.
00:33 < gmaxwell> petertodd: right, so you have some force that turns all miners into a conspiracy.
00:34 < petertodd> gmaxwell: exactly
00:34 < petertodd> gmaxwell: nLockTime by time should have never been added in the first place, but it's such a nice idea on the face of it
00:35 < Luke-Jr> softfork so nLockTime requires data on what block a transaction was created at, and enforces the 10 min per block <.<
00:36 < petertodd> Luke-Jr: ?
00:36 < Luke-Jr> petertodd: for example, if you nLockTime for 1 day from now, it also enforces 144 blocks passing too
00:37 < Luke-Jr> so block count must be >now+144 AND time must be >now+24h
00:37 < Luke-Jr> not perfect, but might help
00:37 < petertodd> Still doesn't help in the usual case where mean interval is < 10 minutes, because you're back to only caring about time.
00:38 < Luke-Jr> usual now, but not eventually
00:38 < petertodd> Right, you've solved half the problem, when measured over the entire lifespan of Bitcoin, and only approximately half. :P
00:39 < Luke-Jr> theory is so much nicer than practice <.<
00:39 < gmaxwell> I'm forgetting why this is a problem again?  If miners mine blocks early, people will just artificially inflate their times or switch to height locking.
00:39 < petertodd> The problem is you're incentivising miners to make the 2hr window for block acceptance effectively shorter.
00:39 < petertodd> Thus requiring accurate clocks for consensus.
00:39 < gmaxwell> if miners do this consistently they'll drive difficulty up too which wouldn't be in their interest.
00:39 < Luke-Jr> ^
00:40 < petertodd> gmaxwell: It's only a fixed 2hr offset, that just drives difficulty up by 0.5%
00:40 < Luke-Jr> and on top of that, you'd just end up treating nTime with a minus-2-hours :p
00:41 < Luke-Jr> if everyone does it, it's predictable.
00:41 < petertodd> More to the point for any individual miner the marginal difference if they do it is effectively zero.
00:41 < gmaxwell> consider, why cant the 2 hour window be 24 hours?
00:41 < petertodd> Luke-Jr: But that's the problem, if everyone does it, and people respond, then you can extend the interval even further!
00:41 < Luke-Jr> petertodd: how?
00:41 < petertodd> gmaxwell: It should have been more like 24 hours in the first place...
00:42 < Luke-Jr> you don't change the 2h rule
00:42 < Luke-Jr> you just assume miner times will always be up against it
00:42 < gmaxwell> Luke-Jr: move your clock/window forward so you dont reject stupid blocks.
00:42 < petertodd> Luke-Jr: Again, the issue is the effect on *consensus*. I don't care when the tx gets mined, I care that miners are incentivised to break consensus for anyone without NTP.
00:43 < petertodd> The problem is no matter *what* the window is, there is an incentive to mine as close to the window as possible to accept a tx sooner than your competitors.
07:22 < adam3us> petertodd: yes but that way lies doom unfortunately, if the tx and users continue to scale
07:23 < petertodd> adam3us: do you understand how TXO commitments can be re-worked into a shardable blockchain?
07:24 < petertodd> adam3us: nah, $20 uncensorable transactions of unseizable electronic money is a pretty damn good outcome. Be nice if we can do better than that, but just that alone is pretty good.
07:24 < adam3us> petertodd: i think vaguely is there a forum link or search term?
07:24 < adam3us> petertodd: $20 i agree
07:24 < petertodd> I've explained it in IRC, haven't written anything up on bitcointalk
07:25 < petertodd> Yup. The real danger with off-chain stuff isn't that transactions will be expensive, is that they'll be too cheap! Bitcoin's inflation rate goes to zero in the long run, and at some point the minimum reward to miners will become low enough that the security of the whole system is threatened.
07:25 < adam3us> petertodd: well one argument could be for unseizable digital scarcity wealth storage and not high tx at all, that is interesting in itself even without p2p tx at any high volume beyond a few tx per year per user
07:26 < petertodd> yup
07:26 < petertodd> you can always build upon that layer
07:26 < adam3us> petertodd: interesting observation, yes offchain success threatens chain security at the limit
07:27 < petertodd> Yeah, on the other hand, what matters isn't what transaction fees are, but rather what profit margin there is. Or to be exact, how much money is uselessly spent on overhead rather than mining itself.
07:27 < adam3us> petertodd: without naming names some people seem a little impatient and short-termist and they may steer things into dangerous directions without really thinking things through - i do like how you focus on the long term big picture
07:27 < adam3us> petertodd: its like chess, you dont win by looking at the next move, but at the end game from the start
07:28 < petertodd> People without a good understanding of economics have often argued that we need larger blocks because we need lots of transactions so the fees can support miners, but if those fees go into network bandwidth and harddrives, we haven't gained anything.
07:29 < adam3us> petertodd: and there is lots of scope for extremely plausible long term thinking sabotage disguised as rational short-term pragmatism; i get of assertive short-termists who cant explain or dont wish to entertain long term implications
07:29 < petertodd> For sure. There's a lot of pressure in this community for people like me to stop talking so much about the long term and focus on "real world engineering", but that's the kind of thinking you see at web 2.0 startups, and they have an alarming tendency to die early deaths.
07:30 < adam3us> petertodd: /i get ^suspicious of^ assertive.../
07:30 < petertodd> Ha, for sure, once you start assuming possible malice all this stuff gets really ugly. :P
07:30 < adam3us> petertodd: precisely
07:31 < petertodd> Reminds me: the more I think about it, the more I think I should be encouraging abuse like timestamping and data-in-the-chain so we get a good understanding of the parameters of that abuse before making decisions based on assumptions about what demand there is to do such things.
07:31 < adam3us> petertodd: i've been through a few startups, and without embarrassing the guilty, a guy who wanted to code and stop wasting time thinking and architecting the right solution, within 1year it deadended
07:31 < MoALTz> one idea is that some coin gets lost in every transaction, as well as fees. reason: the "loss" is actually donating value to the network as compensation for bandwidth, hard-drive storage, cpu usage; the losses mean that all the remaining coin gets more valuable
07:32 < petertodd> adam3us: Absolutely. This isn't a standard engineering problem where the solution space is well understood.
07:32 < adam3us> petertodd: it only didnt get ugly at company future level cos i rewrote it from scratch in a 80/hr week skunkworks
07:32 < adam3us> petertodd: 1 week of the right thing vs 1 year x 10 people of "stop talking big picture write code" ... thats the true picture
07:33 < petertodd> adam3us: Heh. Another case in point: maaku has spent a lot of effort implementing UTXO commitments with authenticated radix trees, and meanwhile I come up with TXO commitments, which seem to have made all that effort obsolete.
07:33 < petertodd> A month in the lab saves a day in the library. :/
07:33 < MoALTz> writing code that does something is indeed better. i need to do more of that.
07:35 < petertodd> Equally though, code is needed too... The lesson is just to understand the problem well before you start getting into code.
07:35 < adam3us> petertodd: that company later sold for $100m that probably wouldnt have happened w/out that rewrite... startups are full of random unproductive "code fast" shit that amazingly frequently ends up in the dustbin, ZKS was like that also
07:35 < adam3us> petertodd: exactly
07:35 < MoALTz> petertodd: easy to overdo it the other way
07:35 < adam3us> petertodd: problem is its very very hard to see any big improvement
07:37 < adam3us> petertodd: i think because of the interconnected cross dependencies; each important piece is fulfilling 3 or 4 functions, and while each function could get scaling by omitting a feature you cant change anything because overall it only just works with all the cross dependencies in place
07:37 < petertodd> MoALTz: The problem with my way is it's hard for people who don't understand the issues in great detail to tell the difference between smart people thinking hard about a problem, and wasting time doing nothing of real value. Code on the other hand can be evaluated for volume relatively easily.
07:38 < adam3us> petertodd, MoALTz: i can actually code, damn fast too; but mostly i am trying to solve the hard problem - if i crack a hard problem, will be coding like a demon :)
07:38 < petertodd> adam3us: Yup. I run into that at my day job all the time, because our system is extremely tightly coupled and unavoidably so. I've quite literally done projects that involved 8 months of design, followed by a week or two of implementation, with the implementation working pretty much perfectly the first time.
07:39 < adam3us> MoALTz: but yes there are multiple pressing issues that have gotta be worked on now that are defined
07:39 < MoALTz> adam3us: i tend to think of ideas, test them in my mind a lot, but cannot keep myself coding up a test implementation for them long enough to test them
07:39 < petertodd> adam3us: I've also had projects with 8 months of implementations, followed by realizing that was all a waste and I should have done a month of design up-front.
07:40 < adam3us> petertodd: a problem in startup culture that contributes is that management thinks of the work so far as "investment" so they cant change path even when they see the writing on the wall that this is a very bad path
07:41 < adam3us> petertodd: when what you've done so far turns out to be wrong, you need to be willing to rip it up and start again, they rarely can do that
07:41 < adam3us> petertodd: so anyway more back ontopic: i was wondering about disentangling bitcoin mining dependencies
07:41 < petertodd> Yup. I'm lucky to have a boss who's willing to accept that sometimes you've got to throw away what you've done, but even then it's hard.
07:42 < adam3us> petertodd: as i think in isolation nicer things can be done, just not on the interdependent version
07:43 < adam3us> petertodd: eg if you're talking about reward only (not relating to validation) you could probably direct mine with 0 variance work and no need for mining pools
07:43 < petertodd> Ok, before you get too deep, so lets check: what are the main functions of mining?
07:43 < adam3us> petertodd: so leads to can you separate reward from validation
07:43 < adam3us> petertodd: confusingly many :)
07:43 < petertodd> Yeah, reward != validation.
07:44 < petertodd> OTOH, in practice you need things like tx fees so you can figure out which tx should be in a block.
07:44 < adam3us> petertodd: so reward, blockchain evolution voting, spv client validation, sybil attack defense
07:44 < adam3us> petertodd: did i miss some?
07:45 < adam3us> petertodd: ah yes you reminded converging on a block definition
07:45 < petertodd> See, you're talking about a level farther removed than what I would have said.
07:45 < petertodd> For instance, proof-of-publication is really important.
07:46 < adam3us> petertodd: ah yes arbitrating which tx is first in double spends
07:46 < petertodd> Right, so timestamping.
07:46 < adam3us> petertodd: i was thinking one way to look at it is (apart from spv validation) bitcoin is actually implementing a timestamping service
07:46 < petertodd> But do you understand what's so important about proof-of-publication? (or to be exact, proof-of-readership)
07:47 < adam3us> petertodd: and actually something slightly more also: a namespace (like a timestamp but where names are strictly and cryptographically first come first served)
07:48 < adam3us> petertodd: maybe .. are you saying like what defines a tx as confirmed is that you see it (and not a double-spend) in the block chain
07:48 < adam3us> petertodd: i think it can be equated actually to an auditable namespace, where the "name" is the txout
07:48 < petertodd> See, proof-of-publication/readership is what makes timestamping useful to prevent double-spends.
07:49 < petertodd> Do you understand why?
07:49 < adam3us> petertodd: do spell it out, its probable we are saying the same thing, but with different terms; i call that an application of an auditable namespace
23:42 < petertodd> same
23:42 < gmaxwell> petertodd: well look at my example and tell me how a merkle tree would work there?
23:43 < petertodd> oh, wait, stupid, I missed the S doesn't know c part somehow...
23:43 < petertodd> yeah, it's useful in that case
23:43 < petertodd> hmm... how about querying the UTXO set without telling the server what you are querying?
23:45 < gmaxwell> what would you query it for?
23:45 < petertodd> check that a txout is in the set, and thus a transaction someone handed you is valid
23:46 < gmaxwell> so one problem is say you get a hit ... now you say, okay give me the full transaction.
23:46 < gmaxwell> oops the server says, nah that was a fake hit I don't have that txout.
23:47 < petertodd> I'm more thinking you have a contract with a third-party UTXO database provider, and you want to know if a customer's transaction is valid, and neither you nor the customer has a UTXO set (so the customer can't give you a UTXO proof directly)
23:48 < petertodd> Only really useful if you have a safe zero-conf system of course...
23:49 < petertodd> Though it'd be useful for checking fidelity bonds.
23:51 < gmaxwell> In general I could see how this would be useful for a very large database to prevent censorship.
23:51 < gmaxwell> though how do you not get them to censor in advance when constructing the filter. hm.
23:51 < petertodd> Selective censorship
23:51 < petertodd> (client selective)
23:51 < gmaxwell> ah right.
23:52 < petertodd> Given how dodgy anonymous com channels are, that's a really useful thing to be able to do.
--- Log closed Wed Jul 24 00:00:18 2013
--- Log opened Wed Jul 24 00:00:18 2013
00:29 < amiller> hrm, hrm, just how strong is SPV anyway
00:29 < amiller> it's actually really secure
00:29 < petertodd> define "really"
00:30 < amiller> by the ordinary bitcoin assumptions, 51% etc etc, the problem with SPV isn't that a client might get duped or double spent
00:30 < amiller> the bigger problem is that "mining" as an SPV client is irresponsible and a public hazard, which could ruin the 51%
00:30 < amiller> the bigger problem is that "mining" as an SPV client is irresponsible and a public hazard, which could ruin the 51
00:30 < amiller> (er up arrow mistake)
00:31 < amiller> if 51% of miners do full validation and not just SPV, then the point is SPV is safe for everyone else
00:31 < petertodd> so lets say I accept transactions with one confirmation, and you've figured out what node I'm using, how secure is SPV for me in terms of cost to attack me?
00:31 < amiller> one confirmation doesn't count
00:31 < petertodd> why?
00:31 < amiller> it's still 6 or whatever, you have to do a risk calculation
00:31 < petertodd> why is it 6?
00:31 < petertodd> what not 5? or 7?
00:31 < petertodd> or 144?
00:31 < amiller> i carried on a thread once trying to analyze this
00:31 < amiller> 6 is just a social norm
00:32 < petertodd> did you analyze it in terms of probability, or cost?
00:32 < amiller> but really you could treat it as a risk management problem
00:32 < amiller> both
00:32 < amiller> cost is basically measured in time
00:32 < petertodd> no, cost is measured in money
00:32 < amiller> the longer you wait, the more of a hassle it is, and the more likely it's not suitable
00:32 < petertodd> lol, "hassle" has nothing to do with attacks
00:32 < petertodd> be precise, how much money does it cost you to attack me, and under what assumptions?
00:33 < amiller> petertodd, the only real interesting thing i came up with is that it isn't even the cost of attacking *you*
00:33 < amiller> it's more about the likelihood of getting swept up in an attack aimed at someone else
00:33 < petertodd> ah, you're getting closer to understanding this...
00:33 < petertodd> so what happens to this cost stuff if the attacker is attacking n targets at once?
00:33 < amiller> my basic model is an attacker with a budget and a time window
00:34 < amiller> i let the attacker have infinite hash power, but not an infinite amount of energy
00:34 < petertodd> how many targets does this attacker have?
00:34 < amiller> the target is some fraction of all the double spend opportunities in whatever time window they're successful in mining an "attack fork"
00:34 < petertodd> right, so your attacker can pay $x/second worth of electricity to get y hashes/second
00:35 < amiller> the attacker can purchase B hashes and he gets them all at once
00:35 < petertodd> heh, you're even more optimistic than I'm talking about, but go on
00:35 < amiller> so fix the network's hash rate, and the attacker's budget B. now the attacker has to pick a time window and a probability of success
00:36 < amiller> one thing i like to consider (i think someone else has talked about this recently) is a doomsday attack where someone makes a credible threat that they're going to reverse 24 hours of blockchain history
00:36 < amiller> beginning on Jan 1 or something like that
00:36 < amiller> everyone knows (or believes) in advance that doublespends will be possible during this time
00:37 < amiller> (maybe there's some anonymous dropbox where you are supposed to spend your doublespend transactions)
00:37 < amiller> the point of this thought experiment is that the attack might not even need to be skillfully coordinated
00:37 < Luke-Jr> amiller: that'd be a difficult situation to double-spend in
00:37 < amiller> if you had an attack fork, maybe you can just get everyone to doublespend each other
00:37 < petertodd> hang on, go back a second, so how are you calculating return for the attacker against my SPV example?
00:38 < petertodd> what specifically is the attacker doing for that matter?
00:38 < amiller> petertodd, ok ok so i went on a tangent to describe the enormous attack that gets everyone to double spend everything
00:38 < petertodd> remember, I'm an SPV client
00:38 < amiller> the more realistic one i guess is that the point is an attacker pays for and mines an attack fork, and then tries to do some big double spending at that time
00:39 < amiller> petertodd, SPV or not, the point is you go find all the merchants you can
00:39 < petertodd> again, I'm an SPV client, why bother double-spending me at all?
00:39 < amiller> that are willing to make big irrevocable actions after some number of blocks
00:39 < petertodd> why not make a block that meets difficulty, and is filled with transactions that are fake?
00:39 < amiller> where that number of blocks is less than what you can mine with your attack budget!
00:40 < amiller> petertodd, the point is, if there's a merchant that lets you drive off with a ferrari after 6 blocks, and you are able to in a timely fashion produce 7 blocks before everyone else makes 6, then you can win a ferrari
00:41 < petertodd> you're making a lot of assumptions
00:41 < petertodd> I can be much more clever than just trying to double-spend
00:41 < amiller> what else would you do
00:41 < amiller> what else would you need to do
00:41 < amiller> you could double spend money you don't even have
00:41 < petertodd> as I said, I can make blocks that are filled with completely invalid transactions creating money out of thin air
00:41 < petertodd> SPV clients can't tell the difference
00:41 < amiller> sure, good point
00:41 < amiller> that... definitely decreases the cost of an attack
00:42 < petertodd> indeed
00:42 < amiller> especially since if the attack fails in the ordinary double spend case you'd have a lot more to lose.
00:42 < petertodd> doesn't take much to sybil the network, after all, I might have other uses for that capability like trying to figure out who is making what transactions
00:43 < amiller> still, if you can achieve anything against this SPV client, you could also double spend the ordinary clients
00:43 < amiller> and double-spend is still a serious attack
00:43 < amiller> the real havoc is if SPV clients mine.
00:44 < petertodd> the thing is, against an SPV client I don't even need the money, and can launch my attack against a huge number of targets at once, so even if there's a tiny chance of success for any one target I win overall
00:44 < petertodd> (again, goes back to sybiling the network)
00:44 < petertodd> I don't need a 100% sybil
00:45 < amiller> petertodd, it's still very expensive for you to make an attack fork...
00:45 < amiller> a successful attack is more profitable if there are lots of SPV merchants, yeah
00:45 < petertodd> it is *right now*, it might not be in the future as fees become more important, and we don't know
00:46 < petertodd> heck, I could probably pull all this off in a real-life scenario, by, say, controlling the wireless network at a "satoshi circle" event and MITMing everyone's android phone
00:47 < petertodd> "Gee, confirmations sure are taking awhile today aren't they?"
00:47 < amiller> it's quiet, too quiet.
00:47 < petertodd> Play it carefully and I can make it look like I lost money in the attack too so it's not obvious who actually made it happen.
00:48 < petertodd> In this scenario 10% of the hashing power would probably be enough for a real-life attack.
00:48 < petertodd> Heck, 0% given people accept zero-conf...
00:48 < amiller> yes
00:48 < amiller> so!
00:48 < amiller> lets say you're going to do a risk analysis
00:48 < amiller> lets say you're about to exchange 1 btc for cash
00:48 < amiller> how long should you wait?
00:48 < amiller> even if you're a full client
00:49 < petertodd> The best way, is for me to check their government issued photo ID and take a picture of it so I can report the counter-party to the police.
00:49 < amiller> heh, so we get as far as we can with the crypto and let government registries pick up the slack :p
00:50 < amiller> i'm not comfortable with protocols for which i don't have a model (not that i have a satisfactory one for bitcoin, which definitely makes me uncomfortable)
09:32 < adam3us> tacotime_: it was the same story again with larimer/protoshare/invictus momentum "cpu only" memory hard PoW, someone showed a few weeks into an impressively large VPS rented power driven difficulty ram that it was duh TMTOable and so worked just fine in GPU
09:32 < tacotime_> He did release some really broken source code, but then just fucked off
09:32 < tacotime_> If it's parallelizable, I find it difficult to believe that a GPU won't run faster even if you need memory
09:33 < tacotime_> GPU vRAM bandwidth is always going to be greater than the DDR3 bus on the main board
09:34 < adam3us> tacotime_: they tend to need unique memory per mining instance, so momentum aimed for 750MB but then someone TMTO'ed that with bloom filter in place of hash-table.  (unreliable but much smaller hash-table)
09:34 < tacotime_> So when I hear about "dagger" I don't pay much attention either... implement it on GPU and play with it for a couple weeks, otherwise don't say it's hard to run on any single piece of hardware
09:34 < tacotime_> mm
09:35 < adam3us> tacotime_: yes.  but GPU ram bus is wider.. like 256-bit, 384-bit etc vs CPU at 64-bit cache line.  so that erodes a bit of the throughput.  and the access is random and usually like 64-bit word size (or should be for this reason)
09:36 < adam3us> tacotime_: 256-bit might be quite ideal for dagger :) its a merkle tree.
09:38 < adam3us> tacotime_: the only thing dagger is adding is to use coelho's use of fiat-shamir to make verification faster (and a few more links in the tree to make calculating all merkle steps slightly less skippable) its mostly a tweaked coelho merkle PoW.  i mentioned the coelho merkle pow to vitalik its where he got the idea from.
09:40 < killerstorm> hi. does anyone have an idea when OP_RETURN outputs will be usable on the mainnet?
09:41 < jtimon> adam3us, tacotime_ : that's the problem. The story seems plausible, but solidcoin is not a reputable source...
09:41 < jtimon> adam3us, tacotime_ : the fact that "you would be making mining bitcoin and selling them for ltc if you really want the ltc" (I read that somewhere)
09:42 < jtimon> adam3us, tacotime_ : seems to point out in that direction, if ltc mining was less competitive, it should have been more profitable
09:42 < jtimon> maybe it was just a botnet what caused that
09:44 < adam3us> killerstorm: i am guessing that is a color coin related question ;)
09:46 < killerstorm> adam3us: yep. it's possible to do coloring without it, using otherwise unused nSequence is appealing, but people freak out and ask about OP_RETURN
09:47 < killerstorm> also it looks like non-tech people think that use of OP_RETURN makes protocol better and more legitimate :-/
09:48 < jtimon> which reminds me...adam3us seems like enabling "joyscript" in all assets, but disabling the ops needed for quines/covenants on the hostcoin would be a good compromise
09:49 < jtimon> adam3us: you know I don't share your same fears, but we don't know of any use case that requires covenants in the hostcoin
09:49 < jtimon> killerstorm: yeah, some freicoiners thought it would allow people to use the chain for messaging, files...
09:51 < adam3us> killerstorm: here's some replayed history from a few days back
09:51 < adam3us> (06:42:24 AM) justanotheruser: "So, with some reluctance, I recently merged Relay OP_RETURN data TxOut as standard transaction type.
09:51 < adam3us> (06:42:36 AM) justanotheruser: So will it be standard in .9?
09:51 < adam3us> (06:42:52 AM) Luke-Jr: hopefully not
09:51 < adam3us> (06:43:04 AM) gmaxwell: 21:38 < gmaxwell> as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out.
09:51 < adam3us> (09:46:35 PM) adam3us: gmaxwell: "as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out." dont object to backing out (say NO to block-chain spam!), but what are they saying missing context?
09:51 < adam3us> (10:37:04 PM) gmaxwell: adam3us: there have been a number of articles about how bitcoin has been "upgraded" to enable "distributed storage" and such horrifying things like that.
09:51 < adam3us> (10:40:32 PM) adam3us: gmaxwell: ah yes.  its a scary situation indeed.  the flip side is there are then people who will stego encode then in multisigs if you dont, and create needless non-compactable TXOs and on.
09:52 < adam3us> (10:41:17 PM) gmaxwell: adam3us: thats why I didn't oppose it initially. Though the trade off of people thinking it is a good non-antisocial and supported application is concerning.
09:52 < adam3us> (10:41:39 PM) gmaxwell: Esp what happens if abusive use arises and it must be turned back, but there is also non-abusive use?
09:52 < adam3us> killerstorm: (end of few days old discussion paste)
09:54 < jtimon> I don't see it as such a bad thing, I think timestamping is a legitimate use of the chain, but it's sad how people understand it
09:55 < jtimon> about using the nsequence fields...I don't know, some people want to use it for microtransactions channels
09:55 < jtimon> I think the probable solution is for microtransactions to be directly off-chain, but I don't know...
09:55 < adam3us> jtimon, killerstorm: coloring is lower bandwidth than mastercoin (which sends even bid and meta-messages over the blockchain) but its still in theory non-btc tx bandwidth use.
09:56 < adam3us> jtimon: time-stamping at least typically is putting a single hash which is the merkle root of many documents
09:57 < jtimon> adam3us: yeah, I don't think you need to allow more than a single hash after return
09:57 < killerstorm> adam3us: by the way, gmaxwell mentioned that P2SH^2 would make storing data in blockchain impossible, but this is not true, it just makes it more expensive: people can simply 'mine' hashes which have prefixes they need and share data through those prefixes.
09:57 < jtimon> being not in-chain validated, it can be transferred off-chain as well
09:58 < jtimon> p2sh^2 ??
09:58 < killerstorm> jtimon: as far as I know, nSequence is basically dead, it was a bad idea in the first place. It is possible to do same thing (but better!) using multi-signature scripts.
09:58 < adam3us> killerstorm: yes this was mentioned somewhere.  he viewed it as closer.  also there are multiple stego encoding opportunities, eg unused not obviously invalid 1 of 2 multisig addresses etc.  but just because you could stego encode with increasingly lower bit rates doesnt make it a good thing :)  was talking about this with petertodd in the mastercoin context.. for them they'd as well use a separate merge mined chain IMO
10:00 < jtimon> killerstorm oh, this doesn't use replacements
10:00 < jtimon> I guess nobody has a use for it then
10:03 < jtimon> adam3us do you know of any proposed use of replacements? this needed it?
10:04 < jtimon> well, that can be replaced with coinswap, which doesn't need nseq iirc
10:08 < adam3us> jtimon: i dont know, others would know better
10:09 < adam3us> jtimon, killerstorm: i think killerstorm implemented atomic swap in his chromawallet (color coin wallet) if i recall the announce
10:10 < jtimon> adam3us but that is atomic swap between colors in the same chain
10:10 < jtimon> the link and coinswap is cross-chain
10:11 < killerstorm> transaction replacements are usable under condition that all miners are honest. this just doesn't make any sense.
10:11 < jtimon> well, coinswap can also be used in the same chain for mixing
10:11 < killerstorm> trading-across-chains doesn't need replacements
10:12 < jtimon> killerstorm: yes, you're completely right, miners should just get the transaction with higher fees when they receive double-spends
10:51 < jtimon> I guess we should just remove the seq field in freimarkets...
11:10 < adam3us> jtimon: the seq field was designed for revisable bids?
11:11 < TD> it is designed for mempool replacement
11:11 < TD> basically for high frequency trading between a set of parties (to use satoshis terminology)
11:14 < jtimon> adam3us, TD: yes, but as killerstorm says there's no reason for a miner to accept seq=5 over seq=3 if seq=3 has a higher fee
11:16 < TD> of course there is
11:16 < TD> this kind of nonsense reasoning about game theory is so destructive
11:17 < TD> the reason is that if useful and compelling apps rely on that functionality, that increases demand for bitcoin and thus the value of their fees and inflationary rewards
11:17 < TD> miners are not thinking only 20 minutes into the future, you know
11:17 < TD> it's sort of like saying "bitcoin can't work because miners have incentive to merge together and then do 51% attacks to double spend"
11:18 < TD> what we actually see is the opposite, where pools throttle themselves if they get too big because to do otherwise would hurt the value of their money
11:18 < pigeons> the same pool that did double spend?
11:18 < pigeons> or facilitate it i mean
11:19 < TD> other pools have done the same thing in the past
11:19 < TD> deepbit, btc guild etc
11:19 < gmaxwell> deepbit was DDOSed off the network for a week solid when it reached 50% I don't believe it ever regulated itself.
11:21 < gmaxwell> I'd like it to be true, but the self regulation is not working well, it's not like 40% is at all okay. stole several hundred btc from betcoin dice when it had just 25% (possible due to betcoin accepting unconfirmed) and then continued to grow to >40% after that.
11:21 < gmaxwell> I dunno about the game theory stuff, I agree it's wankery. But at the same time the observed behaviors are not good either.
11:21 < TD> correctly configured incentives don't magically make better solutions appear though
11:22 < gmaxwell> We agree.
11:22 < gmaxwell> (well you and I at least on that. :) )
16:57 < tholenst> actually, until here you don't need so much; you only need to be able to call ECDSA_CHECKSIG directly, and then you can do it similar to detecting a SHA256 collision
16:57 < sipa> (i'm also not convinced about the usefulness, but that's another matter)
16:58 < tholenst> but -- the problem is that the money which is supposed to back your transaction might be gone once you detect the double spend. For this you need more, and weirder opcodes
16:59 < sipa> well if it's gone, it's gone
17:00 < sipa> going beyond the basic rule of "a coin can only be spent once" is dark magic
17:00 < tholenst> i adhere to that basic rule
17:01 < tholenst> the basic idea is: if you spend a "backing coin", you can only spend it in such a way that for the next... say 100 blocks, it still remains a backing coin
17:01 < tholenst> and only after that it can become a usual coin
17:02 < sipa> mhmm... dark magic :)
17:03 < tholenst> i don't think there's anything dark there
17:03 < sipa> (not impossible, and not necessarily a problem, but i think the consequences become horrible to reason about)
17:04 < tholenst> no, why? will you be happy if i give a proof of some good properties?
17:04 < sipa> no need to convince me :)
17:04 < sipa> it's just interesting to think about
17:04 < tholenst> i seriously think it would be a good idea to have it implemented
17:04 < sipa> as in it means the spending transaction, as long as the backing coin that can spend from under it, even confirmed, is not actually spendable
17:05 < sipa> or at least, losing fungibility
17:05 < sipa> (those coins would be worth less than other coins)
17:05 < sipa> as they're less certain
17:05 < tholenst> no, you can move them back to normal coins, it just takes 100 blocks
17:05 < sipa> so
17:06 < sipa> you pay me, by spending coins C1, and sending me a coin C2
17:06 < nsh> so wait, we get complete anarchy with a BBC broadcast-loop that removes all the vulgarity and orgies?
17:06 < sipa> as long as C2 is buried less than 100 blocks deep
17:06 < sipa> C1 persists in some form
17:06 < tholenst> no no, I don't send you coin C2; I send you C1, and if I double spend C1, you get to destroy C2
17:06 < sipa> C1 belongs to you, it's the original coin you had
17:07 < sipa> there's nothing special with it, and it's buried 10000 blocks deep
17:07 < tholenst> I own both C1 and C2
17:07 < sipa> wait, what?
17:07 < sipa> i'm not following
17:08 < tholenst> the idea is: in order to pay you with C1, i need to back up the payment with C2. C2 has a different PKScript, which makes it a "backing coin"
17:08 < sipa> wait, let's talk about transactions instead
17:08 < sipa> you create a transaction which spends C1, and what else?
17:08 < tholenst> ok coin = txout
17:08 < sipa> yeah
17:09 < tholenst> I give you a PubKey2-signature of "If you find 2 PK-1 signed messages you may destroy the txout C2"
17:10 < tholenst> "PK-1 signed" is supposed to mean "signed with the same key as C1 is"
17:17 < andytoshi> ok, and C2 needs to be a special invalid-for-100-blocks output?
17:18 < andytoshi> it'd be neat if you could mark outputs as "cannot be spent with fewer than N confirms"
17:18 < tholenst> yes
17:19 < andytoshi> this is cool, i definitely think it changes coin properties too much to be bolted into bitcoin, but istm that it makes sense
17:20 < sipa> istm?
17:20 < andytoshi> as sipa says, there are cases when a "double spend" is a legitimate thing to occur, so these would need to be special transactions
17:20 < andytoshi> it seems to me
17:21 < tholenst> yeah one has to be careful with it; note though that if you can wait a bit (100 blocks) with the double spend, you can first move C2
17:22 < andytoshi> yeah, the receiver of the funds would estimate how long the tx will take to confirm, and require C2 have that many "cannot spent until" ticks left
17:22 < tholenst> anyhow, I plan to write a detailed proposal... I think it's worth it even if it doesn't go into bitcoin. it would finally be some real selling point for an altcoin, imo
17:23 < andytoshi> that'd be great
17:23 < andytoshi> if you can, explore the consequences re fungibility of locking coins like this
17:23 < tholenst> can you elaborate what you mean by that?
17:24 < andytoshi> well, if some coins can be spent quickly and others can't, the quick-spendable ones are more useful
17:24 < nsh> we need a playpit/sandbox for alt-experimentation
17:24 < andytoshi> so rather than "a coin is a coin is a coin" different coins might have different values
17:24 < andytoshi> otoh if they are locked in place, it's hard to claim they have any value, so maybe it's fine
17:24 < andytoshi> nsh: perhaps BlueMatt's thing will give that to us :}
17:25 < nsh> mm, unfortunately as stands it only changes the (mostly) boring things
17:26 < tholenst> well, you  just need 100 blocks to get the backing coins back into normal coins; that's not even a day wait.
17:26 < andytoshi> sure, but given that's apparently popular, i'm sure if you gave BlueMatt a patch he'd inject it into the alts for a few days
17:26 < tholenst> it seems people are already fascinated by BlueMatt's thing :)
17:26 < nsh> haha
17:26 < nsh> i suppose there's no shortage of volunteer test subjects
17:27 < andytoshi> tholenst: ok, another thing to think about is what happens if there is a reorg, and the block at which the coin becomes normal changes
17:27 < nsh> quick, before we end up with ethics panel!
17:27 < nsh> good point
17:27 < tholenst> yes, ok
17:28 < andytoshi> nsh: people releasing cryptographic software without understanding it, and then goading people into putting money into them, are evil, there's no ethical concern in fucking with them
17:28  * nsh smiles
17:30 < Luke-Jr> andytoshi: evil is evil, even if the victim is guilty of evil things themselves
17:31 < andytoshi> Luke-Jr: fair enough
17:31 < andytoshi> tholenst: so, my specific concern is: suppose a coin becomes valid at block 300000, then i spend it in the next block
17:32 < andytoshi> some reorg happens and now the coin becomes valid at block 300005
17:32 < andytoshi> what happens to my spend?
17:32 < sipa> if the coin creation is reorganized, the spending of it is certainly reorganized too!
17:32 < tholenst> maybe bad things? but for that a 100 block reorg needs to happen, and then bad things happen anyhow
17:32 < andytoshi> sipa: that's my thought, yeah, but it makes reorgs more complicated
17:33 < sipa> i doubt it
17:33 < Alanius> andytoshi: well, as long as they use the power of argument and not of coercion, I'm not sure "evil" is the right word
17:33 < sipa> let's not go there
17:33 < nsh> +1
17:33 < sipa> andytoshi: if everything is defined within one chain, there should be no problem with reorganizations
17:33 < sipa> but i'm not sufficiently understanding the scheme
17:34 < andytoshi> well, i spend something at block 300000, but suppose suddenly it is invalid until block 300500 (this is an extreme case)
17:34 < andytoshi> so suddenly my payment is invalid, and i have a window in which to double-spend
17:34 < sipa> that cannot happen without invalidating the spend as well
17:34 < sipa> as the spend happens after the creation
17:35 < sipa> ah
17:35 < andytoshi> yeah, so this complicates analysis and i think also has consequences for fungibility of recently-valid coins
17:36 < tholenst> I am not sure i understand your problem. Do you agree this only happens if the reorg is something like 100 blocks deep?
17:36 < andytoshi> but i also suspect this is fixable while still retaining the benefits of tholenst's trickery
17:36 < andytoshi> tholenst: yeah, it'd have to be deeper than the coin's invalid-until-N-blocks count
17:36 < andytoshi> so maybe we could require all transactions which do this to have N higher than 100
17:37 < tholenst> ok, i didn't think too much about that yet.
17:37 < andytoshi> or maybe, rather than saying "invalid until 100 confirms" you say "invalid until block 300000" and hardcode the 300000
17:37 < andytoshi> then you don't care about when the tx is actually mined, so there is no concern about reorgs
17:37 < tholenst> you could do that, but then you have to renew the backing txouts periodically; I don't like that
17:38 < andytoshi> well, you'd have to do this anyway i think
17:39 < tholenst> I think it makes sense at this point if I write down the proposal in more detail.
17:39 < andytoshi> yeah, it'd be good to have something precise to discuss
17:41 < tholenst> the input was useful to me anyhow :) more to think about, ty!
17:41 < nsh> what's the distribution of reorg heights?
17:41 < nsh> any theoretical basis for calculating that, or is it near-enough empirical?
17:42 < nsh> s/heights/depths/
17:43 < tholenst> for a theoretical basis, you need to have some kind of clue how fast the block distributes among the miners
17:43 < andytoshi> nsh: (a) hard to make precise, as generally only part of the network perceives a reorg as a reorg, while the rest of them saw the winning chain first, (b) the big ones occur by implementation bugs, which are hard to predict, (c) the small ones probably are also due to network flukes which are also hard to predict, though they might have a nice distribution since they're frequent
17:44  * nsh nods
17:44 < nsh> but it should be possible to put a 100-block reorg into an improbability bracket
17:46 < tholenst> agreed, using only mild assumptions that should be possible
18:34 < andytoshi> nsh, tholenst: my expectation is that if you can get any number assuming no horrific forking bitcoind bugs, it'd be like 1/googol or something
18:35 < andytoshi> way way way lower than the chance of a serious dev mistake
18:35 < andytoshi> so that's the probability you need to estimate, and good luck with that :)
18:35 < nsh> pft, i crunch graham's number for breakfast
18:36 < andytoshi> it's higher than 1/graham's number ;)
18:36 < nsh> maybe late lunch then :)
19:46 < andytoshi> BlueMatt: you are "everything that is wrong with cryptos" :)
00:04 < petertodd> same issue with Bitcoin fundamentally, but more likely to be a problem in practice "yeah, you see, I can't change my mining pool to prevent those stolen funds from being moved"
00:06 < amiller> how to know if you're an illegally operating MSB tip #103125: you're capable of detecting and returning someone's stolen funds...
00:07 < petertodd> lol
00:08 < petertodd> "This isn't a MSB! Why fraudproofs/trusted-hardware/closed source software/The FSM stop that!"
00:10 <@gmaxwell> :)
00:11 <@gmaxwell> I hope at least some people were getting my points about building systems where _no one_ gets put in the awkward position of having to decide to protect a thief.
00:12 < amiller> i'm interested in more ideas/examples of how to encourage things-that-will-eventually-fail to fail immediately and obviously
00:12 < petertodd> gmaxwell: I'd suggest actually saying that directly...
00:12 <@gmaxwell> I thought I did!
00:12 < petertodd> I got it, I doubt even 10% of the audience did.
00:36 <@gmaxwell> " It would have been wrong of us to demand that the operator of a service turn down a well substantiated request in a case like this, it would make them a villain to the kind and honest people their decision harmed. We shouldn't create a world where people have to make choices like that."
00:37 < warren> gmaxwell: so the strongcoin guy detected the thief then modified the .js to take it?  That wasn't entirely clear on the thread.
00:40 < warren> It's amazing to me that the thief would be so dumb to use a traceable wallet at all.
00:41 <@gmaxwell> I mean, being a thief suggests a prior probability that you are not someone who makes excellent life choices.
00:42 <@gmaxwell> warren: yea, my understanding was that he just modified the script to have if(this_is_such_and_such)sendallfunds(overhere);
00:42 < warren> that's scary.
00:43 < warren> I haven't checked if my blockchain wallet as Chrome extension has been silently updating itself
00:43 <@gmaxwell> It's the expected and obvious outcome and it's what I've spent the last year trying to convince people exists on these sites.
00:43 <@gmaxwell> ...
00:43 <@gmaxwell> warren: the extension only makes sure that the site matches the github, or at least thats how it used to work.
00:43 < warren> I've been meaning to switch away from it for weeks for that reason, and also the ability to brute force attack a wallet.  I strongly suspect someone downloaded all the encrypted wallets.
00:44 <@gmaxwell> yea, a lot of compromises lately and people claiming they had fairly strong keys.
00:44 < warren> I think there were two or three different blockchain wallet attacks
00:44 <@gmaxwell> there might be a vulnerability that let people bulk download the encrypted wallets. (perhaps some xss)
00:45 <@gmaxwell> (er, CSRF really)
00:45 < warren> 1) XSS or java browser exploits from clicking links on btc-e trollchat.  2) Android wallet malware and blockchain's android wallet being far less secure.  3) Weak passphrases and brute force cracking of all encrypted wallets that were downloaded.
00:46 <@gmaxwell> fwiw, I do all my webbrowsing in a separate VM. Security is just too hard.
00:46 < warren> gmaxwell: reportedly someone is 95% through writing another js client-side encrypted wallet.  he intends on open sourcing it.
00:46 < warren> yeah
00:46 <@gmaxwell> ::Sigh:: sounds like another instawallet waiting to happen. :P
00:46 < warren> sadly there seems to be something wrong with kvm.  It's wayyyy slower than a few months ago.
00:46 <@gmaxwell> People are really too easily convinces that JS wallets are completely secure.
00:47 <@gmaxwell> weird. Working fine for me.
00:47 < warren> not sure what's going on
00:47 <@gmaxwell> s/convinces/convinced/
00:48 < warren> He's writing it for Litecoin, but will launch it for both
00:48 < warren> Litecoin idiot factor is a bit higher ... and MtGox confirmed today that they will launch Litecoin real soon.
00:48 <@gmaxwell> why doesn't he just take the code?
00:49 < warren> not sure, it has no copyright or license notices, suggesting it is on github only to allow auditing?
00:49 < warren> Litecoin remains unmaintained.  I really want to work on it but too busy.  I volunteered to help the professor finish her book before the June 1st deadline.
00:49 <@gmaxwell> oh, hm. I thought it was liberally licensed, I got yelled at by piuk for calling it proprietary.
00:49 < warren> oh?
00:50 <@gmaxwell> as far as litecoin goes... ... tell mtgox that they want to pay you to work on it, and perhaps then you could justify some more time?
00:50 <@gmaxwell> if they're trading it .. and litecoin goes explody it could turn out quite bad for them.
00:50 < warren> I seriously doubt they would pay me.
00:51 < warren> well, it could go explody even if maintained
00:51 <@gmaxwell> sure, more likely to if unmaintained.
00:51 <@gmaxwell> I mean, other altcoins have had enormous rewrite attacks in order to exploit exchanges.
00:51 <@gmaxwell> and those exchanges are no longer in business anymore.
00:52 < warren> Litecoin remains vulnerable to the BDB lock limit self-consistency issue now.
00:53 < warren> gmaxwell: how is your relationship with mtgox?  could you suggest this?
00:53 < amiller> oh wow litecoin is being added to mtgox?
00:53 < warren> amiller: yes.  seems premature and risky to me.
00:53 < amiller> i actually did *not* suspect an altcoin would catch on... like this...
00:53 < amiller> crazy times
00:54 <@gmaxwell> magicaltux was saying it was a joke a few weeks ago. I suspect it was a joke and then it got a positive response from someone relevant.
00:54 < warren> I'm not invested in Litecoin.  I'm interested in developing it because 1) they're hurting for devs 2) I want to prove anti-spam policies that Bitcoin seems unwilling to adopt.
00:55 <@gmaxwell> A friend that has some of my old gpus is mining litecoin, ... he went through three pools before finding one that wasn't just robbing him blind.
00:56 <@gmaxwell> (I suspect his anti-samdar is not very finely tuned!)
00:56 < warren> There are honest litecoin pools.  Trouble is they get killed by DDoS often.
00:56 < warren> p2pool is the most reliable way to mine it.
00:57 <@gmaxwell> yea, I think he was on one that got dos killed first, and then switched to something else that just never paid him at all... and then another one which was giving him about 10% of what he should have been getting... and then one that went offline with positive balances.
00:57 < warren> Trouble with p2pool though is the dust + litecoin's super high fees.  I tried to convince forrest to reduce the number of shares in the next p2pool hardfork as the current dust size is unusably small.  He isn't budging.
00:58 <@gmaxwell> people can turn up their share difficulty if they'd prefer to not get dust.
00:59 < warren> My maximum 100% efficiency dust size is too small.
00:59 < warren> I had to abuse 7 10KB free tx's to combine a thousand of them yesterday.
00:59 < warren> (maybe not a thousand, a few hundred, dunno)
01:00 <@gmaxwell> huh? changing your share difficulty shouldn't have anything to do with your efficiency!
01:01 < warren> What difficulty factor are you suggesting?
01:01 < warren> 5x less often?
01:02 <@gmaxwell> however much makes it so you don't get paid in every block
01:03 < warren> It allows a maximum of 10x
01:03 < warren> which isn't high enough to do that
01:03 <@gmaxwell> ah, well that seems like an issue.
01:03 <@gmaxwell> it should be claimed not on the up side but on the down side.. e.g. it shouldn't let you set it to more than 1/50th of a block or something.
01:04 < warren> It really isn't clear why Litecoin has such exchange value.  There's NO VENDORS.
01:05 <@gmaxwell> it's speculation
01:05 <@gmaxwell> duh
01:05 < warren> were you serious about asking mtgox to sponsor dev?
01:05 < warren> Not a weekend bounty, like payouts every 3 months as long as progress is made.
01:05 <@gmaxwell> I was, I have no clue if they'll do it. if they're not already doing it they're morons... given that they're morons, ::shrugs::
01:07 < warren> I'm 60% convinced the hash is a risk.
01:07 <@gmaxwell> know of any online namecoin wallets that support importing private keys? I have some nmc to rid myself of and don't really feel like starting up a namecoin node....
01:07 < warren> It seems implausible that someone would invest money to destroy it though.  They could just extract outsized profits.
01:08 < warren> nope
01:08 < warren> heading to class, bbl
01:54 < petertodd> re: litecoin a silkroad clone started up recently that denominates in litecoin by default
01:55 < amiller> i summarized my above points about fees and contention here
01:58 < petertodd> Hmm... one odd thing about coinbase tx's is they can-not have non-generation inputs. If you allowed that, and made them an exception to the usual rule that you can-not spend a coinbase, your equilibrium creating behavior can be done, paying part of the fee to the next miner, and yet still avoid the mess of a re-org canceling coinbases.
01:59 < petertodd> The fee you give to the next miner would basically be an anyone-can-spend output from the coinbase tx.
01:59 < amiller> righteous
02:00 < petertodd> yup
02:00 < petertodd> but it's late here, night
02:00 <@gmaxwell> or you do what I suggested before: make uncollected fees spill forward and you avoid all the weird maturity restrictions
02:01 < petertodd> gmaxwell: makes proofs that the block is correct potentially unbounded in size
02:01 < amiller> no you'd just have everyone keep a counter in their state
02:02 < petertodd> hmm, yeah, I'll think on that, but later
02:06 <@gmaxwell> petertodd: nah, doesn't, you just make the payforward accumulator part of the header.
04:39 < warren> gmaxwell: coblee is concerned about taking donations/sponsorship to help dev because that may create expectations or implied liability
22:10 < amiller> i'm just saying that including it in a storage proof of work puzzle of some kind is an approach to getting replication, which is closer to what you want than just paying one service specific
22:11 < petertodd> Problem is replication factor is a human thing, and it *can't* be proven with a proof-of-work. Sure you can make a storage hard proof-of-work that kinda sorta implies it, but it tells us nothing about how many data centers need to burn down.
22:12 < amiller> the point is i agree that the cool thing about this is that it's not the network's problem if your old data is forgotten, and it can be up to the individual user to take appropriate precautions to pay people to store the relevant data in the right way
22:12 < amiller> we're all in fierce agreement here
22:12 < petertodd> I suspect in reality the "pay to get my txout mined" is more than sufficient to get at least a dozen full copies out there, and remember that if you leave your computer running, even as a partial node, you can both contribute to the validation effort and keep the proofs for your txouts up-to-date.
22:12 < gmaxwell> yea, and it's tricky to not create huge outsourcing or consolidation benefits that way. amiller: your best solution against outsourcing requires some pretty tricky economic reasoning on the part of miners which is currently disproven by existing practice (not just in bitcoin but in every place humans transact no one ever demands cryptographic proof of anything)
22:12 < amiller> insertion-order-sorted merkle tree is outstandingly cool in this regard
22:13 < amiller> or MMR if you prefer :3
22:13 < gmaxwell> petertodd: well and a logical thing is to also include kind of DHTish recovery service. E.g. randomly keep X gbytes worth of data, so you can have a chance to partake in people paying for recovery.
22:13 < petertodd> Ha, hey, I dedicated Merkle Mountain Ranges to all the hikes in the Canadian Rockies I've had with my dad, so I'm fighting to make the name stick. :P
22:14 < amiller> i'm okay with that :)
22:14 < petertodd> amiller: Hey, at least I didn't call it Todd Trees.
22:14 < amiller> lol
22:14 < gmaxwell> amiller: MMR also implies that you care about the cheap insert rule. :)
22:14 < petertodd> gmaxwell: Yeah, and the "DHT" in this case needs nothing more than sipa's block ranges really - it'd be a long time before the DHT actually needs routing.
22:15 < amiller> i'll consider that MMR refers to not just the data structure but all the implied good properties it has :)
22:15 < gmaxwell> petertodd: yea, locality is good as it reduces the storage and computation required.
22:16 < gmaxwell> I wish sharding it were easier, but there are weird fungibility problems with sharding.
22:16 < petertodd> gmaxwell: I'm pretty sure I can do a sharding scheme that doesn't have fungibility issues actually, although it will have scary fraud issues.
22:17 < gmaxwell> you are not helping my confidence there!
22:17 < petertodd> gmaxwell: It'd also have 51% attack issues given we need a market for transaction fees... although I think with my "per-tx pow" scheme and some proof-of-stake sprinkled in it just barely works...
22:18 < gmaxwell> it works if you have a hierarchical currency. E.g. a master coin that everyone validates. And then shard coins. And you can only spend within shards and between shards and master.  But that hurts fungibility.
22:18 < petertodd> gmaxwell: Yes, multiple currencies makes it really easy. I think on the forum I gave the toy example of a circular set of currencies, where mining always mined an adjacent pair basically.
22:19 < petertodd> (good post to timestamp come to think of it...)
22:20 < amiller> i'm beginning to think even fungibility doesn't matter as much
22:20 < amiller> one thing i've been worrying about with, say, ripple or color coin currencies is how you pay the miners if they don't care about your currency
22:21 < amiller> but you *don't* have to pay all the miners, you only need to pay enough of them
22:21 < amiller> you can mine your own irrelevant transactions if you can afford the cpu but no one else likes your currency
22:21 < amiller> the more broadly valuable your sillycoins are the easier it is to convince all the miners to include it
22:22 < petertodd> amiller: With wallet support it'd be easy enough to paper over the fungibility problems by just trying hard to keep the user's wallet well balanced, and accepting that some transactions take a few more confirms.
22:22 < amiller> sure
22:22 < amiller> you can have an automated portfolio of colored coins too
22:22 < petertodd> amiller: Someone more versed in graph theory than me could probably come up with some scheme where you have log(n) steps to spend any coin.
22:23 < amiller> you could have an altcoin that had proof of work mining, no startup bonus, only self issued currencies, and fees are just paid in IOUcoins of any user's discretion
22:24 < amiller> the only problem is that we don't have much reason yet to be confident that the whole consensus thing works with the current system with all the block bonuses removed
22:24 < petertodd> amiller: Well, do you understand my circular set of pair-wise-mined currencies example?
22:24 < petertodd> amiller: You can still have block bonuses there.
22:25 < amiller> block bonuses are gonna go away anyway so the question is are voluntary transactions fees just to the miner good enough
22:25 < amiller> i like the idea that eventually you'll have to bribe the next miner to build on your block rather than 'discouraging' it
22:26 < petertodd> Yeah, and anyway to make such schemes work we have to get fraud proofs to work well, and I think right now TXO commitments are the logical way to do that...
22:28 < petertodd> One interesting thing about all this stuff, is suppose we got a nice, shardable, ultra-decentralized currency: I suspect we'd want a token system, with fixed values, so that the transactions related to the lowest value tokens moving around can be relegated to the lowest security chain.
22:28 < petertodd> Otherwise the whole thing just becomes a nice way to instant-message your friends...
22:28 < amiller> petertodd, no the trick is insurance
22:28 < amiller> i sort of have an idea of how navigating the multi hierarchy currency works
22:29 < amiller> the main questions is how you exchange value from a small currency to a larger one
22:30 < amiller> like even if you have a locally-meaningful currency, it's still beneficial to have a broader audience observe the transactions
22:30 < petertodd> See, I'm thinking of a system where for a long, long time, the "1 satoshi" chain has basically no attention paid to it so fraud is rampant and people don't trade in single satoshis.
22:31 < petertodd> Because if you *can* cheaply trade in single satoshis, securely, then what stops me from timestamping everything? At some point something needs to break down, and there needs to be some way to "communicate" back the cost of the whole system to its users.
22:31 < petertodd> There Ain't No Such Thing As A Free Lunch!
22:32 < amiller> i think we vaguely agree again :)
22:32 < gmaxwell> shard by txout value.. interesting.
22:32 < gmaxwell> but that creates a linear hierarchy which is kinda lame.
22:32 < petertodd> Yeah, I think it'd probably work best with some kind of storage-hard proof-of-work, especially if it can somehow be directly related to validation.
22:33 < petertodd> gmaxwell: Maybe it doesn't need to be linear? Maybe it's just opportunistically sharded, IE you mine whatever part of the UTXO set that you want to, and we use fraud proofs to keep people honest.
22:33 < petertodd> A worthless chain won't have many people actually validating it, so every so often someone will get away with fraud, or the data will get lost and coins will become unspendable.
22:34 < petertodd> Conversely the 2^32 satoshi chain is actually economically important, and it's basically impossible to get away with fraud.
22:34 < amiller> sorry in advance for the following ramble but just be glad it's not in bitcoin-dev
22:34 < petertodd> All those chains can operate in lock-step too, so atomic transactions are still possible. (though exchanging a 2x 1 satoshi tokens for a 2 satoshi token won't be possible)
22:34 < amiller> what strikes me as really strange is that with the bribery/incentive/rational modeling it seems like we're headed towards a system that works even if people just do whatever benefits them
22:35 < amiller> what's the role of the protocol or constitution in that case?
22:35 < amiller> what's even the need for a correct set of rules if following them is optional but just beneficial by default somehow
22:35 < amiller> and i wonder if the explanation is that it's arbitrage of some kind between two kinds of rationality
22:35 < amiller> there's like the immediate greedy decision that you'd make fully anonymously
22:36 < amiller> and a separate kind of policy that you want to enforce on everyone else
22:36 < amiller> like it's easy to show support for a certain rule when it's probably not going to affect you anyway, like by building on someone else's block
22:37 < petertodd> I'll warn you, I'm this close to inviting you to #postmodern-bitcoin... :P
22:37 < amiller> likewise it's easy to deviate from the rule when the benefit is clear
22:37 < amiller> yeah well
22:37 < petertodd> heh, though go on :P
22:38 < amiller> that was the end of the thought i guess
22:38 < amiller> sometimes there's a new datastructure at the end, not this time
22:39 < petertodd> gmaxwell: Oh, and you know, what's really interesting with multiple powers of two token chains is that MMR TXO commitments are the perfect data structure for them, given the mandatory data required to mine a new block is very small, and they can continue even if all the data is lost.
22:40 < gmaxwell> well.. there is less need to shard if full verifying requires little state.. the primary advantage is potential bandwidth.
13:01 < gmaxwell> Things like that crop up all over the place, we get them in Bitcoin... they show up in any sufficiently large piece of software or hardware design. In digital electronics you'll sometimes have problems when analog effects that you thought you could ignore crop up.
13:02 < Emcy> obviously its not such a big problem as i think then
13:02 < Emcy> are there any cryptosystems that are unkowable in full by human mind?
13:03 < gmaxwell> Well...
13:04 < gmaxwell> We depend on knowing the thing in order to make arguments for its security. Modern cryptosystems are built out of simple regular parts.  Otherwise if you make something too complex you'll miss a weakness which will be obvious to someone who 'looks at it from another angle'.
13:04 < gmaxwell> So all the primitives we use are quite simple and straightforward.
13:05 < gmaxwell> Though in more recent times people have been building taller towers, systems which are only simple if you abstract away the details.
13:05 < Emcy> but they dont always interact in the way you think they should.
13:06 < Emcy> perhaps one day we will throw together enough primitives that it will turn around and ask us for clemency.....
13:09 < andytoshi> Emcy: there is a good lesson about this in the history of tls
13:10 < andytoshi>
13:12 < Emcy> im sure it is provably secure, the auth part is letting it down badly though these days
13:13 < andytoshi> that link has a short blurb about the MAC fiasco in the 90's
13:14 < Emcy> what's that
13:14 < Emcy> nm, I'll read
13:15 < andytoshi> it's a classic "things interact in surprising ways when you pile them on" story
13:15 < andytoshi> and the complexity of that problem was not even very high..
13:17 < Emcy> from what ive seen almost no servers still dont use tls 1.2
13:18 < andytoshi> yeah, i don't think browsers will even accept tls 1.0
13:18 < Emcy> i always thought people used old shit because its been in the trenches longer than new shit.
13:19 < Emcy> i saw a server with tls 1.0 and 1024 rc4 or something recently
13:20 < Emcy> thats pretty bad
13:22 < Emcy> jesus christ it just rained the hardest its ever rained around here in 30 years
13:22 < Emcy> it was raining upwards.......
13:22 < Emcy> wall of water
13:23 < andytoshi> well, i am off to the airport, good talking to you guys
13:24 < Emcy> good flight
13:24 < Emcy> oh
13:34 < Emcy> god dammit planetside 2 has been down for hours
13:35 < Emcy> i spose thats why its free
13:56 < nsh> andytoshi, your link on tls -- reminds me of that scene from one of the hitch-hiker's guide books...
13:56 < nsh> "Arthur goes to the village. He finds a woman seer who swats at flies in front of a cave. She smells horrible. She does her dead goat-like animals. He helps her take her photocopy machine out into the sun because it is solar-powered. She hands the photocopies to him. It is the story of her life. He should read it and not make the decisions she made to end up alone..."
13:56 < nsh> ( )
13:57 < nsh> someone should teach a remedial history of the internet, annotated at every point where we fucked it up
13:57 < nsh> in case we get a chance to start over at some point :)
14:51 < eclark> what do you think of **********DOGE*********
14:57  * nsh looks at eclark pointedly
16:59 <@gmaxwell> andytoshi, luke: I went and posted the description of my attack on that cryptosystem. (since he tried and didn't figure it out and asked me to explain it)
17:03 < jtimon> gmaxwell do you have a link?
17:05 <@gmaxwell> jtimon:
17:07 < jtimon> thanks
17:24 < nsh> i don't really understand the assumption that you'd want to have much correspondence with someone you just performed a pseudoanonymous one-time transaction with. i rarely feel the urge to call the hot-dog stand for a chat...
17:26 < helo> maybe authentication to some service that the one-time transaction paid for
17:26 < nsh> mmm
17:34 < helo> people generally handle their bitcoin private keys more securely than most other kinds of private keys, so services that are cobbled together ontop of bitcoin's PKI smell ultra-secure
17:36 < BlueMatt> heh, shit...they recovered rsa pgp private keys from the noise a cpu makes...
17:36 < nsh> yeah, was reading about that today
17:41 <@gmaxwell> BlueMatt: none of the crypto we use for bitcoin is timing/power side channel immune.
17:41 <@gmaxwell> I don't believe there exist constant-time implementations of the primitives for secp256k1 at all right now.
17:41 < BlueMatt> gmaxwell: I didnt think they were, I just found this particular paper fun
17:42 < nsh> i wonder how much of the efficiency advantage of EC is lost with constant time primitives...
17:43 <@gmaxwell> nsh: the curve25519 stuff is constant time, and stupid fast... but its partly a result of having picked parameters with that in mind.
17:43 < nsh> hmmm, okay
17:44 < nsh> i wish djb would release the minimaLT code :/
18:06 <@gmaxwell> dear god.
18:06 <@gmaxwell> this guy is wasting unbounded amounts of my time in private message.
18:07 < BlueMatt> so ignore him?
18:07 < BlueMatt> or limit your bw
18:07 <@gmaxwell> I had hoped that I'd not be able to waste any time on him by dispatching luke to respond on the threat, but that ended up like a cesium / water reaction.
18:07 <@gmaxwell> s/threat/thread/
18:08 <@gmaxwell> dude is convinced he's going to revolutionize bitcoin with his grand ideas, but his only experience is with bc.i.
18:08 <@gmaxwell> and he's all confused about how bitcoin works.
18:08 <@gmaxwell> and every exchange I have with him is revealing another understanding.
18:09 <@gmaxwell> like after message 6 I discover that he's planning on 'solving' the problem that the "messages in transactions are cleartext".
18:09  * nsh chuckles
18:09 < maaku> gmaxwell: there are a dozen people on bitcointalk like that
18:09 < maaku> if only the ignore bit were an option :\
18:09 <@gmaxwell> And the idea that a business that ships out goods to people would generate a new address for each payment seems to be completely foreign to him.
18:10 < BlueMatt> maaku: a dozen? really? theres like a few thousand...
18:10 < maaku> heh
18:10 <@gmaxwell> I could ignore him but I don't want him going and fucking stuff up with his earnest enthusiasm.
18:11 < nsh> there should be a crypto playpen tarpit for people
18:11  * maaku fully expects him to find some investor willing to throw insane amount of money at his ideas
18:12 < BlueMatt> or...we could just let people implement dumb crypto primitives, and use idiots to steal coins from
18:14 <@gmaxwell> part of the problem, of course, is that even the broken and dumb ones are seldom so bad as to enable theft.
18:15 < BlueMatt> yup
18:15 <@gmaxwell> like this guy's busted-ass cryptography still would take 2^64 queries to a decryption oracle to crack one message. Even if someone had convinced him to reduce the mac to 32 bits, it likely would have only rarely been a practical attack.
18:16 <@gmaxwell> he also thinks he can do things with transaction "from" addresses.
18:16 < BlueMatt> how much would it cost to put an ad on bitcointalk that just says "THERE IS NO FROM ADDRESS, GET THAT THROUGH YOUR HEAD, IF YOU DONT GET IT, GO AWAY"
18:17 < nsh> ehehe
18:17 <@gmaxwell> BlueMatt: I wonder what the revenue stream from bc.i is? It can't be that great if its really just the ads and they don't have income from spying on people or whatever.
18:18 <@gmaxwell> We could raise money to buy it and shut it down.
18:18 <@gmaxwell> Without notice.
18:18 < BlueMatt> they have pretty reasonable vc funding iirc
18:18 < BlueMatt> so...they must have some business model, somewhere
18:18 <@gmaxwell> darn
18:18 < BlueMatt> even if its "down the road, we..."
18:18 <@gmaxwell> (3) profit.
18:21 < maaku> money up for grabs:
18:23 < maaku>
18:24 <@gmaxwell> uh.
18:24 <@gmaxwell> that seems really dishonest to me.
18:25 <@gmaxwell> it looks like the security is dependent on their server handing out the correct keys.
18:25 < BlueMatt> they claim you can also do dh p2p and then compare some image that represents the shared key or something
18:25  * BlueMatt didnt read closely, it just said "compare image after dh exchange"
18:28 <@gmaxwell> I wonder why they're using sha1, especially when they need 512 bits of KDF.
18:48 <@gmaxwell> I see that has similar thoughts to me,
18:51 < nsh> "Yeah, it's probably against the rules of the competition and will get you arrested if you try. But I think if someone does break into their central server and wins the competition that way, they should still be paid out."
18:51 < nsh> i like those odds!
18:53  * gmaxwell contemplates that google search you did earlier today in #bitcoin ... :P
18:54  * nsh smiles
18:55 <@gmaxwell> hm. I was trying to see what their physical location was, and it seems to be run by totally anonymous parties?
18:57 < nsh> can you sell on the google play store anonymously?
18:58 < nsh> LLCs are registered, but anyone can call themselves X LLC
19:00 < nsh> possibly William / Jordan A Baker
19:00 < nsh> (no mention of encryption in the trademark application though)
19:01 < nsh> ( )
19:43 < adam3us> hmm this coinmessage thread is locked so i cant join in!  i was going to explain that what the sender claims is R.x from R=rP can be s st there is no solution to s=f(x) ie s is not on the curve.  he doesnt seem to get that (re comments about s being > n)
14:12 < gmaxwell> making it somewhat small means that from day 1 people would need to vote to keep the size up, thats probably good.
14:12 < gmaxwell> e.g. you want to actually make the minimum smaller than the current need so the need to vote doesn't surprise people later.
14:13 < petertodd> The thing is a non-vote is always a vote for the status quo, so people *don't* need to vote if they are happy.
14:13 < petertodd> (or just want the limit to reduce a bit)
14:13 < gmaxwell> petertodd: how do you vote for a reduction?
14:14 < petertodd> You vote for a reduction and a miner can chose to include it.
14:14 < petertodd> *choose
14:14 < petertodd> (john thought some % of the block limit should be reserved for votes FWIW)
14:14 < gmaxwell> hm. perhaps instead the vote-absent-target should be some median of the last N block sizes.
14:15 < gmaxwell> Since miners can already drive it down to nothing regardless of what the voters think.
14:15 < petertodd> That's what john proposed, the limit changes once per year, and a non-vote is a vote for the median of last year's and this year's limit.
14:15 < gmaxwell> not a median of the limits, a median of the observed blocksizes.
14:15 < petertodd> Basically that's just there so that if a too-high size allows for censorship, the limit will gradually reduce.
14:15 < petertodd> But that means miners can just pad blocks to change peoples status quo votes.
14:16 < gmaxwell> petertodd: yes, so then they stop voting.
14:16 < petertodd> But you can't *not* vote the status quo except by voting something else.
14:17 < gmaxwell> or to be more clear: miners' actual observed behavior _is_ the status quo.
14:18 < gmaxwell> petertodd:  median(blocks) < limit < 2*limit.   You're voting if the limit should be closer to median(blocks) or 2*limit.
14:18 < gmaxwell> if you don't vote, thats a vote for the median, and the limit will fall.
14:18 < petertodd> Hmm... that's reasonable.
14:18 < gmaxwell> (as the median must always be smaller than the limit)
14:18 < gmaxwell> the speed at which it falls depends on the miners behavior.
14:19 < gmaxwell> it will fall slowly if they're consistently right at the limit.
14:19 < petertodd> Although it's easy for all miners to decide to pad blocks to keep median(blocks) == limit
14:19 < gmaxwell> maybe median(blocks)- just in case they .. right
14:19 < gmaxwell> er right.
14:19 < petertodd> With jdillons proposal, the limit *will* fall even in that case.
14:19 < petertodd> For that matter, not all miners, 50% majority of miners.
14:20 < gmaxwell> yea, doesn't actually even need to be median, it could be a mean or some kind of weighed mean.
14:21 < petertodd> I'd just keep it as vote for 2*limit or vote for limit/2 in that case, pick a representative UTXO for each block, and calculate weighted mean for the past years worth of blocks.
14:21 < petertodd> Every step of that is cheap to prove.
14:22 < gmaxwell> So that has stability problems, I think.
14:23 < gmaxwell> basically, if blocks are full and you're like "fuck! I have more bandwidth, I want cheaper transactions"
14:23 < gmaxwell> you'll be voting 2* all year long with all your friends.
14:23 < gmaxwell> maybe you really only needed a 10% bump.
14:23 < gmaxwell> you'll be pissed all year and then get a great big step when you really only needed 10% (but you don't _know_ you only needed 10%)
14:24 < gmaxwell> so it should probably be more continuous to facilitate discovery.
14:24 < gmaxwell> One problem is that a rolling window has a high group delay.
14:25 < petertodd> Hmm... make the limit change every block, by 2 / (1year/10minutes) ?
14:25 < gmaxwell> so you're voting 2* for a long time, and then finally it really goes up.. and keeps going up even though you're like "fuck, too big!"
14:25 < gmaxwell> so there is a tradeoff there.
14:25 < petertodd> Yes, but everyone can spend their txouts to change their votes.
14:26 < gmaxwell> okay, I'll accept that its acceptably soluble.
14:26 < petertodd> Of course, in the context of computer systems, chances are 2x isn't really a big change.
14:27 < gmaxwell> well not just computer systems.
14:27 < gmaxwell> this is needed to keep fees up to prop up difficulty.
14:28 < petertodd> Against an attacker, does 2x feel like much safety margin?
14:31 < petertodd> Oh nice, so 1year/10minutes = 52,560 ~= 2^16, so the code can simply find a representative UTXO, and if the vote is to raise, do limit += limit>>16
14:31 < petertodd> If the vote isn't to raise, do limit -= limit>>17
14:32 < petertodd> oh, wait, no I'm an idiot...
--- Log closed Fri Jul 19 00:00:02 2013
--- Log opened Fri Jul 19 00:00:02 2013
11:13 < jgarzik> petertodd, RE identity + IRC replacement via P2P flood-fill network...  do you think a PoW element should be included, a la BitMessage?  Or just rely on identity cost and shared opinion
11:13 < jgarzik> ?
11:14 < petertodd> I think identity cost is enough because the domain over where the message is sent is fixed - there's no re-use potential.
11:15 < petertodd> rb
11:15 < petertodd> brb
11:47 < petertodd> back
13:08 < petertodd> jgarzik: I suspect dealing with the graph of trust is going to be tricky... smells like a computationally intensive graph problem.
13:09 < jgarzik> indeed
13:09 < petertodd> One subtlety is you have to apply the same anti-spam rules to messages stating who you trust.
13:10 < petertodd> The other one is how do you find peers who have similar ideas of what to filter.
13:11 < petertodd> For v1.0 maybe the right approach is to not do it as a graph, but as a simple accounting of the sum sacrifice ignoring someone.
13:13 < jgarzik> certainly easier
13:14 < jgarzik> though disappointing there must be some sort of state
13:14 < petertodd> Yes, more minimal state, but that's still state.
13:14 < petertodd> At least it's state without user-controllable parameters - like bitcoin peers can sync to each other and come to consensus.
13:15 < jgarzik> also I wouldn't want everyone in the world on the same P2P network.  My proxy would join user-specified networks, each with their own DNS seeds or methods of address gathering/bootstrapping/sharing.  i.e. join "freenode" network with specified network magic and DNS seeds
13:15 < jgarzik> enables darknets and scaling
13:16 < petertodd> For bitcoin P2P flood fill jdillon suggested that you split things up into different domains by a simple UUID.
13:16 < petertodd> Nodes can even advertise a bloom filter of what UUIDs they participate in.
13:30 < jgarzik> Perhaps, but ultimately I think people should be able to avoid transiting data for networks they care nothing about
13:31 < jgarzik> Proxy can talk to multiple P2P networks just as easily
13:32 < petertodd> Point is with those UUIDs that's exactly what happens, yet to an observer the behavior of all those networks is identical.
13:33 < petertodd> Also allows for a meta-UUID(s) to make peer discovery for a given UUID easier.
16:38 < sipa> every time i (re)join here, it seems the number of people has grown :)
16:39 < petertodd> we'll have to make -gods eventually
16:39 < sipa> well, there's always #bitcoin-satoshi above...
16:40 < petertodd> heh
16:43 < gmaxwell> this is the best bitcoin channel.
16:43 < gmaxwell> well, other than the one where you have to solve the cryptographic puzzle embedded in the blockchain to join...
--- Log closed Sat Jul 20 00:00:05 2013
--- Log opened Sat Jul 20 00:00:05 2013
02:27 < midnightmagic> :-I please don't tell me that unless there is actually a puzzle
02:28 < midnightmagic> lol
02:28  * midnightmagic distracts himself by clicking the bitmaps in obscure unicode glyphs
--- Log closed Sun Jul 21 00:00:08 2013
--- Log opened Sun Jul 21 00:00:08 2013
19:12 < gmaxwell> petertodd: so one additional property your transaction PoW stuff would have is that it would increase the incentive to make sure you include transactions from the far side of a network partition.
--- Log closed Mon Jul 22 00:00:11 2013
--- Log opened Mon Jul 22 00:00:11 2013
06:57 < petertodd> gmaxwell: indeed, for my proof-of-sacrifice ideas, like the zookeyv key-value consensus system, I was thinking that'd basically be the whole incentive to try to broadcast the fact that you made a block/tx as widely as possible
06:58 < petertodd> gmaxwell: Works really well I think if the blockchain has a DAG structure and including non-conflicting branches is advantageous.
--- Log closed Tue Jul 23 00:00:15 2013
--- Log opened Tue Jul 23 00:00:15 2013
02:42  * amiller grumbles
02:43 < amiller> i think the first rule of bitcoin is "no global identities"
22:14 < gmaxwell>
22:14 < gmaxwell> damnit I must be tired.
22:14 < gmaxwell> Can someone decode which properties they're actually achieving there?
23:30 < petertodd> "secure against semi-honest servers" <- you've got good reasons to wonder
23:37 < petertodd> yeah, I don't think it's interesting for us - seems to be an interactive protocol where the client gets a proof that c \in S without knowing S, but you still need that round trip
23:38 < petertodd> I think the advantage over a merkle tree is supposed to be that the underlying primitive can be a bloom filter, rather than a complete dataset like a merkle tree
23:40 < gmaxwell>
23:40 < gmaxwell> there I tried to read it again and managed to uncross my eyes long enough to understand their first form.
23:41 < gmaxwell> it's relatively clever, at least less obviously horrible than some of the oblivious query stuff... but I can't think of anything we could use it for.
23:41 < petertodd> yeah, and that kinda makes sense, but what they are talking about appears to have to be an interactive protocol
23:41 < gmaxwell> petertodd: it is.
23:41 < gmaxwell> you can't query membership without asking the other side to blind sign for you.
23:41 < petertodd> right, which isn't much better than just a merkle tree
23:42 < gmaxwell> I can't think of anything we can use it for.
07:56 < warren> they're scared suddenly by Luke-Jr's patch, and realization that there's targeted ways for pools to filter only them
07:58 < adam3us> warren: i dont want to give them ideas but i think steganography wins (eg they could use committed tx too (even steganographically encoded variant of it), and we may want to prevent miner policy with (non-stego) committed tx also) Luke-Jr is awesome but miner policy is a slippery slope when we have limited technical defense against miner centralization
07:59 < sipa> luke's patch makes sense, but it's not rational for miners to adopt it
07:59 < sipa> it adds complexity to mining, and can only result in lost fee income
08:00 < adam3us> sipa: his policy was to deprioritize non-unique addresses right? or was there another feature also?
08:00 < sipa> yes
08:01 < adam3us> sipa: and msc is using address tagging i guess
08:01 < warren> adam3us: their address tagging is for dumb reasons that have nothing to do with the goal of the protocol
08:01 < adam3us> sipa: sweet patch btw :)
08:01 < warren> adam3us: it's for the founder to collect a tax on every tx
08:02 < Fistful_1f_LTC> why dont they move to PTS
08:02 < adam3us> warren: yes so the patch is a temporary win
08:02 < Fistful_1f_LTC> or create their own,
08:02 < adam3us> Fistful_1f_LTC: yes i suggested that to ripper123 on the msc thread - pts
08:02 < sipa> PTS?
08:02 < Fistful_1f_LTC> protoshare
08:02 < Fistful_1f_LTC> bitshare
08:03 < adam3us> sipa: protoshares a temporary "please mine this while we code bitshare" and we promise to give pts a 10% premine equity in bitshare
08:03 < Fistful_1f_LTC> lol
08:03 < sipa> brrr
08:03 < warren> Fistful_1f_LTC: I think their goal is to avoid having the entire network being declared illegal by making it impossible to be detected
08:04 < adam3us> Fistful_1f_LTC: its awesome - i hung out on the #protoshares irc for a short while - most of the people had no idea what or why they were mining, only that they were there EARLY so if it rocketed theyd make a bundle
08:05 < adam3us> warren: i think stego works, eg built on committed tx.  but only up to the insider attack  someone can get in their identify msc tx via nominal value msc tx, and feed the info and evidence to miners to block
08:08 < Fistful_1f_LTC> adam3us: it's already rallying,
08:08 < adam3us> sipa: the mistakes on pts were almost terracoin in proportion.  its hashrate went up faster than the adjustment could control, so it mined 6months planned in 1 week. they released a hardfork patch and demanded all miners switch
08:08 < Fistful_1f_LTC> i'm mining a ton right now
08:08 < TD> i don't think miners should be down-prioritising address re-use
08:08 < adam3us> Fistful_1f_LTC: i think you maybe could get more speed, like n^2 more by increasing the ram used in the code
08:09 < Fistful_1f_LTC> how would i do that?
08:10 < adam3us> Fistful_1f_LTC: there is a data structure that stores collision candidates, its set to like 1GB, if you increase it to 64GB it may run 1000x faster
08:10 < adam3us> Fistful_1f_LTC: (or however much ram you have)
08:11 < Fistful_1f_LTC> using AWS
08:11 < Fistful_1f_LTC> its probably scalable
08:11 < adam3us> Fistful_1f_LTC: yes you can choose instances with more or less RAM, but try it first
08:12 < warren> TD: sipa: sure Luke-Jr's patch may not be rational, although filtering MSC may
08:12 < TD> well it's just not useful, imo. people already have incentives to not re-use addresses
08:13 < Fistful_1f_LTC> ok, you know which datastructure that is?
08:13 < adam3us> Fistful_1f_LTC: erm 1 sec
08:13 < Fistful_1f_LTC> or which miner are you talking about the coyote one ? or the beer
08:14 < adam3us> Fistful_1f_LTC: either the qt client or the ptsminer client (its the same code)... the bitshare binary they dont release source for
08:14 < warren> and OMG, have you read their "spec"?  The designer seriously doesn't know what he's doing.
08:15 < Fistful_1f_LTC> ok, i use ypool's miner, which is slightly faster,
08:15 < warren> huh, protoshares uses XPM's pow?
08:17 < adam3us> Fistful_1f_LTC: probably from same source... look for semiOrderedMap.cpp
08:17 < Fistful_1f_LTC> adam3us: cool, thanks
08:17 < Fistful_1f_LTC> warren: they use momentum,
08:18 < adam3us> Fistful_1f_LTC: (I havent tried it... just as they are using birthday collision, until ram is full it speed increases n^2 with size of ram, if the cpu cores are fast enough to fill it in about the size of a block duration)
08:18 < Fistful_1f_LTC> slightly "hardened" scrypt, but it seems it's not that much harder
08:19 < adam3us> Fistful_1f_LTC: did they change it?  i think its H=hashcash-SHA512-26 (26 bit bitcoin like collision)
08:19 < Fistful_1f_LTC> adam3us: i will test it then
08:19 < adam3us> Fistful_1f_LTC: warren: then they store H(cb,a), H(cb,b) for random values or counters a, until they find H(cb,a)==H(cb,b) in the last 50-bits (50-bit birthday partial collision)
08:20 < adam3us> Fistful_1f_LTC, warren: finally they test if H(cb,a,b) < target
08:21 < adam3us> Fistful_1f_LTC, warren: (cb is coinbase) their idea is its they wanted to make a scrypt variant which was faster to verify (3 hashes) but still needed ram like scrypt, an interesting but unsolved design concept (i thought of it and tried it myself ages ago - its not easy)
08:24 < adam3us> Fistful_1f_LTC, warren: consequently they failed on 3 counts: 1. it has TMTO (via unreliable bloom storage - which they didn't realize) so it can probably be made to work in GPU L2 cache; 2. it has progress so powerful computers win more than their share, 3.  it has economies of scale (ie 2x ram = 4x power). triple fail
08:27 < warren> adam3us: I recall Luke-Jr was touting their design earlier while making fun of Litecoin's PoW failure. =)
08:27 < warren> (sure ,Litecoin had a PoW failure)
08:31 < adam3us> warren: litecoin PoW failure was params, this one is algorithmic :) and luckily for the investors in litecoin, the b0rken params turned out to be OK params for GPUs when ASICs took over
08:33 < adam3us> warren: 3am dude.
08:33 < warren> sigh
08:33 < warren> yeah
08:37 < adam3us> warren: it would be interesting to find a way to design a secure memory hard pow that does not require memory to verify and has no progress nor economy of scale problems (nor tmtos)
08:38 < warren> adam3us: I don't have enough CPU's to benefit from that new scamcoin.
08:39 < adam3us> warren: the guy who asked me to look at it rented 80 vsps from the vsp provider that bitshare were getting affiliation profit for
08:39 < adam3us> warren: then bitshare did the hard fork he had 80 vsp sitting there with nothing to do on a month contract, he was not happy
08:40 < warren> adam3us: read the launch of XPM and digitalocean?  hilarious
08:40 < adam3us> warren: (the difficulty jump after the fork made it ridiculous)
08:40 < adam3us> warren: no will go take a look for giggles
08:41 < warren> hmm, can't find the URL
08:41 < warren> adam3us: someone made a killing ... from referral codes
09:40 < petertodd> adam3us: the underlying problem isn't the incentive to mine - timestamping by itself is fine - it's the incentive to *publish*
09:41 < petertodd> sipa: sure, but equally adopting the dust patch can only result in lost-fee income too...
09:42 < petertodd> warren: yeah, I told MSC to ditch the address tagging too - they understand the issue and even came up with the idea of creating a globally predictable per-MSC address so that MSC clients could still work via SPV
09:42 < petertodd> warren: s/they/some of them/ :P
09:42 < warren> gavinandresen: just to confirm, you have 5 BTC available for macosx corruption bounty? 1) explain HOW it happens 2) provide a fix that is acceptable for merging by the standard review procedure.
09:43 < warren> petertodd: ooh
09:43 < petertodd> warren: (a MSC investor approached me a while back and paid me to do a bit of consulting for them; said investor decided to sell all the same)
09:43 < warren> petertodd: that's a better design than what I came up with
09:43 < adam3us> petertodd: well if the mine is of a bitcoin coinbase that includes a merkle root for the side-chain - then the miner has to publish it to collect their bitcoin reward
09:44 < petertodd> warren: yeah, basically the idea would be to predict the address, you'd have to duplicate a decent chunk of their code. Obviously that can be stopped, but it's a pain in the ass too.
09:44 < warren> gavinandresen: we'll chip in to the bounty, ask public for more donations to chip in more and post it.
09:44 < petertodd> adam3us: sure, but what if publishing late has incentives for some reason? mastercoin has global state crap so...
09:46 < adam3us> petertodd: well other than selfish mining, delaying publication of bitcoin blocks is playing dice with $25*450
09:47 < petertodd> adam3us: yes, *bitcoin* blocks, we're talking about mastercoin here
09:47 < petertodd> (well I'm talking...)
09:47 < adam3us> petertodd: the pay not to mine, given tx is a problem for bitcoin also, or pay to mine a different msc merkleroot
09:48 < petertodd> adam3us: right, but remember, this is a side-chain, timestamped, so the problem is what happens if a MSC tx or block or whatever it's called gets stamped, but not published? it's not a trivial problem
09:50 < adam3us> petertodd: ah i see what you mean.  mining a hash runs the risk that the block is not available.  bitcoin mines a hash, but announces by sending the block in one stage (not hash then block)
09:51 < adam3us> petertodd: i think other miners ignore hashes without blocks, and orphan them
09:51 < petertodd> adam3us: exactly. and with pow mining, it helps that naturally everyone is running flat out - not true with sacrifices/timestamps/etc.
09:58 < petertodd> bbl
14:03 < Luke-Jr> adam3us: there's no slope in miner policy. miners have always had a right to decide which transactions they will and won't accept
14:04 < Luke-Jr> sipa: it's rational for miners to use it because it ensures the value of their earned bitcoin remains
20:35 < amiller> then you'd have to run E(P') in time t^3 just to get the 2nd from last, etc...
20:35 < amiller> E(E(P')) i mean
20:39 < gmaxwell> yuck.
22:59 < amiller> i want to make a new definition for proof of knowledge
22:59 < amiller> bitcoin is really the perfect example for this
23:05 < gmaxwell> hm?
23:05 < amiller> the need for something like an extractor is because of the vacuousness of just saying "there exists", in the sense that a blockhash is valid if there exists some valid blockdata that's a preimage of it
23:05 < amiller> because there are a lot of valid blocks and the hash has collisions somewhere
23:09 < amiller> the recursive snark / proof-carrying-data paper basically defines this "compliance predicate" thing that describes valid blocks but as a recursive statement
23:09 < amiller> hrm
23:09 < gmaxwell> hm. I guess a useful definition of proof of knowledge requires that the thing you're proving be concrete enough that it's not a totally empty claim.
23:11 < amiller> the idea of an extractor is pretty compelling, like it says you have to efficiently provide the witness, where the witness is all the actual data
23:12 < amiller> the technical details are baffling and unnecessarily tricky though, like it basically says "given access to compiled program code that produces a proof, there's an efficient reverse-engineering that produces the witness"
23:15 < amiller> so i wonder if there's a more indirect way to do it that's like
23:17 < amiller> rather than saying there's an extractor that extracts the witness, producing the proof using anything other than the witness is hard
23:37 < gmaxwell> it is a bit interesting that the SNARK proof is there exists a witness such that f(public,w)=x... but it doesn't directly prove that the prover knew the witness.
23:39 < amiller> "knew the witness" is really difficult to define
23:44 < amiller> it would be a really minor engineering effort to make pinocchio work for bitcoin
23:44 < amiller> like, who cares if it takes 10 minutes to make a whole blockchain proof
23:45 < amiller> per block even
23:45 < amiller> the "real world practical costs" threshold is a whole lot different if it's public data and its providence concerns a lot of people
23:45 < amiller> provenance*
23:46 < gmaxwell> You think the prover could run that fast, with a state space of several hundred megabytes?
23:46 < gmaxwell> (and ECDSA signature validation in it?)
23:47 < amiller> yeah maybe
23:47 < amiller> one of the weird things is that
23:47 < amiller> because of the algebraic structure (it's bilinear groups based on elliptic curves anyway) you get some kind of strange operations for free
23:47 < gmaxwell> well I think that would be tremendously valuable, it greatly changes our long term scaling, since we could have committed utxos and then proofs of them and nodes could hotstart without substantially degrading the security model.
23:48 < amiller> yeah it changes things about the whole chains-validating-other-chains kind of stuff too which is more deeply why i'm so interested
23:48 < amiller> so, like, it's possible that lattice based hashes or lattice based signatures would be even cheaper than it seems
23:49 < gmaxwell> eliminating storage of user provided data would also remove a lot of existential risk for us... I think it's only a matter of time before someone tries to use childporn in the historic chain as an excuse to shut down bitcoin or to force it to become centralized.
23:51 < gmaxwell> I know how to keep user provided data out of the utxo, but can't remove it historically without either proofs of validation or a reduction in the security model. ... but if the computation cost thousands of dollars to perform for the proof that's not a big deal.
23:52 < gmaxwell> (okay, well thousands would be kinda obnoxious, but it's viable)
23:52 < amiller> yeah.
23:54 < gmaxwell> by the numbers I think the majority of bitcoin users don't have a clue about security at all, and would be perfectly happy if all the rules were removed from the software and BTCguild, slush, and asicminer were just trusted to do the right thing. ... so I do worry a lot about a politically hot argument to degrade the security for expedient reasons.
--- Log closed Wed Aug 28 00:00:47 2013
--- Log opened Wed Aug 28 00:00:47 2013
00:31 < Luke-Jr> gmaxwell: maybe BFL should start self-mining. people would care about that.
00:35 < gmaxwell> Anyone able to decode something comprehensible from this:
01:55 < gmaxwell> wtf. why is most work on secure multiparty computation using a semi-honest participant attack model.
01:55 < gmaxwell> I hate academics.
07:50 < gmaxwell> amiller: did you see me yabbering about performing interactive cut-and-choose with the blockchain itself as the counterparty?
--- Log closed Thu Aug 29 00:00:50 2013
--- Log opened Thu Aug 29 00:00:50 2013
20:15 < gmaxwell> petertodd: so, generalizing the sighash flags. Imagine a tree structured transaction serialization. There are N leafs matching up to the N data values being encoded.
20:16 < petertodd> Yup
20:16 < gmaxwell> petertodd: you form an N bit vector, setting 1s for all the items you want to sign for, and then you can encode that vector by encoding run-length values.
20:16 < petertodd> Exactly what I was thinking too
20:17 < gmaxwell> e.g. if N=100 then you might code <100> to indicate all 1s.. or if you code 101111..<end> 1,98 or whatever.
20:17 < petertodd> You can further simplify it too by making the interpretation of that vector be centered on the input, so simple concatenation works.
20:18 < gmaxwell> and then you can stick on the checksig operator this runlength sequence as an input, you gather up the leafs that are matched by the mask and sort them by value.. and thats what you sign.
20:18 < gmaxwell> petertodd: you don't need to though because to support any changes you'd leave the runlength token outside of the signature.
20:18 < gmaxwell> so someone adding to the transaction would just compute another runlength token.
20:19 < petertodd> gmaxwell: Aw heck, I was thinking to simplify that compute code, but yeah, it'd probably just be easier to index from zero anyway.
20:19 < gmaxwell> But ... the downside of this is that it leaves malleability. And I'm annoyed that I see no way to preserve the flexibility I want without creating free malleability.
20:19 < petertodd> Yeah, I think that's impossible. Better to make a new system where you can sign a scriptPubKey:valout output instead.
20:19 < gmaxwell> (if you want to be complicated there are all sorts of fancy things you can do to make coding the runlength value efficient... but since you never hash it.. it's not really protocol normative)
20:20 < petertodd> *scriptPubKey:value
20:20 < gmaxwell> yea, I don't see how the malleability can ever really be completely removed unless you really heavily restrict scriptsig form.
20:20 < petertodd> Hmm... true you could actually not hash it at all, although that'd be a lot of complex changes in the scripting system.
20:21 < gmaxwell> e.g. OP_NOP <push> checksig is still valid.. so you'd have to have a rule saying you couldn't do that.  But I'm suggesting never hashing that value anywhere in the protocol.
20:21 < gmaxwell> basically I'm saying the scriptsigs for a txn would be a separate hashtree. You'd still commit it in the blockchain but it would be a separate fork.
20:22 < petertodd> Yeah, see I'm thinking s/OP_NOPn/OP_CHECKSIG2/ basically, and continuing to get the signature from the scriptSig, and continuing to hash that.
20:23 < gmaxwell> well I'm pondering how I'd completely change the transaction format to make some of the things that are clearly broken better.
20:23 < gmaxwell> e.g. the fact that fidelity bond proofs are unreasonably big.
20:23 < petertodd> Yeah, problem is you do want to preserve the backwards compatibility I think. The main thing we're missing is input values; got anything else in mind?
20:24 < petertodd> re: fidelity bonds, I just wrote a OP_CHECKLOCKTIMEVERIFY patch actually.
20:24 < gmaxwell> proof size and prunability of scriptsigs while keeping everything else (same problem) is what concerns me most w/ the current format.
20:24 < gmaxwell> even with OP_CHECKLOCKTIMEVERIFY I can't check a @#$@ single output without hashing the whole txn.
20:25 < gmaxwell> (okay, with the midstate compression perhaps you can get the last one, but that's a kludgy hack)
20:25 < petertodd> Right, and to solve that I think all you actually need is just to extend the merkle tree into the tx, plus making that merkle tree include input CTxOut's
20:25 < gmaxwell> right thats what I'm thinking about. How do you lay out the transaction so the data elements form an efficient tree... and then express the data you want to include in your hash efficiently as some masking over that tree.
20:25 < petertodd> I can't think of any other fields that are needed; maybe a per-transaction checkpoint.
20:26 < petertodd> Ah I see, yes, that's a good approach.
20:27 < petertodd> I guess the easiest would be to just number the roots of that tree, and make your RLL-encoded bitfield spit out indexes.
20:27 < gmaxwell> I think the txn global data is a version, a nlocktime, a checkpoint, and the counts and sums for the subtrees.
20:27 < petertodd> Right, sums are important.
20:27 < petertodd> Do you want a single checkpoint for the whole tx?
20:28 < gmaxwell> And the inputs have a sum tree of input data, the scriptsigs have a sumtree of sigsize bytes, the outputs have a sum tree of output value. the two sums give you the fees.
20:28 < petertodd> That's good
20:29 < gmaxwell> petertodd: I _think_ so, as they're redundant if they aren't identical, but it might make some merging complicated as you'd have to agree on the checkpoints when you include them.. otherwise the checkpoint should just become a scriptsig operator that pushes the checkpoint onto the stack of data that gets signed.
01:06 < amiller> i have a friend who basically derived this in some private conversation last year :x
01:06 < amiller> i told him i didn't know any signature scheme that could be combined that way
01:06 < amiller> it was specifically about doing red balloons where you can't strip the new fee off
01:07 < gmaxwell> amiller: for ecdsa we have public + r + s, for this we would have public + aggregate(s), but if it's used for anonymity you have to have an extra public key for each output.
01:07 < gmaxwell> and yea, this is really trivial with pairing crypto.
01:09 < amiller> yeah i ran through your elaboration and it made sense
01:09 < amiller> (i am not really checked out to read and securitize crypto but w/e)
01:09 < gmaxwell> the signature algorithm with one way aggregation is circa 2003. This poster's contribution is the idea that if you separate your spend and your output signatures would be insecure in isolation and aggregate them before announcing, you don't have linking.
01:09 < gmaxwell> Well .. it's pairing which uh. may not give everyone warm fuzzies.
01:10 < gmaxwell> because it's all based on carefully choosing groups where the decisional DH problem is trivial to solve.
01:11 < amiller> yeah also all elliptic curves were generated by j.e. hoover
01:11 < gmaxwell> man I made the mistake of making a few comments on that, and have had press calling me all week about it.
01:13 < petertodd> gmaxwell: good job
01:14 < amiller> you and matt green.
01:14 < amiller> who visits my office once a week :3
01:14 < amiller> i gave him a copper bitcoin trinket today
01:14 < amiller> if you think *you* open your big mouth....
01:14 < amiller> anyway so...
01:15 < amiller> pairings are fine w/e PBC is easy enough to use and almost fast
01:15 < gmaxwell> amiller: can you ask him what he's doing going and filling reporters' heads with the idea that the NSA can steal bitcoin with SHA256 collisions? That has to be the biggest stretch theory I've heard all week and I really wanna know how the reporter got that out of him. :P
01:15 < gmaxwell> yea PBC is pretty sweet.
01:16 < gmaxwell> one pairing operation per txn is kinda lame but it's not nonviable in the slightest.
01:17 < amiller> why not just merge all the tx
01:17 < amiller> miner makes one big ol operation
01:17 < amiller> one pairing and a dozen of the other things the third one
01:36 < gmaxwell> because the validation needs one pairing per message and public key.
01:37 < amiller> oh
01:43 < gmaxwell> (and one G2 multiply)
01:43 < gmaxwell> er GT multiply.
01:43 < gmaxwell> stupid pairing terminology.
08:50  * jgarzik continues to work on auctionpunk
08:50 < jgarzik> new sub-idea: address servers
08:51 < jgarzik> Right now, "auctiond" communicates directly with bitcoind, obtaining addresses for payments and watching for those payments
08:51 < jgarzik> If a third component existed to serve out bitcoin addresses, this auction server need never touch a wallet at all
08:52 < jgarzik> that third component could do what auctiond does now -- call bitcoind getaccountaddress -- or read from a static file of 1 million pre-generated addresses, or any other method
12:40 < HM> or if bitcoind actually talked to a database server, everything could just talk to that :P
12:59 < jgarzik> well, this is more an administrative boundary; trying to design an API around that concept.
13:00 < jgarzik> a wallet is a key management unit. people may choose to manage keys in different ways.
13:00 < jgarzik> an address server is one way to enable many different wallet configurations.
--- Log closed Sun Sep 15 00:00:39 2013
--- Log opened Sun Sep 15 00:00:39 2013
20:49 < jgarzik> basic auction server complete.  now rewriting JSON-RPC -> HTTP REST ;p
22:08 < petertodd> nifty
22:09 < petertodd> jgarzik: I'm doing some work on what I'm calling the bitcoin.chain module to handle stuff like blockchain header maintenance and what not for python-bitcoinlib
22:11 < petertodd> jgarzik: Thinking it should look something like a magical box where you can give it blockchain headers, and it figures out what's the biggest sum-work sub-chain, similar to sipa's work on headers-first.
22:12 < petertodd> jgarzik: (obviously it's ok if the box uses a pile of ram in degenerate cases... so long as the more obvious way to do it works well)
22:17 < BlueMatt> how did I end up leaving here? :(
22:17 < BlueMatt> petertodd: researching attacking tpms in what sense? dma to break txt or so?
22:17 < petertodd> BlueMatt: I guess Hogwarts expelled you.
22:18 < BlueMatt> <petertodd> There's a lot of possible attacks, but yeah, breaking memory is a big one. Of course, the big issue with even Intel's TPM stuff is that AFAIK main memory is unencrypted - rather useless.
22:18 < BlueMatt> petertodd: yea, well if you can rewrite kernel code via dma, tpm data can be read arbitrarily, essentially
22:18 < petertodd> Yup, and people overestimate how hard it is to get data out of main memory: just cool down the RAM sticks, turn off the machine, and transfer them to another machine for a cold-boot attack.
22:19 < BlueMatt> hence why txt exists (run program protected from dma, etc, where you can get new tpm status so that you can protect better)
22:19 < petertodd> IE, any application that needs sensitive data stored in RAM is insecure, making a lot of applications useless.
22:19 < BlueMatt> ofc there are (apparently) attacks against txt where you can break the IOMMU protection and then get access to the "protected" program
22:19 < petertodd> Yes, but TXT execution still leaves the program data in RAM unless you do really clever stuff with L1/L2 cache.
22:20 < BlueMatt> petertodd: see for some work Ive been doing (and am now continuing) that builds on the TRESOR store-encryption-keys-in-registers stuff
22:20 < BlueMatt> petertodd: yes, but you can get the tpm to hash the program and only allow private data to be read when you load the right program
22:20 < petertodd> Ah cool, yeah that's a nifty approach, and easier to implement than cache tricks from what I hear.
22:21 < BlueMatt> well, except for dma tricks where you just rewrite the kernel code.....
22:21 < petertodd> (note that my main TPM interest is remote attestation, for wallet stuff your type of security is probably fine)
22:22 < BlueMatt> ahh, well yea I mean you essentially need secure IOMMU limits st no hardware can write arbitrary crap to kernel memory
22:23 < BlueMatt> which is being worked on...but there are still drivers that dont do it right (hence my desire to find programmable pcie chips...)
22:23 < petertodd> I also have a project I want to do that'll just be a uC with a cheap FTDI USB<->serial chip and some very simple anti-tamper stuff to store full-disk-encryption keys, as well as provide a way to detect tamper events - the latter could be used to wipe system memory in conjunction with a in-case UPS.
22:24 < petertodd> You basically want to be sure the attacker can't plug in some hardware to a running machine right?
22:24 < gmaxwell> BlueMatt: so there are things like fpga devkits with pcie, but the pcie bus connection is some fixed logic, and may not be able to make do what you want.
22:24 < BlueMatt> petertodd: well, my threat model is how to protect against an attacker who can
22:24 < petertodd> Er, right, make sure an attacker who can can't do anything interesting. :)
22:25 < BlueMatt> petertodd: see where I build a flash drive that is smart and tries to figure out when someone is trying to read it
22:25 < BlueMatt> petertodd: yea
22:25 < petertodd> BlueMatt: Lol, yeah I saw that earlier, very nifty.
22:26 < petertodd> See, my thinking is that there's probably so much backdoor crap and exploits in standard hardware, that it'd be more productive to add more hardware to the problem, but simple hardware that we can trust.
22:26 < BlueMatt> gmaxwell: fixed bus logic there should be fine, you just have to be able to change how it reports itself to the host
22:27 < BlueMatt> petertodd: yes, a smaller trust base would be nice, but its theoretically possible to do it all properly without any custom hardware so thats what Im looking at
22:28 < BlueMatt> also: doing a wallet in tpm should be done...
22:28 < BlueMatt> wallet in intel txt would be the ultimate in security for private key storage and signing
22:28 < BlueMatt> ofc you should probably just do a hardware thingy instead, but....
22:29 < petertodd> BlueMatt: Well, they're both ideas with advantages and disadvantages so... if I build my little USB thing, think it'd be easy to write some kernel drivers/dmcrypt startup scripts to use it? I suspect it won't be a very hard project, much less than the other stuff you're working on.
22:31 < petertodd> BlueMatt: Reminds me: apparently the newer intel TXT stuff can even display things on screen securely, and take in user input from the keyboard and mouse securely, at the hardware level!
22:31 < BlueMatt> ooooooooooo
22:32 < BlueMatt> petertodd: in my case its incredibly easy because I just treat it like a flash drive and read in a sector
22:32 < BlueMatt> petertodd: thats probably one of the easiest ways (its already implemented...) and you can still do that in trusted hardware
22:32 < BlueMatt> but reading over serial shouldn't really be any harder
22:33 < petertodd> Well, remember the key idea I have is to make my USB thing actually connect to anti-tamper sensors, so when the thieves steal your server at the colo center the moment they open the case/move it the keys get wiped, yet you can still reboot it/handle power failures.
22:34 < petertodd> (or for that matter, ship it in the mail)
22:34 < BlueMatt> petertodd: you can do that in usb too...
22:34 < BlueMatt> usb with the same chip on the backend
22:34 < BlueMatt> (internal-case usb headers instead of standard A plug, probably)
20:33 < andytoshi> oh, damn, that was my first exposure to 21st century crypto, i thought maybe it was an implementation-friendly field :(
20:35 < gmaxwell> well, it's mixed. A lot of things in pairing crypto are easily implemented. E.g. I went and implemented the OWAS from that paper in under half an hour, including learning to use the pairing crypto library.
22:46 < Taek42> I had an idea for variable-speed blockchains
22:47 < Taek42> which I think would be desirable, because when you set a static rate, you can either be too slow (meaning you could go much faster)
22:47 < Taek42> or too fast (meaning that blocks happen faster than nodes can communicate them)
22:47 < Taek42> and right now, most coins seem to pick arbitrary values
22:49 < Taek42> If you count how many blocks have the same parent (as a percentage)
22:50 < gmaxwell> Taek42: amiller proposed several years ago committing to orphans to control loop the rate.
22:50 < Taek42> how was the reaction to the proposal. Also, is there a link?
22:50 < gmaxwell> Taek42: but the problem with that is it has enormous centralization risks in two different ways.
22:50 < Taek42> how so?
22:52 < gmaxwell> Say for example that 60% of the hashpower was within the east coast of the US, such a system might happily adapt itself down to 100ms blocks, and just exclude the outside world. Even if the outside blocks were enough to slow it down, the majority could just happily ignore them, since it's in their interest to keep it fast. Now, okay, perhaps you have some sensible floor to prevent this.
22:53 < Taek42> I think I have
22:53 < gmaxwell> Then you have the fact that only miners play in this scheme but the block rate is very important to clients as well. 1 second blocks would be a ~600x increase in bandwidth and cpu for SPV clients over 10 minute blocks.
22:53 < Taek42> that's only assuming that at 1% blocks the blocks (and not the transaction data) are the majority of the information
22:53 < Taek42> *at 1 second blocks
22:54 < gmaxwell> so while the miners are all getting paid for their mining and can afford fast networks, tunnels through the earth and neutrino reactor transmitters and what have you, the rest of nodes have to keep up with the flood but aren't compensated to pay for these increased costs.
22:54 < gmaxwell> and they have no control channel to express this displeasure.
22:55 < Taek42> hmmm
22:56 < gmaxwell> Taek42: why wouldn't it be at 1 second though? the system will keep speeding up until miners can't get lower latency networks, and then it will start excluding miners who are too far out, e.g. in .au. Right now there is hardly any incentive to do anything heroic about your network as a miner, but if the time kept going down as miners improved their connectivity there would be.
22:56 < gmaxwell> amiller_: perhaps has a link to his writeup.
22:57 < Taek42> Well the idea is that when you want to send money over the network you just tell a miner. I don't think faster blockrates would result in less transactions
22:57 < Taek42> unless a faster blockrate meant that non-miners couldn't verify the balance of an adversary
22:57 < gmaxwell> (uh, you know bitcoin has no balances in it)
22:57 < Taek42> I'm guessing you are saying a semantic thing
22:58 < gmaxwell> It would interfere with other nodes imposing the rules. Bitcoin is a trustless system, and part of the incentive alignment for miners is that non-miners validate their blocks too.
22:59 < Taek42> how can non-miners validate a block? I thought blocks were validated by additional blocks being mined on top of them
22:59 < gmaxwell> ...
22:59 < Taek42> bear with me
22:59 < gmaxwell> By stepping through the data and checking each piece of it against the hundreds of rules of the system.
23:00 < Taek42> oh okay
23:00 < Taek42> but say that a non-miner finds something incorrect
23:00 < Taek42> what happens?
23:00 < wyager> Mmmm
23:01 < wyager> They ignore the block
23:01 < gmaxwell> They just ignore the block forever and all successive blocks. This is what prevents a malicious group of miners from inflating the currency or stealing people's coins (which might have returns great enough to justify their misbehavior)
23:01 < wyager> You're thinking of an SPV node, Taek42
23:01 < wyager> SPV nodes verify blocks by their depth
23:01 < wyager> (right?)
23:01 < wyager> full nodes actually verify blocks
23:01 < Taek42> okay that makes sense
23:01 < wyager> Like, making sure their hash value is low enough and there aren't any illegal transactions and stuff
23:02 < gmaxwell> Bitcoin's security is predominantly autonomous zero trust, you don't trust anyone at all to the extent that that's possible. Miners' influence is strictly limited to transaction ordering, which is powerful, but hopefully limited enough to keep them honest.
23:03 < gmaxwell> (and we only trust miners for ordering because we don't have an alternative... it would be nice if physics allowed a decentralized, autonomous, and consistent ordering, but it appears not to)
23:03 < Taek42> consistent ordering might be more achievable if you implementing some sorting
23:03 < Taek42> but then miners could still pick different blocks for different transactions
23:04 < Taek42> *implemented
23:05 < gmaxwell> Taek42: sorting can't work unless you have a jamming proof network which can reach all parties in finite time. Otherwise someone can know of a transaction that others don't and the rest only learn later.
23:05 < Taek42> yeah
23:06 < gmaxwell> in any case, thats why we have mining, it solves that little problem.
23:06 < Taek42> with the current bitcoin, what happens when the transaction volume grows to a point where only miners can keep up?
23:07 < gmaxwell> But mining means bitcoin isn't like most cryptosystems, the good guys don't have an exponential advantage over the attacker, only a linear one; so that makes the economics very important too.
23:07 < gmaxwell> Taek42: it can't.
23:07 < Taek42> what do you mean by it can't?
23:07 < Taek42> suppose you reach several thousand transactions per second?
23:07 < gmaxwell> The system has hardcoded rules on the maximum size of blocks technically as absolute as the limit of 21 million total bitcoins. This means that even if the miners want to make huge blocks to stop other people from validating they can't.
23:08 < Taek42> ah
23:08 < gmaxwell> and to increase the limit requires all node software be replaced, so effectively it requires the consent of all the (remaining) users.
23:08 < Taek42> so at some point the demand for transactions could outgrow the hardcoded rule that limits transaction volume
23:09 < gmaxwell> Sure, though there are many different ways to deal with that (beyond just upping the limit, which is perhaps possible, but there is that decentralization tradeoff).
23:11 < Taek42> forgive me as I start to talk about things I don't know much about; wouldn't a more ideal currency (if theoretically impossible) not require non-miners to participate at all?
23:12 < wyager> Well an ideal currency wouldn't require miners or nodes or any of that stuff :p
23:12 < gmaxwell> Taek42: no, that's horrific.
23:12 < Taek42> that's a good point
23:12 < Taek42> why horrific?
23:12 < gmaxwell> Taek42: because then you'd have to trust miners. And the whole point of Bitcoin was to eliminate trust.
23:13 < Taek42> what if you only have to trust that 51% of miners are honest?
23:13 < gmaxwell> The ideal system would have no miners, just participants.
23:13 < Taek42> participants that don't need to keep track of the entire state of the system
23:13 < gmaxwell> Taek42: what would make them honest? Bitcoin's assumption isn't merely that most are honest.
23:14 < Taek42> what if you only have to trust that only (epsilon approaching 0%) miners are honest?
23:15 < Taek42> but I see what you are saying
23:15 < gmaxwell> Taek42: after all, the fed's employees are mostly honest. The fact that everything else gets enforced by mathematical proof with 100% strength is one of the reasons the fact that honest users don't have an advantage over attackers is perhaps acceptable.
23:15 < Taek42> with bitcoin you don't need to trust some foreign entity, you can verify the whole chain yourself
23:15 < Taek42> but the cost is a 12GB (and growing) file and some computation
23:15 < gmaxwell> no, that's not quite true.
23:16 < Taek42> expand?
23:16 < gmaxwell> You can go ahead and delete the historic blocks, they're only used to initialize new peers. (well not quite, at least not yet, if you delete them your node will work fine until a new peer tries to grab a historic block from you and then you'll crash)
23:16 < gmaxwell> you only need the chainstate to verify new blocks that come in.
23:17 < gmaxwell> and that's about 300 MBytes right now.
23:17 < gmaxwell> and grows moderately slowly (looked decidedly logarithmic before people started creating junk txouts to store data).
23:17 < Taek42> but then you have to trust the incoming chainstate
23:17 < Taek42> if you are new
23:18 < gmaxwell> Nope.
23:18 < Taek42> no?
23:18 < gmaxwell> You can build it for yourself, but not store the historic data. (e.g. you have to inspect it once, but no storage cost)
23:18 < Taek42> okay
23:19 < Taek42> you still won't know though if you are looking at the actual chain or a fork
23:19 < gmaxwell> huh?!
23:19 < Taek42> suppose you are on a malicious network
23:19 < Taek42> feeding you a set of blocks from the genesis block
23:19 < Taek42> at some point they fork
23:19 < Taek42> and create an alternate histroy
23:19 < Taek42> *history
23:19 < gmaxwell> No, you inspect headers first to decide which chain has the most proof of work. Then validate it. If you find a rule violation you blacklist that block and reorg.
23:20 < Taek42> assuming you get a block from the correct chain
23:20 < gmaxwell> No, it doesn't matter.
23:20 < Taek42> ???
23:21 < gmaxwell> Taek42: let's continue your example.
23:21 < Taek42> okay, I'll rework it a little though
14:23 < pigeons> I thought this was um, interesting or funny or weird or dangerous or something, "Moreover, the developers have purposefully introduced three security flaws into the source code that they will be releasing, as a means of encouraging the community to scrutinize the code and to prevent people from creating copies of Nxt by simply taking the source code and re-using it.  People who discover the security holes will be able to claim rewards for fin
14:23 < pigeons>
14:24 < adam3us> maaku: i was thinking maybe one could have a trusted server for simulating alts.  rent virtual "VPS" resources.  buy virtual "ASICs" and so on, the actual money goes to charity or btc QA or something. then it's green.  and it doesn't matter if it's centralized because dogecoin grade alts have largely no tx anyway.
14:25 < pigeons> there was a game that did that, but it's gone now
14:25 < pigeons> it had an internal exchange and you could make your own coins too etc and "virtually" mine them without really mining or using electricity
14:27 < adam3us> pigeons: seems like a lower energy sandbox for dogecoin, shitcoin et al play in, pity it died
14:28 < pigeons> yeah it added simulated pools when they came along and you could run your own mining pool without having to get ddossed
14:29 < pigeons> you could virtually pre-order your asics and virtually never get them
14:30 < adam3us> pigeons: fantastic
14:31 < pigeons> he sold the code before he closed to a guy who was in over his head and couldn't keep it running but i think at this point it wouldn't really help, best to just start with your own bugs instead of someone else's
14:32 < adam3us> $1k by end of year ;)
14:32 < adam3us> ?
14:36 < adam3us> heh hash rate went over 10 PH and now the format is confused 1.045E7
15:17 < nsh> someone asks in ##crypto why ripemd-160 is used for addresses rather than just a truncation of sha-256 output
15:17 < nsh> i'm not sure how to answer...
15:20 < maaku> because the great satoshi said so
15:21 < maaku> retroactive reason: because breaking sha-256 doesn't mean a break of the address format, meaning coins would still be secure
15:21  * nsh prostrates before the ceremonial altar
15:21 < nsh> mmm
15:21 < maaku> obviously lots of other things would have to change if sha256 was broken, but you could still keep the same ledger
15:22 < nsh> right
15:34 < iddo> maaku: that's not so clear, if you can do sha256 collisions then you also have collisions for Bitcoin addresses (though i'm not sure how to use it to attack), and if you can do 2nd-preimage attack on sha256 then you can steal coins if someone re-uses an address
15:37 < iddo> an answer on stackexchange says that it's just "belt and suspenders" approach:
15:39 < andytoshi> gmax suggested that using a second hash function would guarantee that addresses still have a uniform distribution, while truncated-sha is not proven to have this property
15:39 < andytoshi> well, not just the distribution, preimage resistance as well
15:40 < iddo> hmm not sure what you mean by proven, there are no rigorous proofs for heuristic constructions like sha2
15:41 < andytoshi> true, i guess what i mean is "commonly believed"
15:41 < iddo> if sha2 is computationally indistinguishable from a random oracle, then truncated-sha2 is fine
15:42 < andytoshi> sure, but this isn't true because eg there are length extension attacks
15:42 < andytoshi> which distinguish it from a random oracle
15:42 < iddo> not for sha256d
15:43 < andytoshi> yeah -- and mining even depends on sha256d looking like a random oracle
15:43 < andytoshi> so tbh i am just as confused by the ripemd usage as anybody
15:46 < maaku> andytoshi: as I said, if a weakness is found in sha256, it is more likely to be able to be applied to sha256^2 than ripemd160(sha256())
15:47 < iddo> another question is why not just use the full 256 bits of sha256d, then you get an even better benefit of 256 bits of security if you don't re-use addresses, instead of 160 bits... the drawbacks are more bloat on the blockchain, and longer addresses for people to use
15:47 < maaku> so therefore, it's more likely that the current setup would protect users even in a catastrophic break of sha256
15:47 < maaku> iddo: even 160 bits is excessive. the birthday paradox doesn't apply here
15:47 < iddo> maaku: but what if a weakness is found in ripemd-160 ... ?
15:48 < maaku> iddo: nothing happens unless a weakness is found in ripemd-160 AND sha-256
15:48 < maaku> it's additive security
15:50 < iddo> maaku: no, if you have 2nd-preimage attack on ripemd-160, then just create fresh ECDSA keypairs + sha256 hash, in a way that you get the same image (i.e. the 2nd-preimage attack) as someone else's Bitcoin address, and then steal his coins
15:52 < iddo> well actually it's not clear, depends how the 2nd-preimage attack works
15:52 < andytoshi> you'd have to get a preimage for the sha256 as well
15:52 < andytoshi> if you can 2nd-preimage SHA256 then i think you've got a problem, because if you can get the same SHA256 hash, it won't matter that you apply RIPEMD-160 on top of it
15:52 < andytoshi> but this is only a concern if you know the pubkey that you are trying to preimage
15:53 < andytoshi> pubkey whose image you are trying to duplicate*
15:54 < andytoshi> but until you spend a coin with a certain address, you don't expose the pubkey (or even its SHA256 hash), so you're ok in the case of no address reuse
15:54 < iddo> if you just find 2nd-preimage of random pubkey, then it wouldn't help you because you wouldn't know the corresponding privkey
15:55 < andytoshi> oh, right, derp
15:57 < iddo> i actually don't really see how either sha2 or ripemd 2nd-preimage attacks can be done in this context (i.e. in the context where you create random-looking pubkeys that are supposed to be the preimage, by invoking the ECDSA keygen)
19:02 < nsh> oh
19:03 < nsh> andytoshi / gmaxwell: thinking back to the question of the factor of 8 in curve25519 scalars, could it be to do with the square property of x coordinates?
19:04 < nsh> --
19:04 < nsh> Firstly, since the field is only 255 bits, the 256th bit is always zero. Thus if an attacker sees a series of 32-byte strings where the top bit of the last byte is always zero, then they can be confident that they are not random strings. This is easy to fix however, just XOR in a random bit and mask it out before processing.
19:04 < nsh> Secondly, the attacker can assume that a 32-byte string is an x coordinate and check whether x^3 + 486662x^2 + x is a square. This will always be true if the strings are x coordinates, by the curve equation, but will only be true 50% of the time otherwise. This problem is a lot harder to fix.
19:04 < nsh> --
19:04 < nsh> (probably not, but it just came back to mind while reading that page)
19:06 < nsh> "Square roots are defined in the standard way for finite fields where q
19:07 < nsh> (eight is a rather low number for which to ascribe meaning to coincidence, i know...)
19:35 < andytoshi> nice find nsh, i dunno, i'll have to study this
19:36 < andytoshi> it looks to me that this is about disguising x coordinates, which isn't a goal of plain old ed25519
19:36 < andytoshi> eg they have bit 254 always set, which is a pretty obvious tell
19:38 < nsh> right
19:38 < andytoshi> also iirc we are talking about privkey encoding anyway, which is not broadcast
19:39  * nsh nods
19:39 < andytoshi> otoh, the square property of x coordinates could very well be involved with the factor of 8, i don't know
19:39 < nsh> yes, maybe very vaguely
19:39 < maaku> anyone asked DJB?
19:40 < nsh> no, i was going to tweet him
19:40 < andytoshi> no, i think everyone here is intimidated by him :P
19:40 < nsh> but he doesn't use twitter that extensively. might be better to email him
19:40 < nsh> oh, i don't have that problem :)
19:40 < andytoshi> :)
19:40 < nsh> i fell in the contempt couldron as an infant and the potion had a permanent effect
19:41 < nsh> cauldron*
19:41 < maaku> well it'd spoil the puzzle anyway :)
19:42 < andytoshi> haha
22:38 < warren>  interesting how they count #2
22:44 < phantomcircuit> warren, XRP is an altcoin with bad security
22:44 < phantomcircuit> and a totally fucking HUGE premine
22:45 < warren> phantomcircuit: they included the entire premine in that "market cap"
22:46 < gmaxwell> of course they did, it's part of the market cap.
22:47 < gmaxwell> I dunno how else you'd calculate it.
22:51 < phantomcircuit> warren, the premine is already on the network
22:51 < phantomcircuit> that is a reasonable way to calculate the market cap
22:52 < BlueMatt> it'd be nice if they showed market depth too, though
22:52 < phantomcircuit> however XRP is very illiquid
22:52 < phantomcircuit> so that doesn't mean much of anything
23:01 < phantomcircuit> BlueMatt, nearly all of the bids are for the exact same amount of btc
23:01 < phantomcircuit> 0.2625
23:02 < phantomcircuit> which tells me they're fake bids
23:02 < CodeShark> market caps in general for any of these coins is not particularly meaningful :)
23:02 < CodeShark> you need to take depth into account
23:03 < CodeShark> but these numbers do sound impressive, nonetheless
23:03 < CodeShark> so they do have press value
23:04 < maaku> yeah market cap is totally useless
23:04 < maaku>
23:04 < CodeShark> lol
23:06 < BlueMatt> phantomcircuit: even still, the market depth is significantly lower than btc, which should be shown there
23:07 < CodeShark> a meaningful statistic would be, say, how much you could get in dollars if you currently held 10% of it and sold it right now
23:07 < BlueMatt> maaku: lol, nice
16:19 < gmaxwell> yea, fair enough.
16:20 < maaku> nsh: yeah actually the coincovenant thread is basically a listing of what you could do with a turing-complete script language and introspective builtins
16:21 < maaku> the snark is just a really cool addition
16:21 < gmaxwell> Yea, I think nothing there requires the snark except for efficiency.
16:21 < gmaxwell> might be good to add some examples that need zero knowledge
16:25 < maaku> petertodd gmaxwell: btw didn't mean to take credit for this old idea. i thought nsh meant the benefits of using Joy
16:27 < nsh> i'm curious in general and specific :)
16:27 < petertodd> I'm curious if joy brings us any joy.
16:32 < maaku>	cdr=-\
16:32 < maaku> 6jm
16:32 < maaku> sorry
16:33 < petertodd> maaku: glad to see you have (formerly) strong passwords
16:33 < maaku> haha, toddler found my keyboard
16:33 < maaku> gmaxwell: well there are bounties. you'd need a zk proof to safely claim a sha256 collision
16:35 < maaku> you can even design a covenant which forces revelation if the coins are to be actually used
16:35  * petertodd says hi to little maaku
16:36 < sipa> cdr-=\   -> that's actually potentially valid C code
17:34 < pigeons> adam3us: I just saw uses hashcash to generate a token before you can submit
18:05 < jtimon> ok, so I need a name for the TC merklized extrospective scripting extension I just understood hours ago
18:06 < jtimon> otherwise "the new thing" is taken and I cannot learn or think about anything else new to me
18:06 < sipa> tc?
18:07 < sipa> extrospective?
18:07 < nsh> turing complete, no idea
18:08 < nsh> network-external inputs maybe
18:08 < jtimon> tc = turing complete
18:09 < jtimon> extrospective = you can reference the scripts in the outputs of future transactions, parts in them, and maybe also the current utxo and the block header
18:09 < petertodd> jtimon: that's a pretty good description IMO
18:09 < jtimon> something outside the script itself
18:09 < jtimon> thank you
18:10 < petertodd> jtimon: more than current utxo too, but likely committed data of some kind within (to be clear)
18:11 < jtimon> although joy is a new addition and not necessary for the idea I like joyScripts, although I also like quineScripts, and we could also just maintain coincovenants  (although not all uses use quines/covenants)
18:14 < jtimon> petertodd, you mean previous data in the chain? I guess it could work if people provide proofs to the miners, but for some reason I haven't found yet, that intuitively scares me
18:14 < jtimon> also I don't know any use et neither
18:14 < jtimon> *yet
18:15 < petertodd> jtimon: well, there's the model where it's proof based, referencing the prevblock hash, or you can have a model where miners are expected to actually have some set of data on hand. (that could take a lot of potential forms)
18:16 < jtimon> stateless validation is very attractive
18:17 < jtimon> I'm not sure what you mean by referencing the previous block hash
18:17 < gmaxwell> any stateful process can be reduced to a stateless one just by gathering up the state and presenting it as an input.
18:18 < petertodd> jtimon: IE, make your script take a proof in the form of a merkle path to the prevblockhash
18:18 < jtimon> petertodd: what kind of committed utxo are we assuming if any?
18:19 < petertodd> jtimon: could be a lot of forms, could be a committed MMR TXO too
18:19 < jtimon> I see, just one of them
18:20 < petertodd> jtimon: well, you can do both if you really want :P
18:20 < petertodd> jtimon: and actually, if you do expiration, both could make a lot of sense
18:21 < jtimon> well, I think expiration would be necessary for your TXI thing, but I don't know much about MMR
18:23 < jtimon> the advantages and stuff, I just read that once but I don't remember the motivation
18:23 < jtimon> I'm going to read again
18:24 < jtimon> but maybe a hybrid committed expired-TXI + UTXO would make sense too?
18:24 < petertodd> exactly
18:24 < jtimon> oh, I see
18:24 < jtimon> you use the MMR structure for the TXI ?
18:25 < petertodd> one interesting thing is that you probably want the PoW algorithm to be tightly coupled to some subset of blockchain data - perhaps the last year/GB of it - so a PoW on the UTXO set is an attractive idea
18:25 < petertodd> right, for long-term MMR works really well
18:26 < petertodd> note that when I say "UTXO" set that doesn't necessarily mean it the way you would mean in bitcoin - for some extrospective scripting consensus system your utxo set might mean a lot of things that may or may not be coins
18:27 < jtimon> to be honest, I'm thinking in freimarket's utxo
18:27 < petertodd> e.g. the absolute extreme you can take this idea is for the system to be essentially a key-value global consensus, where keys are H(script) and values the output of those scripts (basically)
18:27 < jtimon> with asset types, unique bitstrings...
18:27 < petertodd> yup
18:28 < petertodd> and mastercoin needs to look something like that if it's going to be useful
18:28 < jtimon> well, values also have refHeight for interest/demurrage and I guess some other minor details
18:28 < petertodd> right
18:29 < jtimon> why " you probably want the PoW algorithm to be tightly coupled to some subset of blockchain data"?
18:29 < petertodd> my extreme example, which I guess I could call MetaCoin, could be done such that the scripts themselves are what define consensus currency systems within MetaCoin
18:29 < petertodd> jtimon: because you want there to be incentive for miners to actually publish the contents of the blocks they mine, rather than just headers
18:30 < petertodd> jtimon: basically with stateless validation you can wind up with miners having no blockchain data at all, and then find out that only a single party has the data, and hence can assist others in creating transactions (or no-one has the data and the coin gets stuck!)
18:30 < jtimon> an interesting thing is that with unique tokens, you have effectively a per-asset namespace that you can use as generic key/value store
18:31 < petertodd> jtimon: yes, *but* that's only useful if either multiple values can be associated with a single key, or the keys are scripts
18:32 < petertodd> jtimon: see, you can view a decentralized consensus system's blockchain as a weird type of cryptographic accumulator - it's easy enough to create a proof that some tx-thing existed or didn't exist in that chain, but you must have blockchain data to update (and create) those proofs
18:32 < jtimon> but the holders could take care of keeping their data, no?
18:33 < gmaxwell> how can you keep data if miners aren't even sending you enough to update your copy?
18:34 < petertodd> gmaxwell: well, remember how with MMR TXO you can get transactions mined with the assistance of third-parties who create the txin proofs for you? of course, with the txin proofs, miners with no blockchain data at all can safely mine the txs
18:35 < petertodd> gmaxwell: hence, you can wind up with a system that appears to work just fine, until one day you realize only one entity has a copy of some or all blockchain data - even worse if you've got some sharded (U)TXO set scheme going on
18:35 < jtimon> gmaxwell I thought your part of the trie in which your data resides cannot be modified if not by you, maybe I misunderstood something about maaku's updatable structure
18:36 < jtimon> I also don't understand this sentence "that's only useful if either multiple values can be associated with a single key, or the keys are scripts"
18:36 < petertodd> jtimon: yeah, but what forces miners to actually publish the content of blocks to other miners? nothing
18:36 < petertodd> jtimon: e.g. with my "one entity has a copy of the blockchain" example, miners could be just sending their blocks to that entity, but not to each other, and the system will appear to work just fine
18:36 < petertodd> jtimon: maybe that happens due to laziness, maybe due to sybil attack, who knows?
18:37 < jtimon> they need to publish the new root of the trie, and they want other miners to believe them, so they will send all the proofs they used to update the tree
18:37 < petertodd> jtimon: in a sharded system, it means you can 51% attack some *subset* of the (U)TXO space, likely with less than 51% of hashing power
18:37 < gmaxwell> jtimon: your own coin could only be modified by you, but all the neighboring branches can be modified by the holders of 2^levels-up coins.
18:38 < petertodd> jtimon: nope. Miners will lose money if they mine invalid blocks, so we can trust them not to do that 95% of the time, and it's in your incentive to very quickly mine the longest chain so you're not wasting your time...
18:38 < petertodd> jtimon: and if tx's can provide proof that they are valid to include in a block, all the better!
18:38 < jtimon> you're trying to explain to me the problem of relying on archive nodes
18:39 < petertodd> jtimon: or hell, imagine some scheme where we're using SCIP moon magic so that miners can prove their blocks *are* valid
18:39 < petertodd> jtimon: roughly speaking, but it's really even deeper than that
18:39 < jtimon> I thought that wasn't a problem with maaku's latest updatable utxo design
18:40 < petertodd> jtimon: no it is, it's just not as likely to be an actual problem as some sharded blockchain scheme.
18:40 < petertodd> jtimon: mainly I'm interested in solving that because I think it's an important part of making consensus schemes more scalable
18:40 < jtimon> miner 1 receives all the proofs it needs from regular users to update from UTXOn-1 to UTXOn
18:41 < jtimon> he sends the mined block and all those proofs to all miners
18:41 < jtimon> I'm still missing the problem
18:42 < petertodd> it's simple: what forces him to actually send those proofs to other miners? they can mine just fine without them, and have incentives to skimp on doing proper validation
18:42 < jtimon> you said it yourself " Miners will lose money if they mine invalid blocks"
13:56 < petertodd> Yeah, then the proof-of-bitcoin-sacrifice version of namecoin basically removes the "coin" part of namecoin.
13:57 < amiller> so the attacker is assumed to have a bounded budget *in bitcoins*
13:57 < petertodd> Exactly
13:57 < amiller> and namecoin transaction fees are paid in bitcoins?
13:58 < amiller> and they are paid to miners who sacrifice their own bitcoins in return for the transaction fees such that those balance out?
13:58 < petertodd> Well... there aren't really transaction fees in this model. Blocks are then just lists of keys and values, potentially with signatures if you make a system where the initial key-value setting includes a pubkey for additional settings. (as namecoin does)
13:59 < petertodd> It also means the blockchain can be organized as a directed acyclic graph, with priority given to key-value entries in block with the highest total sacrifice.
13:59 < amiller> well what is the attacker's budget related to?
14:00 < petertodd> Because each block is associated with a sacrifice, the attacker's budget is to outspend all the sacrifices already made for the existing blockdag.
14:01 < amiller> what is the incentive for creating a sacrifice?
14:02 < petertodd> Doing so lets you make a block with key-value associations.
14:02 < petertodd> What's interesting, is the amount of sacrifice can be set low until an attacker comes along.
14:02 < amiller> is there no incentive for sacrifice?
14:03 < petertodd> Ha, yes, other than outspending an attacker!
14:03 < petertodd> *Socially* the system really needs ways for interested parties to easily get together and create a sacrifice.
14:03 < amiller> so it would be a bit like bitcoin without mining fees
14:03 < amiller> without blockreward
14:03 < amiller> just blocks and pow and no reward
14:03 < petertodd> Like an assurance contract, but that's tricky
14:03 < petertodd> Yup
14:04 < amiller> ok
14:04 < amiller> so the fundamental difference really isn't about substituting work for coin, but substituting incentives for no-incentives
14:05 < petertodd> For instance, if I were to register petertodd.zookv, I'd probably sacrifice 1BTC because, why not? Now in doing so, I'd make all prior blocks 1BTC more difficult to re-write.
14:06 < petertodd> See, namecoin is interesting here. Why would a miner mine namecoin? To get namecoins which will hopefully be valuable in the future because they can be used to register names.
14:06 < petertodd> There was a *lot* of speculation going on in the namecoin space...
14:06 < amiller> could i do something like
14:06 < amiller> sacrifice 0.00000001 btc for a ton of names
14:06 < amiller> and then one 10 btc block on top
14:06 < amiller> and then it would take 10btc to reverse any of the names
14:07 < petertodd> Exactly
14:07 < petertodd> See, you can also do key-value without a blockchain, where what is the canonical mapping is simply the highest sacrifice.
14:07 < petertodd> But I suspect that has bad social properties...
14:08 < amiller> so lets say i buy a name
14:08 < amiller> for a 0.1 or something
14:08 < amiller> if someone else buys it for 0.11
14:08 < amiller> i still lost my 0.1 right
14:08 < amiller> it was sacrificed in bitcoin and so gone forever
14:08 < petertodd> Yeah, in a non-blockchain version of k-v that's exactly what happens.
14:09 < amiller> what if auction sites worked that way
14:09 < amiller> like on ebay
14:09 < amiller> you can bid on an item
14:09 < amiller> and you lose that much money even if you get outbid
14:09 < petertodd> In a blockchain version, you'd have a rule where the first k-v created includes a pubkey, and subsequent modifications require a valid signature. (up to some expiration time or something)
14:09 < amiller> and every time you bid higher you lose the sum of all of your bids
14:09 < petertodd> There's gotta be a whole whack of economic analysis on that kind of auction...
14:09 < amiller> doesn't it seem like a horribly perverse auction
14:10 < amiller> i don't know how to say specifically what is wrong though
14:10 < petertodd> It does, which is why I think a blockchain/dag based system where you build on each other's sacrifices is the only sane way to do it.
14:10 < amiller> ok let me try to understand how that would work
14:11 < amiller> (i'm trying to piece together the parts above where you mentioned it, but please start again on explaining the dag version?)
14:12 < petertodd> The dag version just has a rule where if two blocks have a set of k-v settings that don't conflict, they can be merged back together to form canonical history.
14:13 < petertodd> Because these are sacrifices, it's good to ensure that people won't lose their sacrifice just because someone else made one at the same time.
14:13 < amiller> i see
14:14 < petertodd> The other key detail, is that building on each other's sacrifices gives a strong incentive to broadcast them.
14:15 < amiller> if i pretend that there's no latency and nothing happens at *exactly* the same time then the dag isn't any different than the first way
14:15 < petertodd> Sure, the dag is just to get around the fact that there is latency involved. Potentially multiple blocks worth of latency in the case of announce-commit sacrifices.
14:16 < amiller> so if it has some undesirable economic property even with no latency it's still present even with the dag
14:16 < amiller> i'm trying to think of how to approach analyzing this economically...
14:16 < amiller> normally in auctions the design is to get the best price for the auctioneer
14:17 < amiller> and people participating in the auction usually make a decision like
14:17 < petertodd> Ok, so think of it this way: we want the system to provide the best rewrite security, especially over time, for the purchaser of the k-v map.
14:17 < amiller> basically they have to have a maximum amount of money they would pay to own the item
14:18 < amiller> and then the system lets them express that
14:18 < amiller> because if the price of the item is above what they'd pay then they don't get it and they don't lose money
14:18 < amiller> if it's below or equal what they pay then they might get it
14:19 < petertodd> Yes, excellent! So by including a rule where k-v maps only come into effect after n blocks, you just need to watch the blockchain, and if it looks like someone else is trying to rewrite history you can stop them with a further sacrifice.
14:20 < amiller> i wouldn't bother if i think it's probably someone else's problem and it's not worth it to me, there's a public good contribution thing going on there
14:21 < petertodd> Yup, and it's easy to determine if it's someone else's problem too. Yet if that someone else further ups the sacrifice amount, they've helped you anyway.
14:21 < amiller> how might i decide how much it's worth it to me
14:21 < amiller> like
14:22 < amiller> maybe i get some kind of income for every day that the name points to me
14:22 < amiller> like if someone hacked my business url then i'd sue for lost business damages proportional to how many days it was broken or something like that
14:22 < petertodd> Well, if you're running silkroad.zkv...
14:25 < amiller> hm
14:25 < petertodd> What's really interesting, is if the dag structure ensures that only conflicting keys in conflicting blocks are ignored, but the rest of the mapping is left untouched, if, say, the system gets used and early on silkroad.zkv is registered, a later rewrite history attempt can replace it, but every other mapping will have been strengthened by the attack.
14:26 < amiller> oh so
14:26 < amiller> so i buy for 0.1
14:26 < amiller> a few days later 100btc in total have been sacrificed *on top* of that
14:26 < amiller> so now the cost to an attacker to rewrite me should be 100.1 and i'm pretty safe
14:26 < amiller> *but*
14:27 < amiller> the attacker could *just* rewrite mine for 0.11 and merge along with everything else
14:27 < amiller> so it would only cost him 0.11 to rewrite me? in that case i'm not very safe
14:28 < petertodd> Nope, the attacker would have to spend >100.1 BTC to rewrite yours, but if he does, any k-v setting that he didn't try to rewrite now takes >200.2 btc to rewrite.
14:28 < amiller> could i just register all the names all at once
14:29 < amiller> maybe it would be helpful to make a simulation or demo of this
14:29 < amiller> a board game
14:29 < petertodd> Of course you could. You probably want, at least initially, for the rules to include a namecoin-like minimum sacrifice amount.
14:29 < petertodd> Like 0.1BTC per k-v initial setting.
14:29 < amiller> my intuition is that this is an absolutely horrible idea but i'm trying to be methodical :p
14:30 < petertodd> Heh, my intuition is that this is an absolutely horrible idea, but the alternatives may be worse.
14:30 < amiller> that *there are worse alternatives* i'd agree with :)
14:30 < petertodd> lol
14:31 < amiller> i still have high hope though for something really good
14:31 < petertodd> I really don't like how namecoin became mainly a speculative thing, but such is life.
14:31 < amiller> yeah, same
14:31 < amiller> i think it's really important
14:31 < amiller> it's actually the best other-than-money application i can think of for public crowdsource networks like generalized bitcoin
14:31 < petertodd> For sure, and not just for DNS names.
14:32 < amiller> i guess it's not a good sign if i can't even think of a clear way to say that this scheme is deficient in some way
14:32 < amiller> this is really tricky to analyze
14:32 < petertodd> I think the thing is from a *technical* point of view it obviously works. But does it work socially? Hard to say.
14:33 < petertodd> Speaking of, something I didn't say to you is blocksize - I think there needs to be a mechanism where blocks in the scheme are either directly limited in size, or for the data to get progressively less important as the size goes up somehow.
14:34 < petertodd> Also the sacrifice should be calculated per byte consumed.
13:38 < adam3us> gmaxwell: well a base point could be generator of the full group, i think (if they chose it that way?); and that may explain the 8s that appear in the verification relationship perhaps.
13:54 < maaku> gmaxwell: what's the context of "expensive validation" - my script musing on #bitcoin-dev?
13:54 < gmaxwell> maaku: yea
13:55 < maaku> well in some of the applications i'm imagining it could be more efficient to validate a message signature than a transaction
13:56 < maaku> so, you could sign the transaction itself as a message, efficiently proving you have the inputs, and then get gray-listed if the actual validation fails
13:57 < maaku> e.g. the script is "if real-transaction then <complicated covenant code> endif <standard pubkeyhash script>"
13:58 < maaku> i would like a better method though
14:00 < maaku> you could require something like the above if the (explicit) instruction count is greater than some normal-use threshold
14:02 < maaku> pigeons: ;;cjs
14:02 < maaku> ;;cjs
14:02 < gribble> Coinjoin Status: There is no currently open session. Visit or http://xnpjsvp7crbzlj3w.onion/ to start one.
14:02 < maaku> andytoshi: but it'd be nice if there was an announcement when a new session started
14:05 < adam3us> gmaxwell: so i was musing an analogous argument to pegged side-chain security (cant inflate supply of main chain) could be used to introduce SNARKs + committed-tx or some variant of it in a zero-coin like zerotrust mixer on the main chain
14:06 < michagogo|cloud> Anyone have a link to andytoshi's cj client?
14:06 < adam3us> gmaxwell: or perhaps more simply, just make a zerocash snark as a reference example of a pegged-side chain (though i note even green put a disclaimer in his talk that this is a bit bleeding edge and could have problems)
14:06 < EasyAt> maaku: Couldn't I send a bogus TX that has a ton of operations to verify to chew through processing power?
14:07 < adam3us> gmaxwell: which seems kind of ironic (proposing to integrate zerocash in the pattern in which zeroin was proposed), now that zerocash is proposed as an alt.  (and I and Hal were more excited about moving zerocoin into its own alt)
14:08 < EasyAt> You would have to do a ton of ops before you realize the TX isn't valid
14:09 < maaku> EasyAt: yes, which is why as I said above you might require that the owner provide a quick-verifying signature over the transaction of the expensive inputs
14:09 < maaku> so you know the transaction came from him
14:09 < adam3us> anyone how big is the UTXO set if compacted now?
14:09 < maaku> and then gray-list the inputs if the validation fails
14:09 < maaku> adam3us: gettxsetinfo or something similar
14:10 < maaku> EasyAt: then it at least becomes expensive to perform DoS
14:11 < michagogo|cloud> [off]test
14:12 < michagogo|cloud> Oh, are the logs not live?
14:12 < EasyAt> maaku: What do you mean by gray list?
14:12 < maaku> e.g. only pay attention to transactions with inputs that have less than 20 instructions, *or* transactions enveloped with a less-than-20-ops signature for the expensive inputs
14:13 < maaku> gray list would be a list of inputs you no longer relay transactions for, maybe for a period of time or require higher fees
14:14 < andytoshi> michagogo|cloud: source is at
14:14 < andytoshi> michagogo|cloud: windows build at
14:15 < michagogo|cloud> thanks
14:15 < gmaxwell> andytoshi: about 300 mbytes.
14:15 < gmaxwell> oops
14:15 < gmaxwell> adam3us:
14:15 < michagogo|cloud> " is not commonly downloaded and could be dangerous."
14:15 < andytoshi> gmaxwell: !!!! ;)
14:15 < gmaxwell> bitcoind  gettxoutsetinfo
14:15 < gmaxwell> { "height" : 280494, "bestblock" : "00000000000000024c41edbc27cb0d093b593a47030b886fade01f9d19b8047a", "transactions" : 2597060, "txouts" : 8350183, "bytes_serialized" : 293414423, "hash_serialized" : "ca53e5d3a59fc7a3dca134cce6942c2af5d85c2ce21d985c8b06526e795faf74", "total_amount" : 12262214.79395749
14:16 < gmaxwell> }
14:16 < andytoshi> michagogo|cloud: populism is not security, your browser uses faulty assumptions
14:16 < michagogo|cloud> andytoshi: I know
14:16 < michagogo|cloud> I wasn't ascribing any meaning to that thing
14:16 < michagogo|cloud> Just wanted to let you know Chrome was flagging it
14:16 < gmaxwell> what a shitty thing
14:16 < andytoshi> ok, good to know
14:16 < andytoshi> chrome should really be flagging windows..
14:16 < gmaxwell> I bet if you throw the same binary on github you get no warning.
14:17 < michagogo|cloud> btw, I assume it uses RPC?
14:17 < michagogo|cloud> Which calls?
14:17 < michagogo|cloud> (i.e. can it work on 0.8.6?)
14:17 < andytoshi> michagogo|cloud: listunspent, createrawtransaction, decoderawtransaction, signrawtransaction, getaddress, walletpassphrase
14:17 < andytoshi> i think those are fine
14:18 < gmaxwell> also gettxout
14:18 < andytoshi> oh, gettxout, dumpprivkey
14:18 < gmaxwell> you might want to use getrawchangeaddress  but I think its git-only.
14:18 < gmaxwell> perhaps try getrawchangeaddress and if it isn't there, use getnewaddress?
14:18 < michagogo|cloud> In about 7 minutes when my 0.8.6-compatible blocks and chainstate finish copying over I'll see
14:19 < andytoshi> gmaxwell: what is the difference?
14:19 < gmaxwell> andytoshi: change addresses get hidden in the transaction list. But perhaps not. actually nevermind that if you do that people will spazz.
14:20 < gmaxwell> though .. actually you really should have a feature to let the user specify recipient addresses for the CJ outputs. (Personally I send my CJ outputs to offline wallets!)
14:21 < andytoshi> gmaxwell: agreed, my original UI sketch had such a thing
14:21 < andytoshi> but it's hard to design a UI for that non-intrusively
14:21 < michagogo|cloud> andytoshi: Hm, it doesn't seem to be launching
14:22 < michagogo|cloud> The process is ther, but just sitting at 164K of memory
14:22 < michagogo|cloud> there*
14:22 < andytoshi> michagogo|cloud: any output?
14:22 < michagogo|cloud> and not visibly opening anything
14:22 < andytoshi> my guess is that it's stalled pinging my server..
14:22 < michagogo|cloud> Oh, that's why
14:22 < michagogo|cloud> I don't know why it took so long to show up
14:22 < michagogo|cloud> "Our information on this file is inconclusive."
14:22 < andytoshi> oh, weird, it's quick for me (and i'm a good 2500km from the server)
14:23 < michagogo|cloud> "We recommend not using this file unless you know it is safe."
14:23 < gmaxwell> well it does connect to the remote server at startup.
14:23 < andytoshi> oh fuck windows
14:23 < michagogo|cloud> andytoshi: Nah
14:23 < michagogo|cloud> Not Windows, security software
14:26 < adam3us> gmaxwell: so that is 275MB vs 13GB for utxo vs txo about 2%
14:27 < gmaxwell> more like vs 16G.
14:28 < adam3us> gmaxwell: oh i thought jgarzik said his torrent was 13G
14:28 < gmaxwell> adam3us: sipa did some charts a long time ago, utxo size looked to be ~log() the blockchain size.
14:28 < gmaxwell> the torrent doesn't take it up to tip.
14:29 < adam3us> gmaxwell: (sending email cc green re contact from the other crypto guy mentioned in PM, i thought I'd take the opp to correct his 16GB bitcoin vs 1.2GB zerocash claim;)
14:36 < michagogo|cloud> andytoshi: eww, always-on-top?
14:37 < nsh> you don't get anywhere in the dog-eat-dog world of windowing systems by ceding your platform
14:39 < andytoshi> michagogo|cloud: what is always on top?
14:39 < michagogo|cloud> The cj client
14:39 < andytoshi> really?
14:39 < michagogo|cloud> Yes.
14:40 < maaku> who doesn't like it on top
14:40  * michagogo|cloud
14:40 < andytoshi> oh, oops, i had gtk_window_set_keep_above () in there
14:40 < andytoshi> i didn't notice because i don't use a floating WM
14:40  * gmaxwell xmoand user unaffected
14:40 < michagogo|cloud> ;;google xmoand
14:40 < gribble> [Arena PvP] Xmo and Xtk 2v2 - Forst Mage/Mage pt 1 - YouTube: <>; Xmo and Xtk TCB Double Frost Mage 2v2 Arena Part 1 - YouTube: <>; Xmo and Xtk 2v2 Act II Double Frost Mage 2v2 Arena Part 1 - YouTube: <>
14:41 < gmaxwell> yea, srsly. y'all use a floating window manager? sucks to be you.
14:41 < jtimon> xmonad?
14:41 < andytoshi> ....and a thought gmaxwell had a floating WM :P
14:41 < michagogo|cloud> And
14:41 < michagogo|cloud> Ah*
14:41 < andytoshi> michagogo|cloud: thanks much for testing, you are the first person with a normal system to have done so
14:41 < gmaxwell> No, I use xmonad.
14:41 < andytoshi> i'll refresh the build
14:42 < jtimon> hehe, I tried some tiling VM but I left it due to a lack of time for config
14:42 < gmaxwell> (I was happy I didn't need to report problems with the tiling wm, I guess I know why now)
14:42 < jtimon> I will definitely try again though
14:42 < gmaxwell> jtimon: to configure xmonad is very simple.
14:42 < gmaxwell> You join #haskell and nice people do it for you.
14:42 < jtimon> I shouldn't have started with ratpoison, but the name was so cool
14:42 < nsh> senate judiciary hearing on NSA started 10m ago
14:42 < michagogo|cloud> andytoshi: Is there a way to cj on testnet?
14:42 < nsh>
14:42 < jtimon> the two I used more were i3 and qtile
14:43 < michagogo|cloud> ;;tcjs
14:43 < gribble> Error: "tcjs" is not a valid command.
14:43 < michagogo|cloud> ;;cjst
14:43 < gribble> Error: "cjst" is not a valid command.
14:43 < andytoshi> michagogo|cloud: yeah, there is a cjconfig.conf file
14:43 < nsh> (Cass Sunstein currently summarizing review panel findings)
14:43 < gmaxwell> nsh: what did they find?
14:43 < andytoshi> in cjclient/, wherever Bitcoin/ is
14:43 < michagogo|cloud> andytoshi: What's the URL for the testnet page?
23:41 < petertodd> andytoshi: also the real importance of chainstate is being able to produce compact proofs that rules were violated
23:42 < gmaxwell> andytoshi: if the chainstate is committed then you could have a full validating node without even storing the chainstate, but at the cost of txns having to carry chainstate proofs. (just hashtree fragments)
23:42 < andytoshi> ok, i see, did not realize that bandwidth would be hit so hard -- i was looking at "download 20gb of old transactions and validate them" as being much more overwhelming
23:43 < gmaxwell> and it's orthogonal to if you hot-started or not. If you hotstart without something like a snark proving chainstate faithfulness you reduce full nodes to SPV security e.g. miners could potentially inflate the coin.
23:43 < andytoshi> well, you might keep the last few weeks of actual blocks so that miners would need to outcompute the network for a long time to do that
23:43 < gmaxwell> and using a snark to prove a full chainstate fidelity isn't technically feasible yet, I think. though perhaps we're close if you skip the script evaluation.
23:45 < gmaxwell> andytoshi: but keep in mind in doing that you change the incentives completely. so the analysis isn't simple. E.g. if non-miner full nodes didn't check the generated amount, would miners just all set their generated coins to 100 and leave them there?
23:45 < grau> checkpoints skip script evaluation
23:45 < gmaxwell> grau: we're going to remove that in bitcoin-qt almost certainly after headers first, and even there there is a commandline switch to reenable.
23:46 < gmaxwell> and miners don't set checkpoints.
23:46 < andytoshi> gmaxwell: presumably at all times non-miner full nodes have the past ten days or so of blocks (and they'd be dropping them), so there'd never be a window when people weren't validating the latest blocks
23:46 < gmaxwell> Basically the point there is that if miners can get themselves a blank cheque its a very different set of incentives than we currently have.
23:48 < grau> I think it will be miner keeping check on each other not user
23:48 < gmaxwell> andytoshi: sure, you just have eluria and slush (>>50% of the network) agree to do a 10 day reorg that harms nothing but gives them 10x the coins. Why not? it's tricky. And then why would people keep 10 days?  0 days is enough until the attack actually happens. Let someone _else_ take the cost of preventing the attack.
23:48 < gmaxwell> BlueMatt [~BlueMatt@unaffiliated/bluematt] has quit [Ping timeout: 260 seconds]
23:48 < grau> user will move to SPV, even merchants may
23:48 < gmaxwell> oops missate there.
23:48 < andytoshi> grau: then there's an incentive to conspire/collaborate and this leads to pool centralization
23:49 < andytoshi> ah, now i see the incentive problem with what i suggested
23:49 < gmaxwell> grau: there are only two or three people in the world required to achieve >50% control of hashrate.
23:49 < gmaxwell> (and one of them (the guy) has physical control of most of his hashrate directly)
23:50 < andytoshi> ugh, this is so frustrating, i had this massive blind spot in my analysis of pruning schemes
23:50 < andytoshi> if only i could convey that feeling to the alt-chasers..
23:50 < gmaxwell> grau: trusting miners is a pretty terrible idea, far worse than trusting the fed. At least the fed has a sea of regulations and public identity regulating its behavior.  Miners are anonymousish, fully self selecting, unregulated, etc.
23:50 < grau> gmaxwell: assuming 2-3 would and use it to inflate coins. This could be surfaced by anyone and would destroy trust in the currency and that possibility would keep them from doing that.
23:51 < gmaxwell> and if you regulate them, then you just undermine the system in a different way.
23:51 < gmaxwell> Instead they can be regulated _naturally_ by the system how it was designed: but not trusting them any more than the absolute minimum needed.
23:51 < gmaxwell> (by having full nodes that impose the rules)
23:51 < Luke-Jr> BlueMatt: anyhow, maybe you misread what I said. I said you *are* a bitcoin dev..
23:51 < BlueMatt> ahh, ok
23:53 < grau> collaborating between miner to change rules is the same dilemma as in "selfish mining", whort term incentives against long
23:54 < grau> *short
23:54 < petertodd> grau: relying on incentives of a small number of quite-possibly non-rational people is crazy
23:54 < grau> if you have an other choice
23:55  * gmaxwell out
23:55 < petertodd> grau: well we do: design crypto-currencies where pools aren't possible, and be ready to deploy them if it becomes an issue (as an example)
23:56 < Luke-Jr> petertodd: if pools aren't possible, then you get worse alternatives (hosted mining)
23:56 < grau> design a migration policy of wealth also if you are that
23:56 < petertodd> grau: that's the easy part actually
23:56 < gmaxwell> Luke-Jr: hosted mining is made insecure by the same things that break pools (though perhaps no one cares, which was the argument I gave before: easier to break pools than hosted mining)
23:57 < petertodd> Luke-Jr: basic physics fortunately encourages decentralization of hashing power
23:57 < gmaxwell> oh yea I'm not here
23:57 < Luke-Jr> that's why it's better to make decentralised pooling as cheap as possible, cheaper than hosted mining
23:57 < grau> petertodd: why that? bigger plants should have better ratios of energy/hash
23:58 < Luke-Jr> ^ + bulk orders of hardware get better prices
23:59 < petertodd> grau: nope, the basic unit of production is the chip + power supply, and for that your economy of scale is making them. otoh your costs to run the hardware has a huge component of getting rid of waste heat, which incentivizes decentralization
23:59 < petertodd> grau: e.g. "a bitcoin miner in every water heater"
--- Log closed Sun Jan 05 00:00:55 2014
--- Log opened Sun Jan 05 00:00:55 2014
00:02 < grau> petertodd: thereby you would raise production cost of e.g. water heater. Competition in water heater would eliminate that.
00:02 < petertodd> grau: if crypto-coin mining has a value, and heating water has a value, then your cost for doing both at once is less than separating the two activities
00:04 < grau> You assume that water-heater mining is profitable to the extent that it ever amortizes the added production cost. That is not given.
00:06 < petertodd> grau: my point is if bitcoin mining is profitable, it'll be more profitable if you can use the waste heat for something useful. using waste heat for something useful is easier with more decentralization than less
00:08 < grau> There are places where getting rid of heat is not a big issue. I think you engage a bit in wishful thinking. We should rather think hard of how to deal with centralized mining.
00:09 < petertodd> grau: yes, and those places are always decentralized! it's just the basic physics of heat: surface area scales by x^2 and volume x^3
00:10 < grau> iceland
00:10 < petertodd> grau: obviously bitcoin mining will tend towards more northern places, but there's a whole lot of those around
00:11 < gmaxwell> 21:07 < NomZ> You all will love this one. The dogecoin blockchain split after someone submitted a 500M transaction.
00:11 < petertodd> grau: my parents live in a place significantly colder than iceland...
00:12 < grau> petertodd: wow, send them some boxes to mine :)
00:13 < petertodd> grau: yeah, I've done the math on that, it actually makes quite a lot of sense. furthermore in communities north of them the high cost of electricity is *not* a factor because the electricity generation is all diesel anyway, and diesel's more expensive (slightly) than fuel oil
00:13 < grau> gmaxwell: tomorrow you'll have lots of journalists asking if this could happen to BTC
00:15 < brisque> grau: not having scrollback to refer to, can you give me a one line summary of what you're referencing?
00:15 < gmaxwell>
00:16 < brisque> gmaxwell: ouch. I suppose that's what you get when you have inexperienced developers managing a bitcoin clone.
00:16 < petertodd> gmaxwell: heh, yeah warren noticed that awhile back
00:17 < andytoshi> petertodd, warren: oh? what is special about this 500m tx?
00:17 < Luke-Jr> lolwut @ font
00:17 < petertodd> andytoshi: it triggers some sanity limits that they recently removed
00:17 < brisque> andytoshi: the title of the thread has the details. some clients accept larger amounts in blocks than others.
00:17 < warren> andytoshi: competence
00:18 < brisque> "Ten days ago, the developers made a change to the Dogecoin client that raised the limit of coins in a block from 500 million to 10 billion. So now some folks are running Dogecoin clients without that change, because they are older, and some folks are running newer clients. In block 42279, a transaction that broke the rule -- containing more than 500 million DOGE -- has prevented these older clients from advancin
00:18 < warren> did the pools upgrade?
00:18 < gmaxwell> .... wtf they didn't stage the change?!@#
00:18 < andytoshi> holy shit, this is so incompetent i can't believe it, even from doge
00:19 < brisque> presumably one pool updated, then the big TX made it into a block and the chain forked
00:19 < gmaxwell> well we learned nothing then, as we've successfully made a number of changes that would have been forking if not staged.
00:20 < brisque> warren: from looking, there's some on one fork and some on another. presumably anybody on the old client has been left behind and that's the majority at this point.
00:20 < andytoshi> it appears they just pushed a forking change in a routine update? what the fuck?
00:20 < nsh> my hilarity sense is tingling...
00:20 < warren> three forks exist?
00:20 < warren> not sure how
00:20 < warren> but it's hilarious
00:21 < nsh> oldyellercoin....
00:21 < brisque> they might have changed the TX limit previously without making it a staged change.
16:55 < petertodd> Well the resolution protocol can easily have the blockchain be a directed acyclic graph instead where non-conflicting transactions in different forks on the graph can be merged back together later.
16:56 < petertodd> The incentive to broadcast your blocks (which can be just a single transaction) would then be to prevent rewriting by being on a part of the graph with maximal sacrifice.
16:56 < petertodd> Problem is how do you distribute the coins in the first place?
16:57 < petertodd> It'd also have ugly problems if transaction volume was low, because you're only safe from a rewrite once more coins have been sacrificed by *others* than your transaction was worth.
16:57 < petertodd> Hard to bootstrap that...
16:58 < petertodd> It is interesting though how it suggests that a proof-of-stake cryptocoin is probably more viable if there isn't a block reward.
17:01 < petertodd> Not much more viable mind you: it's still the fundamental problem of how do you know time has moved forward without a random beacon. (IE signing for a bunch of stake is something I can only do once - after that more signatures are meaningless, yet there's no good way to decide on what % of the outstanding coins should participate)
--- Log closed Wed Jul 03 00:00:07 2013
--- Log opened Wed Jul 03 00:00:07 2013
06:05 < sipa> :o
06:06 < gmaxwell> you were out!
06:06 < gmaxwell> oh no!
06:06 < petertodd> ...we need a -wizards archive...
06:07  * sipa demugglifies
06:08 < gmaxwell> you totally missed me being an idiot and taking like .. an hour to understand what petertodd was talking about with "proof of possession" and application to proof of sacrifice identity.
06:08 < petertodd> Lol, well I can cut that part out from the archive...
06:08 < petertodd> Though really it's a subtle point, albeit one that you should grok. :P
06:11 < gmaxwell> well in my defense I joined midconversation and didn't read the backscroll.
06:11 < petertodd> ...and if you look you'll notice I changed some of my arguments a bit because I had come up with that idea on the spot nearly.
06:21 < gmaxwell> I still think that even the less secure form of tearable data is interesting until there is actually a problem with people accepting blocks without seeing the good stuff.
06:37 < petertodd> I think the issue there is once you've got to the trouble of having tearable data, why not have proof-of-possession?
06:38 < petertodd> Remember that the nonce can be the previous block hash to keep performance requirements minimal.
06:40 < gmaxwell> two blocks back, so you're not latency threatened perhaps
06:41 < gmaxwell> but I think I proposed this when people were really worried about the 1txn miner and miners without the utxo set. And it was pointed out that people could just advertise the roots.
06:41 < gmaxwell> (I'd proposed a kind of proof of possession to prove you had the utxo set so you couldn't mine without it)
06:41 < petertodd> Sure, and add a system where you can use that proof-of-possession to spend certain designated fees as your payment.
06:42 < petertodd> Heh, yeah, and I kinda reinvented that with my idea for doing low-bandwidth zero-validation cooperative P2Pool...
06:42 < gmaxwell> a general argument against needing that is that if there are sacrifices going on, you'll _want_ to know about them so you would be disinclined to accept blocks that have hidden them.
06:43 < petertodd> Well I'm assuming this would be just another part of a UTXO proof system so there's no way to hide anything.
06:45 < gmaxwell> I'm just saying that something simpler may be more adequate than you're giving it credit for.
06:46 < petertodd> I'm just saying once you've done a soft-fork you're 90% of the way there...
06:46 < petertodd> Really simpler would be to do it as a pure merge mined chain.
06:46 < petertodd> (or a non-soft-fork)
06:47 < gmaxwell> merged mined.. uh
06:47 < gmaxwell> warning: absence of incentive detected
06:47 < gmaxwell> :P
06:48 < gmaxwell> well, I suppose my argument applies: if this merged mined thing teaches you about valuable transactions
06:48 < gmaxwell> then there is an incentive to participate.
06:48 < petertodd> indeed, but without actual proof-of-possession you are relying on nothing more than people just using the defaults
06:48 < petertodd> that may be a much weaker assumption in the future...
06:49 < petertodd> Yeah, or if it's mined with some kind of proof-of-stake from people with a vested interestin the data itself.
06:50 < petertodd> *interest
06:50 < gmaxwell> how do you detect those people?
06:50 < petertodd> Heck, fidelity bond participants to pay rewards after some amount of merge mining...
06:50 < gmaxwell> the one who announced it isnt the useful one to mine it.
06:51 < petertodd> No, but for, say, a fidelity bonded bank thing you might find a bank's competitors proving that the fraud proof ledger is well distributed to discourage anyone from committing fraud, a bit weak sure, but at least the cost is pure bandwidth + some storage.
06:52 < petertodd> (remember the bitcoin blockchain can be used as a random beacon to keep the merge mining moving forward)
06:55 < petertodd> interesting thought: a bank might want to prove that their *clients* had been participating in some visible fraud proof storage system, so that if the bank gets sold one day the consent of the clients to the state of the fraud proof ledger is known and thus a proof disclosed after the fact can be declared invalid
06:56 < gmaxwell> petertodd: we're in cycles, we stumbled on this when talking about the IRC stuff: the irc bank could prune its transaction records once the customer provided a no-fraud ping.
06:56 < gmaxwell> because if they claimed fraud later you wouldn't have to prove them wrong, you'd just show their no fraud ping. :P
06:57  * gmaxwell predicts "what is a segmentation violation" in a minute.
06:57 < petertodd> Ah, I forgot about that bit... nice example of how it's a continuum of visibility options.
06:58 < petertodd> heh...
11:13 < adam3us> now you guys woke up: i was thinking the outcome is the miner will win the proportion of his own (and other peoples) sacrifice to miners in relation to his share of the network power
11:14 < adam3us> so that being the case, why not just pay to the set of miners (over some rolling transaction history) in proportion to how often they've been winning
--- Log closed Thu Jul 04 00:00:10 2013
--- Log opened Thu Jul 04 00:00:10 2013
14:49 < adam3us> petertodd: not afk? about your proof of sacrifice somewhat resistant to miner inside attack, not sure if you saw my additional thought
14:50 < adam3us> petertodd: i think it averages out to pay to miners in proportion to their mining power, so you could more simply achieve the same effect by paying to miners in proportion to their rolling average proportion of network power (with some signature annotation saying this is a proof of donation to miners)
15:22 < petertodd> But that's not a sacrifice without a solid way to pick the lucky miner randomly.
15:24 < petertodd> ...and that doesn't work because there is no way to commit the funds such that if a miner is picked that you do not want the funds to go to the funds will go to them anyway - Bitcoin just can't do that in the scripting system.
16:29 < adam3us> petertodd: but what is special about giving it to a random miner in (chances biased in proportion to their power) vs just giving it to the miners in proportion to their recent demonstration of power (eg last month).  if they keep running for another month the effect in terms of what they receive will be basically the same right?
16:30 < adam3us> petertodd: I dont know why you would not want the funds to go to a specific miner, but the approach you discussed recently doesnt prevent that either, because well a random miner will win, you have no control
16:54 < petertodd> We're talking about sacrifices; if the destination of the funds can be controlled it's probably not a true sacrifice.
16:57 < adam3us> petertodd: my point is the approach you proposed a few days ago, it has the property that funds are given to miners, with some randomness, but presuming lots of people make proofs of sacrifice over time that will average out anyway, so the net result is that miners (all of them) receive funds in proportion to their percentage of network power, agreed?
16:59 < adam3us> petertodd: and if so, you can simplify and achieve the same effect by just paying to miners in proportion to their wins over the last month (pay to all of them, a multiple output); you would need some special annotation to indicate this is not just a payment to miners, it's a sacrifice to miners and that will be validated by other full nodes against the correct proportion being paid to the miners against the validated average network power
17:01 < petertodd> But doing that in Bitcoin is impossible if you want to ensure the person making the sacrifice can't direct it to themselves.
17:01 < petertodd> If you don't ensure that, it's not a true sacrifice.
17:02 < petertodd> What you are proposing would be at minimum a soft fork involving a lot of complex code with no advantage over a random model - it all evens out in the end.
17:04 < petertodd> Not to mention what you really want is anyone-can-spend outputs that remain locked for long enough that even if a pool has, say, 40% hashing power and is willing to play dirty and make sacrifices knowing that 40% of the time they'll mine the fees anyway it is unknown to them if they'll be in business by the time the output is spendable. IE sacrifices that only go back to miners after multiple months.
17:04 < adam3us> petertodd: i am not saying the sacrificer can spend to themselves, they can only spend to the miners during the last month, in proportion to the power (1GH = 100 satoshi sacrifice or whatever ratio), and if the sacrificer pays to the wrong proportion or to the wrong users, it will be rejected by all validators (full nodes)
00:05 < warren> what's wrong with p2pool's approach?
00:05 < warren> p2pool implementation has scalability problems and payouts are too often in too small dust, but that's a current implementation issue.
00:07 < amiller> well p2pool's approach is based on the same technique that makes hosted mining feasible/attractive
00:07 < amiller> (despite the fact that no one does it yet)
00:08 < warren> I mean, if users were more concerned about the risks of mining centralization, they would use p2pool-like approaches, there could be multiple of them.
00:08 < warren> p2pool needs to be a lot more efficient than it is now.  We hope to throw a few thousand dollars into its development.
00:08 < amiller> well see the thing is the risks of mining centralization aren't felt by individual users acting in self interest
00:09 < amiller> it's kind of like a social cost
00:09 < warren> amiller: p2pool miners can earn more than centralized pool mining
00:09 < amiller> warren, i am not talking about centralized pool mining
00:09 < amiller> i'm talking about hosted mining
00:09 < amiller> where you rent cpu power from a miner warehouse somewhere in the cool fjords of sweden
00:10 < amiller> where the hydroelectric power is cheapest
00:11 < jgarzik> Alydian is doing that
00:11 < jgarzik> $0.5 million for a petahash or three
00:11 < amiller> ah, thanks jgarzik
00:11 < jgarzik> though not necessarily in sweden
00:11 < jgarzik> knc and a couple others are doing hosted mining
00:11 < amiller> are there threads panicking about this
00:12 < jgarzik> and well over a year ago, "Vladimir" on the forums sold hashes in this manner.  you paid for a certain amount of hashes (GPU at the time).
00:12 < jgarzik> nope, it's already been explored
00:14 < amiller> already been explored? what conclusion did they come to? (i'm searching for such threads)
01:17 < gmaxwell> nanotube: amiller's plan to foil cloud mining is like julian assange's plan to use leaks to undermine secrecy. :P
01:18 < gmaxwell> I don't think anyone has explored foiling it through clever techno-economic hacks.
01:19 < gmaxwell> (nor do I think amiller's ideas would ever go anywhere, but they may someday turn useful should bitcoin fail to centralization)
01:19 < gmaxwell> (so that the $next_thing, in 100 years when people will finally trust a next-thing, won't have the same flaw)
01:21  * amiller can wait
01:21  * nanotube also plans on being around in 100years.
01:22 < nanotube> assuming we don't have a major cataclysm, seems within the realm of possibility
01:23 < gmaxwell> amiller: I can defeat your approach. :(
01:24 < gmaxwell> I have some independent hardware maker build my hardware with an odometer, and the hardware gets audited by people with electron microscopes (at random, which I can afford because I'm mega cloud)
01:25 < nanotube> we just need to make bitcoin asic coffeemakers and spaceheaters.
01:26 < nanotube> and have them default-set to mine solo.
01:26 < gmaxwell> yea, I've argued that before: for low level waste heat decentralization is actually more cost effective... but deploymens seem to suggest that I'm wrong.
01:26 < gmaxwell> er deployments.
01:26 < nanotube> once we have millions of these out there, no need to worry about it.
01:26 < nanotube> there are deployments?
01:27 < gmaxwell> alternatively, I just run my cloud business such that I pay the average expected payout regardless of the actual payout, and I hire trained assassins to patrol my datacenter to catch thieving techs.
01:27 < gmaxwell> nanotube: there are a number of big online highly centralized deployments, e.g. asicminer and the 200TH mine that most of the bitfury parts went to.
01:28 < nanotube> gmaxwell: well yes, but there are no deployments of relatively cheap consumer hardware that mines automagically with no user intervention.
01:28 < gmaxwell> cointerra's original business plan was that, but the club to the head that they need to sell stuff was strong enough, but I don't know if they were just delayed or really deflected, see: "Our mission is to become a reliable and trusted node for transaction clearing on a stable and flourishing Bitcoin network."
01:28 < gmaxwell> no no right.
01:29 < gmaxwell> I'm saying that my theory that decentralized is more efficient than centralized because the waste heat is more productively disposed of may be wrong.
01:29 < gmaxwell> because I'm seeing lots of centralized deployments and there is no bitcoin coffeewarmer.
01:29 < nanotube> hmm
01:30 < gmaxwell> I dunno why it's wrong, I certainly lived it in VA. with substantially free power in part of the year because mining completely replaced heating costs.
01:30 < gmaxwell> (realistically the heatpump was probably 2x more power efficient, still... half price power is good)
01:31 < nanotube> maybe because nobody's gonna buy a 3000-dollar spaceheater. :P
01:31 < nanotube> the bfl jalapenos could have been it... but bfl fscked up, as we all know.
01:32 < gmaxwell> well the actual cost of building these things is ... not that high. I titter a bit at the forum people "why would they sell them when they could mine!"  "because you morons will pay a king's ransom for the hardware!"
01:32 < nanotube> hehe
01:44 < Luke-Jr> lol
01:45 < petertodd> Why mine when you can sell the hardware and make debt payments now?
01:46 < Luke-Jr> petertodd: and make a nice profit until you actually ship!
01:46 < petertodd> heh
01:46 < Luke-Jr> bah! Qt 5 requires Perl 5.16
01:46 < petertodd> <shudder>
01:46 < Luke-Jr> not sure I want to upgrade to testing perl
01:46 < petertodd> awful, horrible language
01:47 < Luke-Jr> Perl is lovely.
01:47 < Luke-Jr> I think I prefer to stick to stable versions though
01:48 < Luke-Jr> OH! That's how I can get the election by a landslide!
01:48 < Luke-Jr> "I know Perl. =_="
01:48 < petertodd> I don't vote for the mentally ill.
01:48 < Luke-Jr> :P
01:48 < petertodd> well, at least *that* kind of mentally ill...
01:49 < Luke-Jr> Perl is the kind of thing where you hate it until you're familiar enough with it. :P
01:50 < petertodd> yeah, I got familiar with it then went to art school...
01:51 < Luke-Jr> I wrote an emulator in Perl once! :P
01:52 < petertodd> heh, of what? line noise?
01:52 < Luke-Jr> it was one of my toy MIPS emulators I think
01:52 < petertodd> I hope you ported perl to it
01:52 < Luke-Jr> :D
01:53 < warren> I don't know who to vote for.
01:53 < petertodd> I wonder what's the longest chain of emulators ever emulated?
01:53 < warren> There's no Clinton on the ballot.
01:53 < petertodd> I was hoping to vote for the other lizard.
01:54 < phantomcircuit> petertodd, well someone wrote a Z80 emulator for a Z80 and then ran it on x86
01:55 < petertodd> phantomcircuit: I was more thinking Arthur Ganson's "Machine with Concrete" -
03:15 < petertodd> Random number generator:
03:15 < petertodd> and sublime work of work
03:16 < petertodd> ganson is a genius
15:53 < gmaxwell> amiller: am I correct in believing that just having basic pairing operators (gt* gt/ g1^ g1+ gt= and loads of g1 types) is all we'd need to verify pinocchio in script?
16:05 < amiller> gmaxwell, yes definitely.
16:07 < amiller> gmaxwell, i think it would be easy to implement using PBC
16:08 < amiller> pinocchio requires a few specific twist curves
16:09 < amiller> they have two curves basically
16:12 < gmaxwell> amiller: In the SCIP they mention they have selected a curve with a particular efficient endomorphism, I assumed this was just distortion map optimization and would already be in pbc.
16:12 < gmaxwell> (I guess its a requirement that the curve and its quadratic twist have the same embedding degree?)
16:14 < gmaxwell> In any case, I was just musing on what the minimal cryptographic extensions to script were to achieve the widest increase in applications.
16:14 < sipa> OP_X86
16:15 < Luke-Jr> P2SH-for-SCIP would be useful
16:15 < amiller> i don't actually know any details about how pairing based crypto works, i only understand it at the bilinear map layer
16:19 < amiller> i may end up trying to learn it in a hurry and implement the pinocchio verifier myself :/
16:19 < amiller> of course for efficiency it's always hard to find the right abstraction
16:24 < amiller> these are the BN curves y^2 = x^3 + b i think pinocchio uses
16:26 < gmaxwell> ah, okay, yea, I would have assumed it was though out of the ones in PBC. I still don't exactly understand how the pairing operation isn't slow as @#$@# for k=12 but apparently its not.
16:46 < amiller> the pinocchio guy said a similar thing once, that they picked a specific curve and used a lot of curve-specific implementation optimizations
16:46 < amiller> but maybe it's just this distortion map thing you're mentioning
19:44 < gmaxwell> So perhaps this was obvious, but I realized that a sensible way to go about establishing the usefulness and correctness of a new scripting system for bitcoin is to implement it, and embed it in a harness that uses it as the controlling criteria in a signing oracle.
19:45 < gmaxwell> e.g. you take your script, hash it, compute a new public key from the oracle's well known public key. Then do things where you want the oracle to sign with that key... then go present the oracle your script and when it accepts it signs for you.
19:46 < gmaxwell> so then you could make any new application for your new bitcoin script opcodes you want, with the limitation that you depend on a trusted oracle.
19:46 < gmaxwell> But if the usefulness of the improved script is established then that's the on-ramp to making it part of the distributed system proper.
19:56 < amiller> that's a neat idea.
19:57 < amiller> that would work e.g. for zerocoin
20:04 < phantomcircuit> this is driving me insane
20:05 < phantomcircuit> i can't get the block header that cpuminer is finding from the info stratum provides
14:25 < maaku> So question for the other -wizards': are there hard-fork changes which would make identity management easier?
14:26 < maaku> s/hard-fork/hard or soft fork/
14:34 < gmaxwell> maaku: being able to prove an output was created in the chain with a smaller proof (which doesn't include a whole transaction) would be nice.
14:35 < maaku> so merkleized transactions, presumably?
14:39 < gmaxwell> yes. Then you'd probably also want lockable outputs.
14:40 < maaku> lockable meaning can't be spent for X blocks, or until block X?
15:18 < gmaxwell> Either would work for SINs, the latter is probably more generally useful... the former may be better for SINs.
16:54 < gavinandresen> High-quality thoughts on selfish mining happening here:
17:34 < MC1984> i don't know. We've already seen we can't wholly rely on positive incentives to maximise desirable behavior (like simply making sure your mining setup is bloody working properly and keeping it so)
17:34 < MC1984> who's to say we can wholly rely on negative incentives to minimise undesirable behavior.
17:35 < MC1984> i mean, if that were true democracy would actually work right...
17:36 < MC1984> even wholly/substantially. Especially if a rumour or urban myth goes round amongst the plebs of a way to mine more coins for free or something even if it's actually killing bitcoin
17:37 < maaku> hrm. SIN and namecoin are very similar mechanisms, are they not?
17:38 < gmaxwell> maaku: namecoin expects the network can do lookups for you. sin expects the user to extract a proof and provide it.
17:38 < gmaxwell> You can verify sin without speaking the bitcoin protocol at all (with some security discussion because you're "blind SPV").
18:02 < michagogo|cloud> What goes on in this channel? (found it thanks to the mailing list)
18:03 < gmaxwell> A muggle1
18:03 < gmaxwell> !
18:03 < gmaxwell> burn him!
18:03  * amiller put on his robe and wizard hat
18:03 < gmaxwell> michagogo|cloud: we talk about far out technical stuff instead of pragmatic near term bitcoin things. It's kind of a cryptonerds bitcoin-dev-offtopic.
18:04 < michagogo|cloud> Hmm, sounds interesting
18:05 < sipa> amiller: ?
18:05 < maaku> stuff that's longer-term than the next release cycle
18:05 < pigeons> maaku: are you mining the -wazards for feature ideas to solve problems to add to freimarkets?
18:05 < pigeons> ;)
18:05 < amiller> bloodninja yeah ;p
18:05 < maaku> hah sometimes. that's what my question about SIN was for
18:07 < maaku> but it's relevant since we can actually experiment with this stuff on a live network there
18:07 < michagogo|cloud> SIN/
18:07 < michagogo|cloud> s|/|?|
18:08 < maaku> michagogo|cloud:
18:09 < sipa> someone should write an identity protocol v2
18:09 < sipa> so we can talk about the Original SIN
18:10  * michagogo|cloud wonders if he's missing something
18:11 < amiller> "A SIN ("System Identification Number") is the unique record identifier by which this identity will be known."
18:12 < michagogo|cloud> I saw that
18:12 < michagogo|cloud> sipa: Is that a reference to something?
18:13 < maaku> michagogo|cloud: an oppressive catholic education
18:13 < maaku>
18:14  * michagogo|cloud glances at the nick list, between kinlo and maaku
18:32 < adam3us> why do we want identities again?
18:37 < adam3us> ok skimmed identity_proto..  for issuer signed attestations Brands is the most flexible blind signature protocol
18:38 < adam3us> there are also some protocols for serial anonymous use, where if you get banned you lose your access token, but not your anonymity
18:50 < gmaxwell> adam3us: right, for anti-trolling/spamming/etc.
18:56 < adam3us> gmaxwell: yes, the interesting thing is it turns out to be possible to be serially anonymous (as distinct from pseudonymous) while reusing a single authorization
18:57 < gmaxwell> adam3us: yea, e.g. via chaining blind signatures. Are there other ways?
18:57 < adam3us> gmaxwell: at some earlier point people supposed you could not be anonymous and yet anti-trolled
18:57 < gmaxwell> e.g. present an identifying sync, get a chaum token.. chain it forward..
18:57 < adam3us> gmaxwell: yes the actual approach was something simple like that
18:58 < gmaxwell> s/sync/sin/
--- Log closed Fri Nov 08 00:00:41 2013
--- Log opened Fri Nov 08 00:00:41 2013
06:31 < adam3us> anyone tried to figure out if ed felten is right?
06:32 < adam3us> i posed the question similarly in my comments to the selfish-miner paper authors (on bitcoin-dev):
06:33 < adam3us> wrong link
06:33 < adam3us> "It is also not clear what will happen if multiple selfish miners compete with each other.  A selfish miner cooperating as a peer to increase percentage runs risk of mutual sabotage - he has to announce his private block to his co-conspirator, and the co-conspirator may publish, or collude with another non-selfish miner."
06:34 < adam3us> felten claims the answer to that q. is selfish mining is unstable so wont persist
06:35 < adam3us> (well a selfish pool composed of multiple smaller pools or powerful miners, is unstable is his claim)
10:39 < amiller> adam3us, ian michael miers sent ed an email about this
10:40 < amiller> it would be pretty straightforward for the pool operator to enforce/discourage fairweather-mining
10:40 < amiller> for example if you don't keep up the pace, you get kicked out
10:41 < adam3us> amiller: yes i thought it was an interesting question, and posed it also, but i am not sure ed's gut reaction is necessarily right or properly checked
10:41 < adam3us> is that public email? on a list?
10:42 < amiller> it was a private email, instigated by a public twitter conversation
11:44 < adam3us> amiller: i guess the fair-weather guy could also sell information or be in collusion with or be a larger unselfish miner; then he can switch to the previous block at random, and the selfish miner won't know which block to mine (do this reactively when the selfish miner gets ahead)
11:45 < adam3us> amiller: as soon as the selfish miner is > 1 block ahead (which happens 1/9 of the time with 33% power), the unselfish miner has already lost so he loses nothing new by this strategy
11:47 < amiller> did you switch from fairweather miner to unselfish miner?
11:48 < adam3us> amiller: no
11:48 < adam3us> amiller: fairweather is someone who attacks the selfish mining pool from within, unselfish is someone who is running the normal protocol
11:49 < adam3us> amiller: my point is the unselfish miner can sabotage the selfish mining game, and to the selfish miner he'll just look ridiculously unlucky which he will notice soon enough
11:50 < adam3us> amiller: but if he can't find anyone who won't do that to him, he can't do the attack unless he amasses 33% himself
11:50 < amiller> i have no idea what you're saying actually ;/
11:51 < amiller> you're saying fairweather miners can undetectably leak information to some other unselfish miner?
11:52 < adam3us> amiller: correct, they can participate in the selfish mining in hashrate, but sabotage it, but it will be noticed statistically that the selfish pool is not doing as well as expected
13:30 < adam3us> seems like it could be useful to extend timelock to be a script function rather than a tx property so you can do before, after, ranges, and do in one tx rather than multiple interlocked tx
14:08 < gmaxwell> adam3us: that creates freaky problems where a transaction which falls out of the chain in a reorg can't be put back in.
14:10 < adam3us> gmaxwell: yes you'd have to have it confirmed (timestamped) within its validity period or you're out of luck
14:11 < gmaxwell> adam3us: not just that, it can be confirmed.. and then the chain gets reorged.. and it can never be put back.
14:11 < gmaxwell> The security of all coins descended from that one arguably reduced forever.
14:23 < adam3us> gmaxwell: well a coin reorg that excludes it is not much different to putting zero fees and not getting in the first time
14:25 < gmaxwell> adam3us: it is because you know when it's never been in. This is the same kind of fungibility problem that coins derived from coinbase txn have, which is why they have a 100 block settling time.
14:26 < gmaxwell> I'm not saying no-never... but it has tradeoffs which make me uneasy.
14:45 < adam3us> gmaxwell: yes.  maybe an addendum could be to authorize belated adding if previously confirmed in an orphan within the required block/time
14:49 < amiller> i don't get how it's different
14:49 < amiller> if the chain gets reorged, one conflicting transaction can replace the other
14:50 < amiller> everything descending from the tree is affected, if the fork goes back that far
14:50 < adam3us> amiller: he means that if it's < timelock, and the time has passed you're out of luck
14:50 < amiller> yeah
14:50 < adam3us> amiller: whereas now timelock is only > timelock so you just resend it
14:50 < amiller> it's still caveat emptor, i don't see how that should matter
14:50 < amiller> or to put it another way, if you receive a bitcoin from someone, who just received it from someone else, it's still not fungible
14:51 < adam3us> amiller: yes that is somewhat true; if a big enough reorg occurred to undo 6 blocks, never mind 100 you've got other problems, you're vulnerable to full-on 51% attacks
14:52 < adam3us> amiller: but gmaxwell is right that mined blocks are treated with more suspicion in terms of confirmations at least in the qt client
14:52 < amiller> perhaps they shouldn't be?
14:53 < amiller> anyway i think coinbase maturity is a bad rule because of economic blah blah incentive-compatible but that's a dead horse
14:53 < adam3us> amiller: well there could be an argument that honest reorgs would preserve the transaction order
14:53 < amiller> honest reorgs is a weird model but sure
13:30 < adam3us> petertodd: isnt that enough
13:31 < petertodd> Right, but the issue is a 51% attack against some subset of the blockchain data.
13:31 < petertodd> Like, if other miners *didn't* build upon your part of the blockchain via timestamping, this wouldn't be a big deal.
13:33 < adam3us> petertodd: yes it's another aspect of the one-true chain model (must be up to 7 dependencies by now) it ensures that once your block is buried even one block other miners have an incentive to mine it to avoid being orphaned
13:34 < petertodd> Yup
13:34 < adam3us> petertodd: i think i had the analogous problem you are talking about with complex incentives for the "thicket" of block chains approach
13:35 < petertodd> Sure, although I think the biggest issue is just the really fundamental one about how you need to be sure the blockchain data is in the hands of more than one person.
13:35 < adam3us> petertodd: at that time i concluded it was enough alone to kill it - simplicity is good etc but this variant has additional advantages so maybe we can still get back to a net win eventually
13:36 < petertodd> Yup. Like, suppose we could make the assumption that the majority of hashing power would be mining all shards in one go, then that majority would have the data, and there'd be no issue at all. But we can't assume that.
13:36 < adam3us> petertodd: its not inherently interesting to someone to censor your shared block hash, they have to want to present a different version of it with a different spend
13:36 < adam3us> petertodd: right - that's the 7th dependency - super-entangled design when you get to all of the dependencies
13:36 < petertodd> Economically interesting no, but if their goal is to destroy the system then you're in trouble.
13:37 < adam3us> petertodd: yes, and you have defend against that
13:37 < petertodd> Yup. I dunno, maybe it's the case that fundamentally you can't? But I'd sure hope you could at least do better.
13:37 < adam3us> petertodd: in my thicket thought experiment (unpublished) i was supposing some modest reward bonus for being the first to pull in a shard-hash
13:38 < petertodd> what do you mean by "pull in"?
13:38 < adam3us> petertodd: or a share of the fees in it (hash it as an input another shard hash)
13:39 < adam3us> petertodd: i think you need to have some list or merkle hash of shard-hashes so that as time-progresses each hashed block includes everything else if you explore down the tree a bit
13:40 < petertodd> See, my thought experiment is a little different: for a given committed transaction input, we should be able to calculate the total work done by all miners with that transaction input in their dataset. (assuming the pow scheme does proof-of-data)
13:40 < adam3us> petertodd: (each shard-hash includes all other shard hashes in a best effort sense, motivated by a share of the fee and/or reward)
13:41 < petertodd> Yeah, although maybe at this point it'd be better to leave reward out; I think in an inflationary system we can reward people simply by taking their coins away unless they mine in proportion to the coins they own.
13:44 < adam3us> random non-tech thought about the "what is bitcoin" virtual commodity, etc .. its a crypto/math geeks stamp collection
13:44 < petertodd> heh
13:45 < adam3us> see in hashcash in the mail context they were stamps and i have a page with a stamp collection; they are rare because they are expensive, and a math/crypto/computer geek can admire and appreciate the beauty (or waste) in finding a number with 15 leading 0 hex digits so they have math aesthetic value too
13:46 < adam3us> one of those was 48 bits eve years ago
13:46 < petertodd> yeah, bitcoin is special in figuring out how to take those stamps and assign them owners with global consensus
13:46 < petertodd> heh, meanwhile we've got, what, 68 zero sha256^2 pre-images now?
13:46 < adam3us> right; it wouldve been easy to give a hashcash a public key, just include a pub key in the hash (as bitcoin does), and i thought about it for mail apps even (prove a reputation)
13:47 < adam3us> yes
13:48 < adam3us> actually i calculated it here:
13:48 < adam3us> its 60.6 bits right now
13:48 < adam3us> or 61.6 bits of security (there are 2 hashes per try so +1)
13:48 < adam3us> more secure than 56-bit DES :)
13:48 < petertodd> ha
13:50 < gmaxwell> adam3us: well I don't think you get to count the ^2 ... I mean, sha256 is much slower in hardware than DES and you're not counting that.
13:50 < adam3us> the guy etienne gervais wrote his own openCL hashcash-sha1 miner just to get leaderboard on that page :)
13:50 < petertodd> Interesting thought: so, in my txin commitments scheme, what you need to keep "up-to-date" with, in terms of the blockchain, is the part of the blockchain with the still un-revealed txouts that your wallet contains. IE, the important part of the txin space is still "zeroed" up until you want to spend it to someone else.
13:50 < adam3us> gmaxwell: yes it is a question of what counts as an op in O(2^n) notation grey area
13:51 < petertodd> Not brilliant, but it is a bit of a security improvement in that targeting you specifically to make your coins unspendable is hard if you keep those txouts a secret.
13:51 < adam3us> gmaxwell: if it was computing DES unlike eff des cracker which computed one des decryption in 56hrs, bitcoin network can do it in < 12 sec
13:51 < gmaxwell> you could instead use some transistor toggle metric.
13:52 < adam3us> gmaxwell: vaguely recall knuth might've had some complexity metric based on a styled pseudo assembly code :) even with cycles or instructions depends on cisc, risc etc
13:53 < gmaxwell> adam3us: art's (who you didn't get to interact with, early bitcoiner who went away) fpga mining farm could do a full des search in ~24 hours and I think that was just a 40GH bitcoin farm.
13:54 < adam3us> gmaxwell: its interesting in that des cracker was built in 1998 for $250k but if it was sha256 instead of des it'd still be respectable and maybe profitable for bitcoin i think (have to check calc)
13:55 < gmaxwell> adam3us: DES is especially weird, because the sboxes yield especially compact combinatorial logic.
13:55 < adam3us> it was doing 280 TDes/sec
13:55 < adam3us> for $250k
13:59 < adam3us> gmaxwell: something seems wrong: bitcoin hashrate = 3 ExaH/sec if deepcrack was 280, it'd be only 10x slower, but that's not true; yet 2^56/56/6/1000^4 = 280 hhmm (deepcrack could do 2^56 in 56hrs)
14:00 < adam3us> gmaxwell: oh bitcoin hash rate is now 4 Exah (33% increase as of a  few days) jeeze
14:10 < petertodd> adam3us: suppose we ensured that mining some portion of the blockchain required the consent of the majority of the owners of the coins in that portion, do you think the data hiding problem would be sufficiently solved?
14:10 < petertodd> (ignore practical difficulties here)
14:16 < sipa> adam3us: what is Exah?
14:16 < sipa> per what time?
14:17 < sipa> it's 3.8 petahash/s
14:17 < sipa> where hash = double-sha256
15:36 < HM2> Android has improved its security further by adding support for two more cryptographic algorithms. Elliptic Curve Digital Signature Algorithm (ECDSA) support has been added to the keystore provider improving security of digital signing, applicable to scenarios such as signing of an application or a data connection. The Scrypt key derivation function is implemented to protect the cryptographic keys used for full-disk encryption
15:36 < HM2> Android adopting Scrypt is pretty big crypto news I guess
15:40 < sipa> ooh nice
15:42 < HM2> yeah, not sure whether they make that available via the general crypto APIs
16:45 < adam3us> sipa: better that explains my error
17:19 < sipa> amiller: ?
17:19 < sipa> ah!
17:20 < amiller> haha, my phishing attack is complete
17:20  * gmaxwell is confused
17:20 < amiller> i'm approximately authenticated as adam back
17:20 < amiller> as far as sipa is concerned
17:21 < gmaxwell> Well, a people all look the same.
17:22 < sipa> my authentication scheme is based on H(nick[0])
17:42 < amiller> ugh question about colored coins again
17:42 < amiller> to determine if a txoutput has the color
17:42 < amiller> do you have to trace just a *path* through the transaction tree down to the genesis of the colored coin/
17:42 < amiller> or do you have to trace the whole tree?
17:43 < amiller> someone convinced me it was just the tree
17:43 < amiller> er just a path
17:43 < amiller> but now i think it's the entire tree, because you have to establish the color value of *every* txinput, which is then recursive
17:44 < gmaxwell> amiller: I'm not following the distinction. If you receive a colored coin and someone tells you the respective genesises you can just connect them and ignore unrelated parts of the history.
17:44 < gmaxwell> I suspect most people flapping their lips about this stuff have never picked a random coin on the network and tried to extract its whole history.... :P
17:45 < gmaxwell> (it's pretty normal for something to be tainted against a significant fraction of all past transactions)
17:45 < amiller> what is the unrelated part of the history though?
17:45 < amiller> it would be nice if, for example, if i only cared about this current txout, then i have to look backwards to at most one txinput in each transaction
17:45 < amiller> thus a linear path from the txout in question to the genesis
17:45 < gmaxwell> amiller: if you know which coins were the genesis you can trace forward and back and meet in the middle.
17:46 < gmaxwell> amiller: you only can do that if you already know the path (e.g. someone else already traced it)
17:46 < gmaxwell> if you know the genesis and the rule is setup right you can trace forward with one output per transaction.
17:46 < gmaxwell> but backwards alone is exponential.
17:47 < amiller> i don't see how to go forward with one txout per transaction
17:47 < amiller> can you recommend a link with code for this
18:15 < jgarzik> adam3us, TBH it's not just laziness.  Even if my bitcoinj-based Bitcoin Wallet was [hopefully] updated to reuse addresses tomorrow, you still have a problem of address reuse being practically mandated by circumstance, in the other direction:
18:15 < adam3us> sipa: when presented with a key though
18:15 < jgarzik> miner payouts, salary payouts, etc.
18:15 < jgarzik> no good way exists to give a payment stream a set of addresses
18:15 < sipa> adam3us: they could reveal that key
18:15 < TD> lol
18:15 < TD> wallet author laziness
18:16 < TD> adam3us: you can follow HD wallets in bitcoinj development work here:
18:16 < TD> as you can see lots of code has been going in for the past 6-7 weeks
18:16 < adam3us> jgarzik: yes indeed.  well there is a mix of like wallets that only support one address supposedly? and then there are real problems.  signature lines, biz cards, etc they are truly simpler to use and understand and in some use-cases hard to avoid!
18:16 < Luke-Jr> jgarzik: HD wallet spec has stuff for that
18:16 < TD> adam3us: design doc is here, to give you a flavour of how complicated the work is:
18:17 < am42> lol
18:17 < am42> guys...
18:17 < jgarzik> Luke-Jr, yes, any derivation scheme fits the use case
18:17 < adam3us> jgarzik: "no good way exists to give a payment stream a set of addresses" well like Luke-Jr said shared subwallet chain-code should work for stream
18:17 < jgarzik> as long as it is standardized
18:17 < jgarzik> and private
18:18 < jgarzik> the whole world doesn't need to track my salary
18:18 < Luke-Jr> but it's so fun! <.<
18:19 < jgarzik> I would love to find a solution for mass payouts killing privacy.  the solution seems to be "send a bunch of little TXs", which is network-unfriendly.
18:19  * TD shrugs
18:19 < TD> the point of bitcoin is to move money, well
18:19 < TD> that's why we need to scale the tech
18:20 < TD> so we're not afraid of making little transactions if that's what it takes to give good privacy
18:20 < TD> adam3us: anyway if you're feeling non-lazy you're welcome to help chip in with the implementation .....
18:20 < adam3us> TD: scary looking spec there.  btw relatedly petertodd was saying that bloom is not that private with default parameters
18:20 < TD> :)
18:20 < TD> yeah current bitcoinj has a default very low false positive rate and a few bugs
18:21 < TD> ways the remote node can trick you into revealing whether you own a particular key, stuff like that
18:21 < TD> we experimented with a higher FP rate in this dev cycle but it wasn't usable on 3G connections. so we need to add a notion of bandwidth modes to the API
18:21 < TD> then if we're on wifi we can ramp it up, etc
18:21 < TD> either that, or some kind of auto measurement/adaptation, but that's harder
18:21 < sipa> well, as long as bitcoinj wallets reuse addresses by default, there's little point in trying to protect privacy using bloom filters )
18:22 < TD> yeah - that's why i'm working on HD wallets at the moment and not bloom filtering :)
18:22 < adam3us> TD: still i wonder if it's more private still than the prefix idea; prefix leaks to all and interacts badly with existing statistical network analysis
18:22 < sipa> yeah, i know, not commenting there
18:22 < am42> guys i want to buy safe BTC via Western Union
18:22 < am42> or MoneyGram
18:22 < TD> but as you can see from the design doc ..... well, bitcoinj wallet class got a lot of features over the years, so making sure none of them break and the upgrade is smooth, takes a lot of work
18:22 < adam3us> sipa: ha ha
18:22 < am42> how to do that safe?
18:23 < sipa> am42: not here, try #bitcoin
18:23 < wallet42> td: will bloom filters work with stealth addresses?
18:23 < adam3us> jgarzik: "I would love to find a solution for mass payouts killing privacy." this seems like a coin control issue.
18:23 < TD> i don't know. i haven't really worked through the details of ... let's call them "routing addresses"
18:23 < adam3us> wallet42: i think not
18:24 < TD> but yeah there's an obvious conceptual issue there - bloom filters are intended to hide what the node should be looking for. but with stealth/routing addresses, the client doesn't know what it's looking for either, in a way
18:24 < adam3us> TD: i was suggesting unlinkable static (vs the current static aka reused).
18:24 < TD> with the payment protocol it might be different because then you don't have to find payments only via the chain
18:25 < TD> adam3us: yeah but i think "static" is jargony
18:25 < adam3us> TD: exactly.  the client would have to give the node a private key to scan with.  and that scanning is like heavy
18:26 < TD> if the payer submits the tx directly to the payee via bluetooth/http/other payment protocol methods that issue goes away of course
18:26 < TD> but then you have to be online
18:26 < adam3us> TD: and then i think there's no ambiguity left for bloom to work with.  unless you upload a few other peoples private key also
18:26 < TD> or have a dropbox of some kind
18:26 < adam3us> TD: yes.  i guess we cant or dont want to accept that as an assumption  and also one or other part could get lost.
18:27 < adam3us> TD: routing address is not bad.
18:28 < adam3us> jgarzik: didnt petertodd write something called dust be gone that swept up all the tiny tracking spam payments into a corner so your wallet doesnt auto grab them?  or coin control to not use them until you run out of bigger coins.
18:32 < TD> i think it paid dust outputs to miner fees
18:43 < EasyAt> I don't understand the use of these tracking outputs.  Is it because if the TX is to me I will relay it, whereas if it isn't mine I'll drop it because it's dust?
18:44 < adam3us> EasyAt: apparently they send tiny payments to lots of people, then watch them be respent.
18:44 < EasyAt> Can't I just track outputs from a target address without tagging it
18:44 < adam3us> EasyAt: your wallet just grabs random inputs from whats in the wallet, "coin control" is not clever yet apparently.  its like someone giving you marked pennies.
18:45 < adam3us> EasyAt: well not if someone is not reusing addresses so much.
18:45 < EasyAt> Yea, but once they target my address they can just watch all outputs and the chain of TXs following?
18:46 < maaku> EasyAt: these addresses are one-use only
18:46 < adam3us> EasyAt: i guess you could say its a way to force someone to reuse an address against their wish... send them unsolicited dust to their address.
18:46 < maaku> oh n/m
18:47 < sipa> i really prefer a model where you have to ask for every transaction you have to send first
18:47 < sipa> but it seems the bitcoin economy hasn't evolved that way
18:47 < adam3us> EasyAt: your wallet contains like 100 addresses and the wallet tries to not reuse them.  so they know this particular address is yours for some reason.  maybe the point is the dust payment is to the same address, and may get used in a different payment (even tho its the same address its a different txout)
18:48 < EasyAt> adam3us: Is it in the hopes that you will spend the dust with another output from a different address, thus leaking some info?
18:49 < adam3us> EasyAt: its not automatic that all payments from the same address would go in the same payment.  its not balanced based so each txout is spent separately.  if they see one of those dust payments respent with an address of yours they didnt know was  yours, they do now
18:49 < adam3us> EasyAt: but i dont know who would care enough to waste btc dust to find out really.  maybe some academics doing analysis or something?
18:50 < EasyAt> adam3us: Indeed, I follow you
18:50 < EasyAt> tainting people
18:50 < EasyAt> Or address grouping, I suppose
18:51 < EasyAt> sipa: In your model I would need permission from the receiver?
18:52 < adam3us> EasyAt: yes probably the latter.  yes his model is that and would work, in an older version there was sent via IP which could've been more permission based as there was an interactive link anyway
18:53 < EasyAt> Interesting, thank you for the input
18:54 < adam3us> in an ideal world we'd have better privacy so people could send you small payments and it wouldnt matter.
18:55 < sipa> EasyAt: i would like that yes
18:55 < sipa> EasyAt: that you could not send coins without permission from the receiver
18:56 < EasyAt> How would cold wallets receive funds in that case
18:56 < sipa> nothing prevents it from being presigned
18:57 < EasyAt> Hm, then wouldn't I need prior knowledge of the TX?  How about a cold wallet used for donations?
19:00 < adam3us> EasyAt: maybe there could be a separate key for permission to send sig than for spending.  (like the chain-code being in an online computer and the private key in the offline)
19:01 < adam3us> sipa: it would also solve address reuse.  new address on each signed payment permission
19:03 < EasyAt> Or, maybe a way to publish a ruleset in the blockchain for acceptable payments to an address
19:04 < EasyAt> Though, by doing so I am giving up my pubkey... I think
19:04 < EasyAt> Well, I can't think of a way not to give it up
19:05 < sipa> adam3us: well, it's exactly what the payment protocol intends to bring back
19:09 < adam3us> sipa: yes.
19:21 < jcrubino> was a rename decided for stealth addresses?  I would like to propose "quiet addresses" or "silent address"
19:23 < adam3us> jcrubino: i think we have a winner from jeremy spilman "reusable address"
19:23 < jcrubino> sounds good
19:23 < gmaxwell> I like reusable address.
19:24 < maaku> very nice
19:25 < adam3us> gmaxwell: yea me too.  i am not sure of the level of enthusiasm for this all being a done deal tho "I have high hopes for this feature. The war *against* address reuse may soon be a distant memory." (Jeremy on bitcoin-dev list)
19:25 < adam3us> gmaxwell: seems to me there is a big open question about SPV compatibility.
12:15 < adam3us> hm2: then everyone is a user (who uses it) but zerocoin is slow, bloated coins, and only one denomination (imagine paying $10k in 1c coins)
12:16 < HM2> i'm sure sipa could cook up something with hash trees
12:16 < adam3us> hm2: if you can follow chameleon hash argument u could grok it
12:16 < HM2> everything in bitcoin is solvable with another tree of hashes
12:16 < sipa> HM2: gmaxwell and petertodd are far more experts at using hashes for everything :)
12:16 < adam3us> hm2: funny u should say that committed transactions potentially hide a lot from the public are also just hashes
12:17  * sipa just implements
12:17 < adam3us> hm2: a different privacy model, where the only people who see who is paying who and how much are the people in the history of the payment (not the public at large)
12:21 < HM2> sipa, it's better for your sanity i'm sure
12:26 < adam3us> someone who knows something about hashes, trees, and tries ought to do something about bitcoin scalability; something concrete like a bip and an implementation
12:27 < adam3us> if bitcoin doesnt scale people will do something stupid offchain eg centralized micropayments with trust me bitcoin backing and when dust reaches $10k all bitcoin transactions will be offchain
12:27 < adam3us> that would be a very rubbish end to bitcoin ecash
12:33 < adam3us> you've got to wonder if accumulators could help also rather than trees, gives a kind of commutative hash tree so it can be rebalanced without changing the root hash
12:35 < sipa> hash(sort([h0,h1]))
12:36 < sipa> ha:
12:36 < adam3us> sipa: thats the effect you'd get but without the sort implication of needing the serializations available
12:36 < sipa> Please remember - don't hoard TestNet coins or try to sell them. TestNet coins are worthless, but useful. They are useful because they are worthless. If you will add value to them, they will be useless, therefore worthless.
12:37 < adam3us> sipa: lol
12:37 < sipa> (from
12:37 < adam3us> sipa: a(h1,h2)=a(h2,h1) and a(h1,a(h2,h3)) = a(a(h1,h2),h3) etc
12:38 < adam3us> sipa: and what more you can prove hn is in the tree in O(1) space and work rather than O(log2(n)), thats the real bonus
12:38 < sipa> over my head :)
12:39 < sipa> anyone has a testnet address and wants some coins? i need a test
12:39 < HM2> i wonder if anyone's managed to trick anyone into buying testnet coins thinking they're mainnet coins
12:41 < adam3us> sipa: its simple really; just a=g^h1 mod n and to add another hash a2=a^h2 = g^(h1*h2) and repeat user2 can keep g^(h1*h3) (ie with h2 missing) then user 2 proves he's in the accumulator by showing A'=g^(h1*h3)^h2 == A ie A'^h2 = A
12:41 < sipa> oh
12:41 < adam3us> sipa: it only works because its in an RSA group so you cant compute 1/h1 its mod phi(n) which no one knows
12:41 < HM2> except bruce schneier
12:41 < sipa> got it
12:42 < K1773R> sipa: mz1iravK75FhNCyinytJhNCVqxmhFddohn
12:42 < sipa> bruce schneier can recite pi backwards
12:42 < HM2> ;)
12:42 < adam3us> hm2: is this the bruce schneier = crypto chuck norris meme :)
12:42 < adam3us> hm2: he does look a bit like norris
12:43 < HM2> except politically more agreeable
13:03 < adam3us> amiller: about byzantine general and Aspnes et al "exposing computationally challenged byzantine impostors" it occurs to me that bitcoin should not actually need to quite solve the byzantine general problem
13:04 < adam3us> amiller: because you dont really care which tx is first from a set of double spends, just that one is chosen, even at random; maybe that leaves some scope for improvement over the general version of the problem where they actually want to know the correct answer
13:18 < maaku> adam3us: i'm working on the hash-trie thing
13:18 < maaku> and yes, we need it for scalability, especially an address/script indexed tree
13:19 < sipa> that makes non-anonymous non-validating wallets that only maintain a balance and no transaction history indeed scale easily
13:21 < sipa> and with an txid-indexed index, allows validating clients to skip replaying history, assuming they trust it in an SPV way
13:24 < maaku> well, they can validate backwards from the current set, allowing a choice of security in the spectrum between SPV+ and full
13:25 < sipa> if undo data is available over the network, yes
13:27 < amiller> adam3us, so yeah the standard byzantine consensus requires a property like Unanimity, which says the thing chosen is the *one everyone wants* in some sense, but there are a variety of different options people commonly use
13:27 < amiller> one is that it only matters if everyone begins wanting the same thing
13:27 < amiller> another is that it only matters if there are no faults and everyone is honest
13:27 < amiller> another is that the chosen one with high probability has to be close to the plurality
13:28 < amiller> what it means for bitcoin is that if you allow the adversary to always influence the block
13:28 < amiller> a block with no tx's in it is a valid block
13:28 < amiller> so just consensus without some unanimity-like condition would mean you couldn't get a transaction included
13:28 < amiller> something that's bugging me is this concept of, what if you had a transaction that could only be accepted on an even 1000th block
13:29 < amiller> should bitcoin guarantee that you'll get it in quickly?
13:29 < amiller> if the (sub-50%) attacker gets to influence one out of a thousand blocks like that then it could keep that pathological transaction from even getting in
13:54 < maaku> sipa: I suggest commitment of undo blocks in addition to hash roots
13:54 < maaku> and, eventually, some way of querying that data over the network
14:05 < maaku> amiller: I would think that pathological case is the user's fault
14:10 < adam3us> amiller: so what about if the vote is just which transaction is included not whether a tx is included
14:11 < amiller> well there's that edge case where like, you basically can never prove someone *didn't* hear something
14:11 < adam3us> amiller: eg you mine on your own public key to gain voting rights and reward (as a miner) then you exercise those voting rights to say which transactions u like and if there are any dups the highest or the lowest wins
14:11 < amiller> so bitcoin's design is very tolerant of miners pretending they didn't hear a transaction
14:11 < amiller> you never get misbehavior for ignoring a message or playing dumb and not being aware of a tx, etc
14:12 < adam3us> amiller: yes but if the vote is which you like or prefer if there is a dup, an absence of a vote is an abstention, not a dislike
14:12 < adam3us> amiller: attackers can abstain all they like (in fact they're encouraged to)
14:13 < amiller> well if everyone includes all the transactions they've heard...
14:13 < amiller> i dunno, this is tricky, but basically even in the reference client there's miner policy about which valid transactions to include, sort by fee/priority etc
14:13 < amiller> so you don't get your transaction in if the miners are all too full and they like others better than yours
14:14 < adam3us> amiller: i believe its only because of the one-true-chain model to making near 50% attacks difficult (to eventually chose a winning fork if there is a simultaneous block)
14:15 < adam3us> amiller: yes but the concept of a single block as a unified winner is due to a random winner taking 100% of vote
14:17 < adam3us> amiller: if multiple people can vote its more like proportional representation, and all non-dup tx are in by default; and which dup is used is based on the highest (or lowest) voted dup... the vote is mostly for avoiding dups
14:18 < adam3us> amiller: and it doesnt even matter which dup to use, just a random one will do fine (even one chosen by the attacker)
14:19 < amiller> are you saying you'd merge votes
14:19 < amiller> like if i cast 1 vote for {A,B} and you cast 1 vote for {B,C} then that counts as 2 votes for {A,B,C}?
14:20 < adam3us> well the idea is include anything that is not a dup
14:20 < adam3us> so the vote is irrelevant unless there is a dup
14:21 < adam3us> if there is a space limitation take the n highest voted until you're full
14:21 < adam3us> it does have to be somehow consistently serialized however which is the hard part
14:24 < adam3us> adam3us: its only if there are votes (A,B1) and (A,B2) and (B3,C) you need to use the votes to see which of B1,B2,B3 triple spend to use
14:26 < adam3us> adam3us: hypothetically say voting rights are accumulated in one round, to be used during the next round to arbitrate which blocks to include; the hard part is to consistently arrive at the same view of transactions and votes everywhere; maybe the guy who wins the block reward, gets to define the serialization but must provide the vote proofs to justify his decision, or his block serialization is defined as invalid
14:29 < adam3us> amiller: "well there's that edge case where like, you basically can never prove someone *didn't* hear something" well if its in a trie or sorted binary tree you can efficiently prove he received it or not
14:30 < adam3us> amiller: and if you use committed transactions the miners and voters dont know what they're voting on as the sender, recipient and amount is hidden; then all attacks degenerate to random DoS or blocking all tx but their own
14:35 < adam3us> committed transactions description is
14:37 < amiller> well committed transaction doesn't mean the transaction is valid
14:37 < adam3us> it does mean its not double spent however
14:37 < amiller> i think i would like the most if you were able to accept zero knowledge proofs of validity without having to learn anything else about the transaction
14:37 < adam3us> which is bitcoins main challenge
14:38 < adam3us> (the users validate the value from the spend history)
14:38 < adam3us> (which is not particularly spv friendly but there you go, maybe maaku & tries could help that)
12:23 < adam3us> jtimon: the firewall is its not plausible for bitcoin main to consider accepting transfers back from a side chain (2-way peg) unless there is assurance that fraud or security bugs on the side chain can cause holders of bitcoin main coins to be diluted or lose btc
12:23 < jtimon> petertodd: another is demurrage BUT why would you expect not to have any in-chain transactions? off-chain transactions cannot be p2p currencies
12:23 < adam3us> jtimon: /can/can not/.  fortunately that seems possible to assure, hence 2-way peg excitement
12:23 < petertodd> Keep in mind, it's not that I disagree with TD's hope's of people playing nice, it's that if you're depending on that you've got a system with much weaker security guarantees than one that doesn't need honesty.
12:24 < petertodd> jtimon: why pay for an on-chain tx when an off-chain one works well enough? it's simple, less demand for on-chain tx's means less fees, and thus less security
12:25 < adam3us> petertodd: yes.  i think 51/33% attacks, incentive in btc main, and merge mined alt & sidechains is far from a done thing.  R&D community need to figure out the optimal game-theory and protocol strategies
12:25 < jtimon> petertodd: if an off-chain system has all the properties bitcoin has, why should we fight to maintain a less efficient system?
12:25 < petertodd> jtimon: e.g. suppose fairly secure DRM w/ remote attestation was being shipped to consumers: you can easily turn that into a pretty good off-chain tx system with pretty good security that will get used a lot. That'll take a lot of money away from miners, reducing the security of the underlying system.
12:25 < petertodd> jtimon: because plausible off-chain tx systems *require* bitcoin to exist under the hood
12:26 < adam3us> jtimon: in this side-chain model bitcoin main is the sole home of reward mining.  its the hub at the center.
12:26 < petertodd> jtimon: without bitcoin they don't work
12:26 < jtimon> DRM needs proprietary software, which means we can't trust it
12:26 < jtimon> proprietary soft/hardware
12:26 < petertodd> jtimon: so what? trust isn't a binary thing
12:27 < jtimon> oh, I see "because plausible off-chain tx systems *require* bitcoin to exist under the hood" this is what I was missing
12:27 < petertodd> jtimon: if I can trust it *enough* I can use it for less valuable payments and save the more expensive on-chain tx's for more valuable stuff
12:27 < jtimon> freimarkets private blockchains don't need public chains to work
12:27 < petertodd> and if bitcoin still exists, I can use techniques like fidelity bonds to make cracking the DRM system a lot less attractive
12:27 < adam3us> petertodd: there's a guy making offline bitcoin stuff using TPM cards that are microsd sized (via encrypted exchange of private keys) some people seem to be excited enuf to be making him non-trivial btc donations
12:27 < jtimon> they can just interoperate with them
12:28 < adam3us> jtimon: is it drazan?
12:28 < jtimon> of course they don't have all the properties bitcoin has
12:28 < petertodd> adam3us: indeed, I'm thinking of buying a pair to support him
12:29 < adam3us> jtimon: drazvan
12:29 < adam3us> jtimon: its kind of cool.  not secure at the limit, but maybe it works for low value offline tx.  its only the users that lose if it goes wrong, not online btc holders
12:29 < jtimon> so your concern is that off-chain systems relying on bitcoin are so useful that nobody uses in-chain transactions
12:30 < petertodd> jtimon: doesn't have to be "nobody", just has to be sufficiently less demand for on-chain that total fees doesn't pay for enough security
12:31 < jtimon> well, since I'm not against credit, I'm fine if people use other-things-than-bitcoin offline, so these kind of things don't excite me that much, I haven't read the thread yet though
12:31 < adam3us> petertodd: or maybe some trust/certification/ripple stuff sneaks in and mining contribution is reduced
12:32 < jtimon> petertodd I tend to worry more about "too much security" in the chain than about "too little of it"
12:32 < petertodd> my rough guess is something like 0.1% to 1% of the total value of all Bitcoins should go to PoW security per year. Satoshi should have let that happen with either never-ending inflation, or better yet, explicit demurrage. Doing mining that way gives a very simple and stable security guarantee, and importantly works regardless of how many on-chain tx's are done.
12:32 < adam3us> jtimon: they are bitcoins, just transferred by encrypted exchange of private keys, in the model that the user doesnt know the private key and the TPM microsd card wont give it to them (or more accurately tries to prevent cloning, you can load and unload them)
12:32 < petertodd> jtimon: "too much" just means you're wasting money - not a big deal.
12:32 < petertodd> jtimon: too little and some malicious 51% attacker destroys the whole system and we're fucked - big deal
12:32 < adam3us> petertodd: but he should do NFC or QR code, not SMS :(
12:32 < petertodd> jtimon: 0.1% to 1% are pretty low numbers that can be ignored as "rounding errors"
12:33 < petertodd> adam3us: isn't that just a software detail? the hardware itself isn't what does SMS
12:33 < adam3us> petertodd: sure
12:33 < jtimon> maybe I'm too hippy or something, too much you're wasting resources, destroying more nature than you need and all that
12:33 < adam3us> petertodd: nfc/qr = network privacy. sms=privacy leak.
12:34 < petertodd> jtimon: well, meh :) I'm sure conventional transaction systems tend to spend at least similar amounts of money per year on security, likely usually much more than that
12:34 < petertodd> jtimon: I mean, hell, I'm sure with credit cards the numbers are about that *per transaction*
12:34 < jtimon> well, I'm pretty sure 2PC ripple doesn't waste more resources than it needs
12:34 < petertodd> jtimon: wastes a lot of human brainpower on person-to-person trust relationships
12:35 < jtimon> credit cards need to feed fat cats, thus their high fees, but that's another story
12:35 < petertodd> jtimon: that's a shitty way to talk about the situation and makes you sound like an occupy activist
12:36 < jtimon> petertodd I disagree on that I don't have to think a lot when a friend of mine wants to borrow 10 eur
12:36 < petertodd> jtimon: well I think you're dead wrong there :)
12:37 < petertodd> more to the point, if you can only borrow 10 eur from each friend, then actually using ripple for any large tx gets tough
12:38 < jtimon> whatever, I can say it more correctly but it's just takes longer
12:38 < jtimon> was just laziness
12:38 < jtimon> credit cards are a very inefficient system for multiple reasons, I was talking about efficient systems like @PC Ripple
12:38 < jtimon> 2PC
12:38 < jtimon> petertodd: you see I believe in both counterpartyless money and credit monies complementing each other
12:40 < jtimon> to me, people that plainly reject credit as an exchange tool often sound like braindead cultist goldbugs
12:40 < jtimon> just like people plainly rejecting counterpartyless money and only accepting mutual credit sound like fanatic
12:40 < petertodd> jtimon: You see, I believe in "This Bitcoin thing just requires me to install an app on my phone. This ripple thing requires me to dick around convincing my friends to extend credit relationships to me and sounds like a shit-load of work."
12:40 < jtimon> that's just to me
12:41 < petertodd> jtimon: "Also, it's gonna be really awkward to turn down Bob because of his gambling problem."
12:41 < jtimon> petertodd: organizing a network of mutual credit local currencies is even more work
12:41 < petertodd> jtimon: "Nice guy, but still hasn't paid me back that $1000 I gave him when he got fired three years ago and needed to pay rent."
12:41 < petertodd> jtimon: "But I'd rather not bring that up again...."
12:42 < jtimon> I agree that a ripple-like network has harder critical mass problem than bitcoin
12:42 < petertodd> jtimon: Meh, software can do that automatically, and more likely we'll have schemes where the exchange rates don't float.
12:42 < petertodd> jtimon: It's orders of magnitude harder.
12:43 < jtimon> luckily it can start with other currencies like backed currencies, bonds, coupons, shares...
12:44 < petertodd> it's totally irrelevant what currency ripple works on, the problem is the social dynamics of it
12:44 < jtimon> maybe it never goes beyond that, but I think coupons can be more important than many expect in the future
12:45 < jtimon> if you have a pub and people accept some of your "I owe you a beer at my pub" currency, why wouldn't you do that?
12:46 < petertodd> *if* people accept it
12:46 < petertodd> if they don't, then you've put a lot of effort into a system that never got used
12:47 < jtimon> mutual credit is widely used right now
12:47 < jtimon> much more than you think
12:48 < jtimon> I just want to give these systems a platform to securely inter-operate
12:48 < petertodd> I know, it's why I've said before that ripple is much more likely to catch on for b2b transactions given that 30-day-credit relationships are extremely common
12:49 < petertodd> but fundamentally you have to ask why you would use the ripple *technology* to manage those relationships? if transaction fees are sufficiently low, there isn't necessarily a compelling reason to bother
12:49 < jtimon> yeah, b2b, so called "barter networks" (they're really just another currency), coupons, local currencies...
12:50 < jtimon> to interoperate with others
12:50 < jtimon> to be able to pay with your spanish local currency in germany
12:50 < petertodd> well, again, what does ripple bring to the table? the ability to do cut-thru credit relationships, what does that do for you? potentially reduces transaction fees
12:50 < petertodd> if fees are low enough, why bother?
12:50 < jtimon> you just need a market path from the spanish local currency to the germany one
09:48 < adam3us> sipa, gmaxwell: so maybe there is a way to force the brute force to work on full preimage and not birthday via the structure of the p2sh calculation
09:49 < gmaxwell> adam3us: sure, you can make life linearly harder by using a 'vanity p2sh address'.
09:50 < adam3us> gmaxwell: as is its yet-another-consideration for the catalog of how-to safely use things (eg dont use p2sh for hashlock)
09:51 < gmaxwell> adam3us: I don't think you can say don't use p2sh for hashlock. But, certainly, you should understand the tradeoffs.
09:52 < adam3us> adam3us: yes, its another place to think about the use-case and think is it strong enough for the time-frame what are the incentives; i think its nicer to say its bullet-proof, knock yourself out for a building block
09:52 < gmaxwell> e.g. if you make the guy that will provide H(x) for the hashlock do so before the public key(s) in the hashlock script are generated, then he can't search for a p2sh.
09:53 < adam3us> gmaxwell: are you sure? the network doesnt care what you agreed offchain, just that the spender can provide s' st AH(s') = addr, and provide inputs that make s' return true
09:54 < adam3us> gmaxwell: so that only applies to inputs already on the blockchain (i think coinswap does 4 block chain tx, so that maybe the case)
09:55 < adam3us> gmaxwell: eg lets say p2sh = RIPEMD160-128(y=SHA256(s))||y[0..31]
09:55 < adam3us> 128-bit truncate, and expose 32 bits from the inner hash
09:56 < adam3us> gmaxwell: not thought hard about it but that might screw over the birthday attack... that kind of direction anyway
09:56 < adam3us> gmaxwell: otherwise just 256-bit script hash fixes...
09:56 < gmaxwell> adam3us: You are going to pay to   {something} + preimage of HX.    You are concerned that if the provider of HX gives you the p2sh address for "{something} + preimage of HX" he'll know another p2sh script that lets him redeem without revealing HX.
09:57 < gmaxwell> adam3us: if you say "Tell me HX, I'll tell you the {something} and we'll use that" then the attack doesn't exist.
09:57 < gmaxwell> (under that kind of protocol, at least)
09:57 < adam3us> gmaxwell: i guess HX better be 256-bit hash output also (yes)
09:58 < adam3us> gmaxwell: err no its irrelevant for hashlock if the committer knows two preimages: if either is shown, the other party can unlock with it...
09:58 < gmaxwell> adam3us: doesn't actually matter!
09:58 < gmaxwell> yep.
09:58 < adam3us> gmaxwell: right
09:59 < gmaxwell> well for hash interlock, it matters for some other things.
09:59 < gmaxwell> E.g. it matters for this one:
10:04 < adam3us> gmaxwell: btw i think the above p2sh = RIPEMD160-128(y=SHA256(s))||y[0..31] doesnt work; probably just screen for 32-bit match then O(2^32)*O(2^64)=O(2^80), the only solution i see is a bigger hash
10:05 < adam3us> maybe you can create for similar cost two public keys Q, Q' AH(Q)=AH(Q') and do some mischief to some other script assumptions, eg an expensive way to create signature malleability
10:10 < gmaxwell> adam3us: yea, thats what I meant by a linear cost increase by using a vanity address. Cute idea to use inner agreement.
10:12 < adam3us> gmaxwell: if you revealed RIPE160(y=SHA256(s))||y[0..31] i think that'd do the trick :) and actually its smaller than using 256-bit output
10:13 < adam3us> gmaxwell: (right idea, wrong parameters a few up)
10:14 < adam3us> gmaxwell: kind of like a 2nd, inner, address checksum
10:55 < adam3us> gmaxwell: about coinSwap you mentioned blind sigs but is that necessary?  if each user connects using tor to submit the new address he'd like, and then all users only sign the n of n if their undisclosed but self-chosen address is in the output?
10:59 < adam3us> gmaxwell: starting to have doubts about RIPE160(y=SHA256(s))||y[0..31] isnt that a blackbox 196-bit hash and so attackable with O(2^88).. ignoring the validation method (to check last 32-bits are coming from the inner hash) - its generically