--- Log opened Thu Nov 14 00:00:35 2013
00:26 < nanotube> wonder if anyone has seen the protoshares pow scheme. https://bitcointalk.org/index.php?topic=325261.0
00:27 < gmaxwell> nanotube: this is the 3rd (or 4th) POW scheme from those same people whose pow I eviscerated before.
00:28 < gmaxwell> Sadly they didn't get the memo I was trying to give them which was: stop coming up with novel cryptographic things out of your rear end where you don't really need them.
00:29 < gmaxwell> I think PT cut down their 3rd generation one.
00:30 < nanotube> hehe ic
00:30 < gmaxwell> I regret telling them about the first, would have been more fun to just exploit it in production. oh well.
00:31 < gmaxwell> I'd hoped that they'd actually believe me that it's hard to get this stuff right.
00:31 < nanotube> hah well, now you know better, and can do that with their fourth.
00:32 < gmaxwell> well, the first was ... basically riddle grade. Just hard enough to be enjoyable to break but not actually hard.
00:33 < gmaxwell> with enough iterations it would actually be work to break.
00:33 < gmaxwell> but its just goofy, they haven't gained any useful properties over scrypt, and scrypt has security proofs that have been reasonably well reviewed.
00:44 < warren> where's the URL for petertodd's MMR proposal?
00:56 < Luke-Jr> gmaxwell: isn't theirs actually a POW algo?
01:48 < gmaxwell> https://bitcointalk.org/index.php?topic=333487.0
01:48 < gmaxwell> couple thousand btc will pay for a lot of transaction fees.
03:42 < petertodd> gmaxwell: oh, and I misunderstood what you said re: scorched earth: it's actually not an issue for the other parties to the coinjoin, because the scorched earth spend just means the original tx is even more likely to be mined - only the funds going to the merchant can be turned into fees. The real issues are more complex than that
03:43 < petertodd> gmaxwell: for instance, suppose the coinjoin is the double-spend...
03:43 < gmaxwell> petertodd: no consider
03:43 < gmaxwell> you are a merchant.
03:43 < gmaxwell> I want to pay you. I am honest. I coinjoin with alice. Alice is paying someone else.
03:44 < gmaxwell> Alice is not honest.
03:44 < gmaxwell> Alice double spends her coin, paying to another party. The double spend does not pay you.
03:44 < gmaxwell> You do scorched earth. Sending my payment to you to the miners.
03:44 < gmaxwell> Now everyone is unhappy except the person alice was trying to rip off.
03:45 < gmaxwell> this happens because you didn't know that my contribution to you wasn't being double spent, only alices input to the join which was irrelevant to you was.
03:45 < Luke-Jr> oh crap
03:46 < Luke-Jr> gmaxwell: payment protocol beats it?
03:46 < Luke-Jr> then the merchant has an isolated transaction to refer to
03:47 < gmaxwell> yea, if you can tell the merchant whats up— even give him a non-cj'ed spend of that input to sit on.. things are happy.
03:47 < Luke-Jr> "ok, my original transaction is still valid with this double-spend; I'll hold off"
03:47 < Luke-Jr> (and broadcast the isolated tx obviously)
03:48 < gmaxwell> And likewise, scorched earth is only applicable for things where the receiver would be pissed about an unconfirmed doublespend.
03:48 < gmaxwell> Its not unsolvable, but its an unfortunate complication.
03:48 < petertodd> gmaxwell: yeah, I wrote on the forum about how the payment protocol re: coinjoin should work where you actually give the merchant a non-coinjoin, and coinjoin, version of the tx
03:49 < gmaxwell> it makes me think that perhaps there really should be a signal which says "I swear on my mothers grave that I will not doublespend this transaction {within x time}"
03:49 < gmaxwell> since there are plenty of cases where doublespends are totally legit, and you don't want unconfirmed acceptance in any case.
03:50 < gmaxwell> and also cases where you want unconfirmed acceptance and any doublespend is fraud.
03:50 < petertodd> heh, well, like I say, you give the merchant the non-CJ version, the CJ version, and heck, in some cases even more versions because you've done multiple payments in a row and don't know what will get mined
03:50 < gmaxwell> and its only in the latter where scorched earth is the right strategy.
03:50 < gmaxwell> sure.
03:51 < petertodd> thing is, scorched earth has even more requirements, because the sending tx has to be basically minimal size, so that the sender can't double-spend it with a *smaller* tx
03:56 < Luke-Jr> do C++ or boost have a key-only map type?
03:56 < petertodd> Luke-Jr: you mean a set?
03:56 < Luke-Jr> maybe
03:57 < Luke-Jr> unordered set?
03:57 < petertodd> could be? not familiar with boost
03:58 < Luke-Jr> petertodd: looks like these are both standard C++, thanks
03:58 < Luke-Jr> although.. C++11
04:01 < gmaxwell> Luke-Jr: we use stl sets in various places in the codebase.
04:01 < Luke-Jr> but not unordered
04:01 < petertodd> Luke-Jr: does it matter?
04:01 < Luke-Jr> shrug
04:01 < Luke-Jr> I'll use unordered and see if anyone complains XD
04:02 < petertodd> behind the scenes sets get implemented in an ordered fashion often
04:03 < gmaxwell> Luke-Jr: ordered is fine here, they're not in insertion order, they're in whatever search order (based on the comparator of the underlying type) the datastructure needs to make lookups fast.
04:04 < Luke-Jr> I guess I assume std::set is going to be slower than std::unordered_set..
04:04 < petertodd> Luke-Jr: often enough it's all trees behind the scenes anyway...
04:05 < petertodd> Luke-Jr: with C++ that's quite likely because there's no obj.__hash__() like in Python
04:06 < gmaxwell> petertodd: there is actually a generic hash template thing.
04:06 < gmaxwell> petertodd: and I think the unordered set template needs it to work on your type.
04:07 < petertodd> gmaxwell: oh cool, guess I'm wrong
04:19 < Luke-Jr> well, my compiler doesn't have it :<
04:20 * Luke-Jr can't wait for autoconf_pt3 to get merged so the warning on every compile goes away
05:06 < adam3us> y'know the aim of bytemaster birthday hash is amusing - i briefly looked at it in 1997 for hashcash, i actually started my thought process by looking at birthday hashes, but that lasted all of 10min :); it is not progress free so cant fairly be used in a first past the post race
05:07 < adam3us> (his aim is to have fast verify (3 hashes, though he could've easily done it with 2) and yet memory hardness - however he has killed progress freedom, and other more simple issues)
05:09 < adam3us> so its not quite true that it doesnt achieve anything that scrypt does - it achieves memoryless verification, however it has tmto with n^2 advantage, and progress so its broken
05:10 < adam3us> also because of the n^2 advantage custom hardware could dominate it way worse than asic, triple fail :)
05:10 < gmaxwell> adam3us: Their earlier stuff was not a collision problem, I wasn't aware that they switched to that in their latest incarnation as their response on the first one I broke convinced me to never look at their stuff again.
05:11 < gmaxwell> and yea, we had a conversation at collision's for memory hardness in here before, and indeed the advantage for faster miners was brought up, also that you can eliminate the memory hardness with a tradeoff for more computation.
05:11 < adam3us> gmaxwell: someone mining pts got me to look at it
05:11 < adam3us> gmaxwell: yes the problem is the n^2 advantage for memory
05:12 < adam3us> gmaxwell: and the progress, and the tmto they mistakenly thought didnt exist
05:15 < adam3us> u can see it someone using 50 GHz cores (cores x ghz) got bday 180H/min, vs 30 Ghz cores got 50H/min -fast enough processor, for RAM
05:15 < sipa> adam3us: i cannot parse your last sentence
05:16 < adam3us> sipa: because its birthday attack, if your cpus can fill your RAM within the 5mins block interval, the more ram you have the more birthday hashrate n^2 to amount of ram
05:18 < adam3us> what its computing i think is H(cb, a) for random a, coinbase cb; where H finds a 26-bit hashcash (like bitcoin but small difficulty as a pre-screen)
05:18 < adam3us> then they store those values (h1,...h_n) = {H(cb,a),H(cb,b),...}
05:19 < adam3us> and look for 50bit birthday collisions on h_i values, (using a hashtable rather than memory scan)
05:20 < adam3us> finally for each H(cb,a)==H(cb,b) the test if H(cb,a,b) < target
05:21 < adam3us> (the code i found unreadable, the paper vague and stale... talking about scrypt and other ideas; its actually using hashcash-sha512-26 ie partial preimage with 26-bits of leading 0 using sha512 hash function)
05:21 < gmaxwell> adam3us: if you have super fast logic but gates for memory are costly you can also run near memoryless (like pollard rho w/ period finding), so if you really believe the argument that needing lots of memory is a great enhancement, well, not so much.
05:21 < adam3us> for the H function
05:22 < adam3us> gmaxwell: yes i agree - i said 3 problems, tmto (2 types actually), progress, and n^2 memory advantage
05:23 < gmaxwell> but besides that it's awesome!
05:23 < adam3us> the other tmto is to use a hashtable which is unreliable but more compact
05:23 < adam3us> gmaxwell: lets not mince words - its triply broken :)
05:23 < gmaxwell> I hadn't decoded tmto to time memory trade off for some reason.
05:24 < gmaxwell> I'm waiting for them to think you can use hamming distance instead of prefix matching to prevent that.
05:24 < adam3us> gmaxwell: but the usual cycle method doesnt work i think on partial birthday, only on full birthday, because the cycled finds are almost certainly of unrelated values
05:24 < gmaxwell> (you can't)
05:25 < gmaxwell> adam3us: sure it does, you just need a function that reads only from the partial chunk for the next step.
05:25 < gmaxwell> (whats even more awesome is you can make this work well for hamming distinct thresholds too... with some mild complication)
05:26 < adam3us> gmaxwell: i dont think so, some proposed the cycle method on the bitshares forum and it got shot down (not that they know much), but I dont think you can define a meaningful cycle
05:27 < adam3us> gmaxwell: he was forced to pay out his $5000 bounty to forum people, i held off saying anything :)
05:28 < adam3us> (mostly for the unreliable hashtable so it fits in gpu unit L2 cache)
05:28 < gmaxwell> well I haven't looked at their thing, but this does generally work for finding n-bit prefix matches in hash functions. There is a paper I like on it that also goes into the hamming threshold case.
05:30 < adam3us> gmaxwell: its possible i am wrong but what i am thinking is if you find cycle one of r_1, ... r_k, ... and another cycle r'_1,... r'_k the problem i see is that r_{k-1} is unrelated to r'_{k-1} and so on
05:30 < adam3us> (where r_k == r'_k)
05:34 < adam3us> the objective isnt stupid though - i thought of that too - to find an scrypt variant where you can verify without memory. i believe its challenging without introducing progress
06:31 < adam3us> btw TD: something else wrong with uploading batches of deterministic addresses, they are uncertified. the payment protocol certifies them, but with an SSL key in server memory. Obvious attack point
06:35 < adam3us> TD: if the base address is static it can be certified by an offline X509 key, or simply verified with out of band static information
06:42 < TD> no
06:42 < TD> the payment protocol does not specify any kind of "server" or "client". whoever generates the payment request can sign it. SSL or not is irrelevant.
06:42 < TD> so if you have a private key, your wallet would just upload pre-signed payment requests
06:42 < TD> however most individuals do not have a certificate. so, i suspect we'll end up with a different PKI for end users.
06:42 < TD> (and to start with, none at all)
07:23 < adam3us> TD: i imagine any business web site accepting payments has an x509 cert (for SSL associated with the server domain), so if they bother to sign the payment requests, they would probably reuse the one they already have. you are right though that they could sign it with an x509 email cert, or a sub-domain cert
07:23 < TD> yes, business websites don't need to batch upload anything. they can generate them on the fly with the ssl key indeed. sorry i thought we were still talking about personal usage
07:23 < adam3us> TD: but there may be expectation issues - surely the relying party should expect a signature from bobsparts.com, not from bob@hotmail.com
07:25 < adam3us> TD: yes. i am not saying i have a solution, eg the bloombait so far seems to likely have issues but will see what it can do; however at requirements level mostly i am saying it would be nice if were static, then it could be on a business card, brochure, shop window, with zero possibility for web site hacking address redirection
07:26 < TD> people can have their wallets be compromised as well. then it's impossible to recover
07:26 < adam3us> TD: (because signing with the site SSL key is also vulnerable to address hacking)
07:26 < TD> if a web site gets hacked, it can be re-sealed
07:26 < TD> if your addresses become compromised and they are on business cards, etc, you're hosed
07:26 < adam3us> TD: well they either need cold wallets, or air gapped armory-style deterministic wallets
07:27 < adam3us> TD: yes. it would only make sense to publish a static address really with an offline wallet for the disaster recovery reason you gave
09:07 < phantomcircuit> TD, that's a good point
09:24 < adam3us> phantomcircuit, TD: i guess the certification model extends the other way also: if you put on your biz card the master offline business/user identity pub key address, you could have the blockchain timestamp the signed subwallet deterministic address, as an analog to certificate transparency in x509 world, and ask any full node for SPV validation this identitys address.
09:25 < TD> i'm much more interested in ways to link keys/payreqs to social networks
09:25 < TD> as that is what people seem to use these days
09:26 < adam3us> phantomcircuit, TD: kind of complicated however. ideally you want to be able to support scenarios where the wallet is offline, but connected to the network via the merchant only, without them getting ripped off via the unspecified change
09:26 < TD> i mean even email seems to be in its death throes for a lot of people
09:26 < TD> the number of times i try to email someone and discover their entire online presence exists only on various social networks or via stupid online forms is .... irritating
09:26 < TD> twitter is not a replacement for a public, non-obfuscated email address!
09:26 < TD> but this is the trend of our times
09:26 < phantomcircuit> TD, people or companies?
09:26 < adam3us> TD: i share your frustrations :)
09:27 < TD> people
09:27 < phantomcircuit> TD, bizarre
09:27 < TD> companies still use it as much as ever, AFAICT
09:27 < TD> email is still the best for "serious" communication
09:27 < adam3us> there maybe some aspect of scale - if you are going to wire a company a lot of money, you want to be sure you have the right address/account number in this analog
09:27 < phantomcircuit> TD, personally i avoid email for company <-> customer communication as much as possible
09:27 < TD> but a lot of people don't really engage in a lot of serious conversation online. it's all short messages and social networks are better for that
09:27 < phantomcircuit> it's enormously difficult to keep straight who you're dealing with
09:28 < adam3us> TD: i just engaged in some research q about hashcash for udp/ip anti-DoS with a fellow who seemed to want to do it over twitter; twitter even dropped msgs, lots of them, so i had to go search for them
09:28 < TD> ugh
09:29 < TD> yeah i can't believe anyone wants to use twitter for anything approximating work. but now i feel like i'm getting old and i'm not yet 30
09:29 < TD> some years ago the gmail team did a lot of research that scared the crap out of the entire division
09:29 < TD> it basically said that an entire generation didn't use email at all. period.
09:29 < TD> the only reason they had an email address was to register at sites
09:29 < TD> and/or because their university/school insisted on one
09:29 < adam3us> TD: I mean i recognize the guys handle he's been on cpunks for years, and i believe he's highly competent in host security circles, but holy moly that is not a topic for twitter
09:29 < TD> it had been 100% killed by facebook
09:29 < TD> now facebook is getting killed by WhatsApp
09:30 < TD> so, trying to keep up with how people organise and communicate is a waste of time. much better to find a way to be general about this and coattail it
09:30 < TD> hence my interest in steganographically encoding short URLs where you can find a payreq into profile pictures
09:31 < TD> that's one thing all these mediums have in common (er, except email, but email has attachments)
09:31 < phantomcircuit> TD, gotta love whatsapp's security
09:31 < TD> "startup code". though i think they improved it since
09:31 < phantomcircuit> lol duplex rc4 streams with the same key
09:31 < adam3us> TD, sipa: btw re discussion yesterday about why people are confused that an address is static, i presume you may've come across living in zurich, with swiss private banks if you ask for a private payment, they send the transfer only with a transaction number, not a sending account number - its rather similar to bitcoin, but most people dont know about that or how it works
09:32 < phantomcircuit> adam3us, it would probably be easier to explain to people as a single use credit card number but for the merchant
09:32 < phantomcircuit> (maybe)
09:33 < adam3us> phantomcircuit: yes that is a good analog, just amused me that in some ways bitcoin addresses are a reinvention of swiss banking privacy technique, one use transaction numbers in place of accounts
09:34 < TD> heck i live in switzerland and have never encountered that
09:34 < TD> swiss banks are like any other bank as far as I can see. except, reasonably competent
09:34 < TD> (in terms of their user-facing stuff)
09:34 < TD> (not their investment decisions)
09:34 < BlueMatt> or their signup requirements for americans.....
09:34 < adam3us> TD: you'd have to request it, see people with swiss private bank accounts are sensitive about other people learning their account number
09:36 < TD> well that's not their fault
09:36 < TD> anyway their signup requirements are mostly very simple. "you cannot be american". doesn't get simpler than that!
09:36 < BlueMatt> heh
09:36 < phantomcircuit> TD, well you can be american, but you have to basically allow them to give your entire account history to anybody who asks for it
09:37 < phantomcircuit> also you need lots of money
09:37 < BlueMatt> (and prove residency)
09:37 < TD> no quite a few banks just forbid US citizens period
09:37 < TD> some will do it and handle the requirements yes
09:37 < phantomcircuit> TD, those bans are always dependent on how much you want to deposit
09:37 < adam3us> btw Ian Grigg/systemics with their sox protocol ran for a time a payments server demo with one-use, or user-controlled creation of multiple account numbers. he was the guy who also operated egolds transaction server under contract somewhere in the caribbean - its analogous to the swiss private banking privacy model, and the bitcoin model
09:38 < adam3us> phantomcircuit: $500k min deposit i think
09:39 < phantomcircuit> adam3us, yeah i guess
09:39 < phantomcircuit> but i dont see why anybody would bother unless they actually lived in .ch
09:39 < adam3us> Ian Grigg actually wanted to use chaum/brands signing but couldnt get a license due to the chaum patent getting locked up in a patent holding company and other similar issues
09:41 < adam3us> phantomcircuit: well its private is the point (financial privacy) and .ch has some nice AAA rated banks (the US doesnt have any) also if you live in spain, cyprus, much of europe its a great way to avoid getting an involuntary depositor haircut
09:41 < phantomcircuit> adam3us, for a us citizen there isn't really much more privacy
09:42 < phantomcircuit> so really what you're getting is a competent bank in the .eu
09:42 < adam3us> phantomcircuit: its orthogonal from taxes - you have to declare it or get taxed anyway if you have a european passport also. there is also asset protection. they do not seize funds without a swiss court seeing evidence and it passing their legal standard
09:43 < TD> it looks like there's going to be a referendum on FATCA actually
09:43 < TD> which worries me a great deal
09:43 < TD> that could lead to "interesting times" for sure ...
09:44 < adam3us> TD: grr facta, wipo etc. i wish the chinese would just say no, hire falkvinge as advisor, and start a countervailing force
09:44 < TD> i quite like switzerland. i hope it doesn't end up engaged in a bloody fight it's too small to win
09:45 < TD> it's fat-ca not facta, though the former is much harder to say
09:45 < TD> well unfortunately the nature of how fatca works mean no one country by itself can stop it. that's rather the nature of empire, see, conquered lands are forced to join the army and fight the next one
09:45 < TD> until nobody is able to stop the conquering army and you end up with rome
09:46 < TD> it takes *simultaneous* opposition
09:46 < TD> that isn't going to happen.
09:47 < phantomcircuit> adam3us, theoretically that provides some level of protection
09:48 < phantomcircuit> in practice however very few us citizens with funds in swiss banks would benefit from that in a meaningful way
09:50 < adam3us> TD: yes fatca is the equivalent of viral licensing. they are trying to take over and unify. its a very bad trend because it precludes jurisdictional competition and societal exploration of conventions pulls everyone down to the lowest denominator (whatever american politicans are paid by lobbyists to think)
09:50 < TD> i would put it more simply: it is the end of independent countries and the formal start of the american empire
09:50 < BlueMatt> hah, yep, welcome to us banking regulation (and others, ie trade sanctions...)
09:50 < BlueMatt> we own the world, screw everyone else
09:51 < adam3us> TD: agreed. the only hope I see is the rise of asia economic and geopolitical influence
09:51 < BlueMatt> and yet even americans have a fundamental hate for their politicians....
09:51 < BlueMatt> one would hope the eu would be large enough and willing to compete, but that clearly isnt gonna happen
09:51 < TD> yes it's quite an unstable situation, where you have a tiny number of people in washington who are despised by nearly everyone including the people they claim to represent
09:52 < adam3us> TD: and the meteoric rise of rick falkvinge & pirate party, still an outlier but growing
09:52 < TD> the only thing keeping a lid on it, is the fact that technically they were "voted" for, but i wonder how long that will continue to placate people
09:52 < TD> BlueMatt: well, compete in what sense?
09:53 < BlueMatt> compete on regulation and refuse dumb things that america tries to push
09:53 < TD> EU governments can't/won't push back strongly against FATCA even though it means the end of their sovereignty, because they've all been on the war-path against "tax avoiders" so can't afford to look soft on tax now. especially as there are so many people who are being kept alive only through taxation
09:53 < BlueMatt> compete on regulatory burden and figure out what regulation should be instead of just taking what is forced on them from washington
09:53 < adam3us> they paid some lip service to that after snowden's haul revealed spying on the politicians themselves (merkel etc)
09:53 < phantomcircuit> BlueMatt, americans largely hate politicians
09:54 < TD> then it only takes a few to crack and what little unity existed is gone. divide and conquer. easy.
09:54 < phantomcircuit> but the reality is by and large we're wealthy enough that doing something about it is risky
09:55 < BlueMatt> phantomcircuit: for good reason
09:55 < adam3us> TD: well i hope the swiss vote against it, in their citizen led referendum; they managed to keep out of EU through the same process, the problem is the man in the street may not understand the issues well enough
09:55 < phantomcircuit> BlueMatt, dat welfare, placating the masses
09:55 < TD> the problem is if the swiss reject it, they will be completely wrecked
09:56 < TD> it's not just the USA that will impose massive sanctions. every other country that agrees to FATCA has to as well
09:56 < BlueMatt> phantomcircuit: lol
09:56 < TD> that's why it's viral and like an empire - countries that are theoretically "allied" will be forced to fight the swiss, or become enemies of the empire themselves
09:56 < TD> i don't think switzerland can survive a sudden, overnight 30% loss of trade and foreign assets
09:57 < TD> ultimately the swiss will have to agree that they are no longer a free, independent people, and relinquish that, or risk becoming the next iran
09:57 < TD> and that will be incredibly painful. i am not sure what they will do.
09:57 < TD> no other government is ever going to put this to referendum for exactly the same fear - that the people will reject this takeover, fight it and get killed in the process
09:58 < phantomcircuit> BlueMatt, sadly that isn't really a joke, my personal experience has been fairly strongly that people on welfare strongly support the governments power to tax and give them more money
09:58 < phantomcircuit> ironically they get all mad when some cop shows up and shoots someone
09:58 < TD> of course they do. you would too, if you were on welfare
09:59 < phantomcircuit> i've literally never met anybody on welfare who could see the irony
09:59 < phantomcircuit> TD, i honestly cant say i'll likely ever know
09:59 < TD> i wouldn't be too sharp there. times change. i've met out of work programmers who couldn't get a job for whatever reason.
10:00 < TD> but if you really can't imagine this, imagine it's your girlfriend/wife/son/daughter/best friend/whatever
10:00 < adam3us> so does facta extend to other countries than US?
10:00 < phantomcircuit> TD, i went to high school with a ton of people whose parents were on welfare
10:00 < TD> the problem is not taxation. the problem is this idea that every government has to know everything about every country in order to implement it
10:00 < adam3us> i mean does it have implications for non americans?
10:01 < phantomcircuit> TD, (like nearly the entire school was on some sort of assistance)
10:01 < TD> adam3us: green card holders, ex citizens too. otherwise no. but the issue is - now america went ahead and did it, suddenly that strategy is legitimised. other parts of the world are talking about the same thing, which would have been unthinkable a few years ago
10:01 < TD> which is stupid because they can't possibly collect any significant amount of tax that way
10:01 < TD> even FATCA is seriously net-negative when you add up the costs and expected extra revenue
10:02 < TD> and the US has citizenship-based taxation which nowhere else does
10:02 < adam3us> TD: well there is also the EUSTD but realistically the UK is dragging its feet because its a bigger tax haven than switzerland (with its offshore dependencies)
10:02 < TD> so if the USA can't make it work, financially, nobody else can even get close.
10:02 < adam3us> TD: and austria is also pushing back
10:03 < TD> yeah but these places all have no chance.
10:03 < adam3us> TD: they are working on EUSTD2 at present
10:03 < TD> basically, the future is automatic data exchange between all countries.
10:03 < phantomcircuit> TD, and the vast majority of us citizens living outside the us dont end up paying much tax anyways
10:03 < phantomcircuit> (if any)
10:04 < TD> ah well, just wait until the people who were supposed to file lots of paperwork and didn't (because they didn't know/would have paid no tax) start getting their savings confiscated to pay the fines
10:04 < phantomcircuit> since the first 90k is exempt entirely and then you can deduct taxes paid to the local authorities
10:04 < adam3us> TD: UK might they have some veto power in europe and vested interest to keep their financial center status, and while they cant say it, they also like their offshore dependent's tax haven status
10:04 < TD> no, no, no they don't: http://www.caribjournal.com/2013/11/05/cayman-islands-united-kingdom-sign-fatca-type-agreement/
10:04 < TD> the UK is busy imposing its own fatca-lite on the caymans
10:05 < TD> anyway, i'm actually all for the idea that if you live in a country you should pay taxes there
10:05 < adam3us> TD: I think views on it are mixed, as i recall the guy who was reviewing one of these things for the uk govt, some lord or something, was himself the beneficiary of a like $100m offshore trust
10:06 < TD> FATCA is evil because for poor old americans there's no easy way to escape.
10:06 < TD> you can't just leave the country and say goodbye to the IRS
10:06 < TD> (and because of how it's being implemented)
10:06 < adam3us> TD: yes i agree - you have to vote with your feet, not dodge local taxes, that way lies legal risk
10:07 < phantomcircuit> TD, it's also fairly difficult to renounce your citizenship
10:07 < phantomcircuit> there's a comical number of people who think they have but in fact haven't
10:07 < adam3us> TD: the americans are screwed already. my wife and brother in law are american dual nationals. have to avoid joint accounts
10:07 < TD> oh dear. they should try and fix that ASAP
10:08 < TD> my brothers girlfriend is a dual british/us national
10:08 < TD> she can barely pay her british taxes, which are trivial. i bet she's never heard of an FBAR
10:08 < TD> i really worry one day her savings (or whatever she has of them) are just going to vanish
10:08 < TD> sent to the IRS to pay fines for not filing paperwork she never even heard of
10:08 < adam3us> phantomcircuit: correct. i do not believe you can renounce us citizenship. my sister in law did it, but i doubt it would make a difference if there is tax involved, they can reject the renunciation on tax grounds as invalid
10:09 < phantomcircuit> adam3us, no they cant
10:09 < adam3us> TD: yes my brother in law who lives in canada is avoiding flying to the us until his accountants work through the retroactive legislation
10:09 < jgarzik> TD, That's modern life in modern society. There are enough laws that (a) no one can credibly know them all, and (b) everybody is a criminal, because everybody is likely violating /some/ law like these.
10:09 < TD> they claim they can actually
10:10 < phantomcircuit> adam3us, you have to go into a us embassy on foreign grounds and renounce your citizenship to the ambassador
10:10 < TD> i've read this too. if the embassy suspects you're giving up citizenship for tax reasons, they can deny it
10:10 < jgarzik> Thus you exist at the whim of prosecutors not focusing their attention on you.
10:10 < phantomcircuit> TD, they can try but that would never fly in court
10:10 < TD> jgarzik: well, she hasn't broken any local laws. she was born into dual nationality, she never lived in the USA
10:10 < TD> phantomcircuit: which court? "citizenship" just means "the US considers you to be an owned asset". they can enforce whatever they like if they get brutal enough
10:10 < TD> courts or no courts
10:10 < adam3us> phantomcircuit: yes, it doesnt work. my sister in law got irish citizenship first, then renounced us; but if there was tax involved it is explicitly within their rule book that they can reject it or look past it for tax purposes
10:11 < TD> FATCA just bypasses the whole civic infrastructure of laws and courts. the banks will fine you for them
10:11 < phantomcircuit> TD, you'd end up having to sue the IRS
10:11 < TD> and you'd fail. you're technically a criminal, right?
10:11 < TD> (in their eyes)
10:11 < phantomcircuit> TD, im pretty sure you would succeed
10:11 < phantomcircuit> there's a reason that this has never gone to court
10:12 < phantomcircuit> they dont fight battles they will lose if they can bullshit people instead
10:12 < TD> i'm pretty sure you would fail. what ground would you have to sue them? they're just implementing laws congress wrote
10:12 < adam3us> phantomcircuit: courts dont work because they make the rules, and they interpret the rules, and they can interpret them very loosely and they have infinite money. you lose.
10:13 < TD> now this is all well and good, but the *real* fun will begin once the US starts to tax people and things that don't have any US connection at all
10:13 < TD> the current definition of "us person" is already so expansive that it bears little relation to the intuitive definition
10:14 < adam3us> TD: being the world currency reserve is a form of global hidden tax via USD inflation. its relatively significant bonus to the us
10:14 < TD> the US finances are so completely unfixable that once that infrastructure is in place, the temptation to tax foreigners will be overwhelming and irresistible
10:14 < TD> yes sure, but i'm talking about stuff that will pay down the deficit. doing that would be politically popular.
10:15 < phantomcircuit> TD, iirc the law actually only provides for enforcing existing obligations, but does not actually allow for rejecting your renunciation
10:15 < jgarzik> It is quite literally impossible to fully pay down the deficit.
10:15 < adam3us> TD: probably increased inflation to inflate away the debts value, that has been the historical method
10:15 < phantomcircuit> jgarzik, we could sell like maine
10:15 < TD> they're already doing that
10:16 < jgarzik> Inflating away debt is the only tool remaining in the toolbox.
10:16 < phantomcircuit> adam3us, the debt is growing much faster than inflation
10:16 < jgarzik> (I'm not saying that's a good thing... just the engineering reality)
10:16 < TD> the problem is the politics of it. the way modern governments inflate away their debts is that the central bank prints money and lends it to the other branches of government
10:16 < phantomcircuit> it's like 800 billion/year and we're at about 17 trillion
10:16 < TD> technically the government is printing money, but when you add up the "debt" it includes debt to the central bank
10:16 < phantomcircuit> so ~4%
10:16 < TD> and people will then be shown a graph of debt going upwards
10:17 < phantomcircuit> (that's a conservative number)
10:17 < adam3us> its possible we're looking at a second round of financial system shocks, eg when more major countries default, historically it has happened relatively often, and more recently than people imagine
10:17 < phantomcircuit> inflation is ~2.5%
10:17 < jgarzik> Fallacy: most countries will not default.
10:17 < TD> which is unpopular and then politicians looking to get elected will campaign on "reducing the deficit". but they can't raise taxes domestically, because that's even more unpopular than deficit, and they can't cut back the DoD because it's such a huge part of the economy
10:17 < jgarzik> Gold bugs love to think about impossible scenarios where 95% of the world melts down, except for the wise people holding gold.
10:17 < phantomcircuit> TD, the problem is that the US has actually borrowed money from itself for decades
10:17 < TD> so - that leaves, taxation of foreign income
10:18 < phantomcircuit> TD, so now there are massive unfunded obligations like social security and medicare
10:18 < TD> yes, pensions are a huge problem everywhere. but massive deficit spending on the military makes a bad situation worse, and that's politically infeasible to fix
10:18 < jgarzik> Politicians get elected by writing checks that can be inflated away. Money in the pocket now, and not thinking about long term consequences. But when the crisis comes, the populace will vote for whatever avoids total meltdown for their local community. Simple self-interest.
10:18 < TD> for reasons i don't really get, but still, that's how it is
10:19 < adam3us> TD: maybe some more faux-imperialism - annex some more countries in the name of exporting "freedom" and install us megacorps to exploit their resources
10:19 < phantomcircuit> jgarzik, that depends on if you're using the technical definition of default and whether you include obligations to citizens or just to bond holders
10:19 < TD> well that was already tried in iraq
10:19 < TD> and it sorta worked and sorta didn't
10:19 < TD> they're running out of things that weren't done yet
10:19 < phantomcircuit> jgarzik, it's almost certain that nearly every western country will default on its obligation to citizens
10:21 < adam3us> phantomcircuit: they may avoid technical default, but there may be some major money printing bail outs eg within europe, haircuts for depositors, bondholder conversion (the paper work may be prepped for that by now)
10:21 < phantomcircuit> TD, in large parts of the us military spending is a significant part of the economy, because of the way representatives are selected (it's a combination of districts and number of people) they have disproportionate representation relative to population size
10:21 < TD> yeah. i know about the way the campaign donations are structured. but military spending isn't unpopular
10:21 < TD> it's barely even discussed, it seems
10:21 < phantomcircuit> TD, more so they pretend to have many issues but really they only have one
10:21 < phantomcircuit> more pork for their district
10:22 < phantomcircuit> TD, because it's largely pointless
10:22 < phantomcircuit> there is a significant voting bloc which only cares about that one issue
10:23 < jgarzik> phantomcircuit, c.f. Crysler bailout. USG has already proven it is willing to favor a junior-yet-politically-favored class over senior debt holders
10:23 < TD> people who work for the military or have relatives who do, i guess
10:23 < jgarzik> Chrysler
10:25 < jgarzik> phantomcircuit, Having lived in a military family in military towns... that's demonstrably not true... unless the local base is majorly threatened. People tend to ignore the issue unless somebody threatens to close the local base.
10:26 < jgarzik> phantomcircuit, a lot of the US military tends to vote Republican/tea party/conservative, not pro-government Democrat
10:27 < TD> because they know the republicans are anti-spending, except for the military, where they always spend more.
10:30 < adam3us> amiller: you mentioned you had a solution to non-outsourceable puzzle - are you going to update the bct thread?
10:34 < amiller> adam3us, yes, probably not for a week or so though
10:35 < adam3us> amiller: nudge me when you do - interested if there may be other apps of it
10:38 < TD> jgarzik: btw bitpay rocks
10:38 < TD> jgarzik: i can now purchase takeout food in zurich thanks to bitpay+lieferservice.ch
10:38 * TD remembers just 18 months ago pondering creating a manual gateway for buying pizza locally with bitcoin.
10:40 < jgarzik> hehe
10:40 < jgarzik> TD, I am scheming to buy real estate with bit coins, through bit pay.
10:41 * TD is happy with smaller pleasures
10:41 < jgarzik> TD, investors pay bitcoins, and bitpay auto-converts and puts money in the escrow bank account used for purchasing real estate :)
10:41 < TD> like pizza
10:41 < jgarzik> hehe
10:41 < TD> so they can more easily switch from one bubble to another? nice! :)
10:41 * TD is finding it so hard to concentrate this afternoon
10:42 < jgarzik> My lifelong dream has been to build cool real estate, like affordable castles (strongly built with redundancy, but affordable for the average person)
10:42 < jgarzik> Nah, the real estate thing will not use leverage, just cash. Less bubbly ;p
10:43 < TD> a mans home is literally his castle?
10:43 < jgarzik> That's the middle class dream, and we are amazingly close to it
10:44 < TD> screw castles. i want one of those: http://www.digsdigs.com/photos/the-most-futuristic-house-4.jpg
10:44 < TD> although - possibly with a road next to it
10:44 < jgarzik> Think about everything that only a king had access to, 400 years ago: food preparers, groundskeepers, imported food and wine, servants (now at $/hr, divided out and outsourced)
10:44 < jgarzik> personal doctors/health care
10:44 < TD> a harem?
10:45 < jgarzik> TD, redtube.com?
10:45 < jgarzik> ;p
10:45 < TD> lol
10:45 < TD> close enough
10:45 < TD> http://lifewithoutbuildings.net/greentextiletower.jpg
10:45 < TD> i'd also settle for that one
10:46 < TD> ooh: http://futuristicnews.com/wp-content/uploads/2012/07/Cocoon-House-Jeju-Island-Korea-02.jpg
10:46 < jgarzik> That's the best of the three
10:49 * TD is debugging code that is too complicated and is procrastinating
10:49 < TD> best thing is - i wrote it!
11:18 < adam3us> maaku, jtimon: when we were discussing blind certificates with chaum blinding (or brands) here yday or so, you mentioned using ZC for on chain respending
11:21 < adam3us> maaku, jtimon: but if you have an issuer (or an offline issuer, but online transaction server), maybe you could consider giving the transaction server a key authority to reblind the tokens, optionally using the chain as the authority for double spending prevention
12:32 < adam3us> had to say something about the coin validation stupidity
12:32 < adam3us> https://bitcointalk.org/index.php?topic=333882.new#new
12:32 < adam3us> (the forbes article)
12:40 < TD> if they want buyers to have to identify themselves, the right approach is a payment protocol extension
12:40 < TD> but their thinking seems muddled in other ways, so i am not surprised they didn't think of that
12:46 < adam3us> TD: precisely - its stupid and the wrong approach - identify the user, not break fungibility
12:46 < TD> fungibility isn't absolute even with bitcoin. i made this point on the foundation forums
12:46 < TD> e.g. unconfirmed coin with zero fee < 100 confirms
12:47 < TD> though technically they both give you bitcoins
12:47 < adam3us> i encourage everyone to ram home to any bitcoin biz people who may not understand, that this will damage fungibility, and so if their business depends on fungibility, and bitcoins success participating in this is destructive
12:48 < adam3us> TD: yes bitcoin fungibility is imperfect which is partly what makes it vulnerable to the dangers coin validation creates
12:48 < adam3us> TD: and the defenses that exist (or could be implemented) like wallet coin control, coinjoin are either not impl or not widely deployed
12:50 < adam3us> (if fungibility was cryptographically perfect, they'd be forced to adopt a sensible approach- provide users with certificates that they can use with regulated businesses when AML/KYC are required)
12:50 < TD> none of those are related to the lack of fungibility i just pointed out
13:06 < phantomcircuit> jgarzik, i had to run earlier, in general the constituency has a lot of other issues they are worried about, but the principal matter representatives work towards is more pork for their district, they they also pass some social policy changes then maybe they beat the guy running against them who would also make pork their primary issue
13:06 < phantomcircuit> jgarzik, it's gotten to the point that they dont really need to campaign on it since it's implied
13:08 < phantomcircuit> jgarzik, iirc real estate holding companies like that would mean following sec guidelines that are doubly plus not fun
13:59 < jgarzik> phantomcircuit, not true, if properly arranged :)
14:00 < jgarzik> (RE real estate)
14:00 < jgarzik> Still have annoying investor DD, so far from anonymous, but thankfully no SEC reg
14:01 < phantomcircuit> jgarzik, unless you're transferring title to the investor they would need to be
14:04 < jgarzik> phantomcircuit, nope
14:05 < jgarzik> phantomcircuit, think multiple companies, multiple countries, annoyingly complex ownership structure
14:05 < phantomcircuit> sorry i accidentally some words
14:06 < gmaxwell> 10:59 < cjb> "github: we put the 'central' in 'decentralized revision control system'"
14:06 < phantomcircuit> jgarzik, they would need to be accredited investors and/or you would need to comply with the JOBS act stuff
14:06 < phantomcircuit> gmaxwell, lol
14:07 < phantomcircuit> jgarzik, im sure there are shenanigans you can play with offshore holding companies which they're invested in which in turn hold the domestic company
14:07 < phantomcircuit> thus the investors comply with the offshore rules instead of the domestic rules
14:07 < phantomcircuit> in general schemes like that work until they dont and then they tend to really not work
14:11 < jgarzik> gmaxwell, rofl
14:15 * jgarzik ambushes the channel with a new term, beta-testing it: http://imgur.com/P2G7670
14:16 < jgarzik> My thesis, after watching economists and computer scientists grossly misunderstand bitcoin, even after looking at it a while
14:17 < jgarzik> To understand why bitcoin works (or how it might fail), you must evaluate any thesis according to each of the three legs of the Satoshi Triangle: economics, game theory and software engineering. Most academics fail to take a holistic approach, and in doing so, wind up failing to understand why their "bitcoin is broken!" argument falls over.
14:18 < jgarzik> Really Smart People(tm) keep missing major facets of bitcoin, when they do their own research
14:18 < jgarzik> and thinking
14:19 < gmaxwell> I very much agree with your point. Invoking satoshi more makes me a bit sad. I think we do better without the satoshi mysticism in general, and people fixating on satoshi weakens us.
14:20 < gmaxwell> I don't have any better names for the facets, not sure I'd choose that exact set of labels.
14:38 < jgarzik> gmaxwell, Modesty prevents me from calling it 'garzik triangle', and 'bitcoin triangle' seems rather boring.
14:38 < jgarzik> gmaxwell, IMO these are key facets that Satoshi figured out, so I thought it fair
14:38 < jgarzik> computer scientists are calling bitcoin tech "Nakamoto block chain" for example
14:43 < petertodd> gmaxwell: We should pay the NSA to come up with undeniable proof that Satoshi was a crack-addled alcoholic. Then again, Toronto's mayor is still in office...
14:43 < gmaxwell> "I was too drunk to know I was inventing a decentralized cryptocurrency."
14:44 < petertodd> lol
14:46 < phantomcircuit> lol
14:47 < sipa> "I was trying to come up with this absurdly complex pyramid scheme..."
14:47 < gmaxwell> "I'm not sure if I succeeded or failed"
14:47 < amiller> i'm not sure what you mean is the difference between economics and game theory
14:49 < sipa> amiller: atire
14:49 < jgarzik> I agree that economic incentives and game theory motivations are quite intertwined
14:49 < jgarzik> But from the PoV of a classically trained economist, who barely knows computers and prints out his email, I think the distinction matters
14:49 < amiller> swap one or the other for distributed systems & cryptography and i'd like it
14:50 < jgarzik> (1) Economics and game theory, (2) software engineering, (3) distributed systems & crypto ?
14:50 < amiller> sounds right to me
14:50 < petertodd> jgarzik: you forgot (4) sociology/political science
14:51 < adam3us> need a bitcoin.it wiki page
14:51 < jgarzik> petertodd, too meta
14:52 < jgarzik> want to avoid politics and ideology. depending on your political bent, views range from "bitcoin is OBVIOUSLY political" to "keep your politics away from my bitcoin"
14:52 < petertodd> jgarzik: well you are talking to a guy whose most recent bitcoin-dev list post was a short near-future sci-fi post-modern narrative
14:52 < jgarzik> best not to go there
14:52 < jgarzik> P.S. I argue it is impossible to be post-modern
14:52 < petertodd> See, seriously speaking where politics comes into it is the nature of changing the system itself; something that hasn't been deeply explored yet.
14:53 < petertodd> jgarzik: heh, my art school teachers would have argued the exact opposite
14:53 < amiller> it's post-impossible to be modern?
14:54 < petertodd> amiller: lol
14:54 < petertodd> amiller: Your recognition of the concept of modernity dooms you to forever be a post-modern man.
14:56 < jgarzik> petertodd, Yeah, but that's in art school, where they know nothing of engineering constraints imposed by reality. ;p
14:57 < jgarzik> OK
14:57 < jgarzik> Revised: http://imgur.com/S4dTQOG
14:58 < petertodd> jgarzik: at least they don't pretend otherwise :P I quit industrial design after a year that included me having to argue a design for a "eco-friendly" lamp was physically impossible; couldn't get my teacher to understand the relevance of E_k = mgh...
15:00 < petertodd> heh, I like how software engineering != distributed systems, good
15:05 < phantomcircuit> petertodd, but but it's eco friendly!
15:07 < jgarzik> petertodd, to me "engineering" is the grubby parts of making things work, outside the world in which theoreticians exist
15:07 < jgarzik> some attacks are valid in theory, but just not practical for engineering reasons too annoying to detail
15:08 < petertodd> To me an engineer is just a theoretician who analyzes non-spherical cows too.
15:10 < maaku> petertodd: that's one approach to engineering. it's not always the best though
15:11 < petertodd> heh, ah, but see, the moment you assume a non-spherical cow, you very quickly either adopt good engineering practices, or give up and make the cow spherical again.
15:11 < petertodd> (or design bridges that fall down...)
15:19 < phantomcircuit> petertodd, brb genetically engineering a spherical cow
15:20 < petertodd> phantomcircuit: spoken like a true engineer!
15:23 < jgarzik> Any problem is solvable given sufficient time to debug.
15:29 < phantomcircuit> jgarzik, or the ability to modify the problems contraints
15:29 < phantomcircuit> constraints*
15:30 < jgarzik> phantomcircuit, I'm an engineer. I am allowed to tell management that reality is interfering with their artificial, theoretical constraints.
15:30 < phantomcircuit> hehe
15:34 < phantomcircuit> is the disable wallet patch in master?
15:35 < jgarzik> phantomcircuit, yes
15:35 < jgarzik> wumpus pushed it over the finish line, while I was off dealing with family stuff
15:35 < maaku> phantomcircuit: while you're at it, make me a cuboid cow. easier to stack.
15:36 < midnightmagic> jgarzik: Yes, people do often misapprehend the nature of the scaling issues bitcoin has. https://twitter.com/midmagic/status/241845808201334784
15:36 < phantomcircuit> maaku, try japan they already make cuboid watermelons
15:36 < phantomcircuit> although something tells me a cow would object to being kept in a plastic box
15:36 < midnightmagic> "because it has to broadcast transactions, it's untenable"
15:36 < midnightmagic> `_`
15:37 < phantomcircuit> midnightmagic, "i have no idea what a gossip protocol is"
15:39 < midnightmagic> phantomcircuit: She's a tor dev. :(
15:40 < phantomcircuit> that is deliciously ironic
15:40 < sipa> midnightmagic: who?
15:41 < sipa> ah
15:42 < midnightmagic> sipa: The person who told me namecoin was useless as a distributed dns lookup because tx are broadcast thus hand-wavey "quadratic scaling problem".
15:42 < midnightmagic> maybe I'm misinterpreting.
15:43 < phantomcircuit> midnightmagic, she's missing that peers keep track of what they've told other peers about
15:43 < phantomcircuit> the communication protocol is basically O(n * m) for n = messages and m = peers
15:44 < phantomcircuit> but the actual chain storage is linear with transactions
15:44 < phantomcircuit> if you naively assume that every peer tells every other peer about everything
15:44 < phantomcircuit> then it is horrible
15:46 < midnightmagic> phantomcircuit: But the cost of doing those broadcasts successfully is significant (or it was before Vince screwed us all) so growth does not cause strictly quadratic growth in network communications overhead anyway, even leaving the blockchain itself out of it (which is ultimately very much more prunable than bitcoin's.)
15:47 < phantomcircuit> midnightmagic, the broadcasts should be fairly cheap with an inventory/getdata setup
15:47 < phantomcircuit> optimally each peer receives 8 inv messages, sends 1 getdata, and receives 1 data block
15:52 < gmaxwell> midnightmagic: One reason people assume quadratic communication is because they're not aware of the surprising result that expander graphs can have log radius while having constant degree. E.g. nodes can have some small _constant_ number of connections per node, but the distance to any other node can remain log in the number of nodes. So they start thinking every node has to be fully connected to every other node.
16:04 < warren> hmm, is the floating fee stuff happening for 0.9?
16:14 < ebfull> ya warren
16:14 < ebfull> gavin's got it in bitcoin-git/smartfee branch
16:43 < midnightmagic> gmaxwell: Is this Raoul Raoul? That guy that shows up when I mention his name? https://bitcointalk.org/index.php?action=profile;u=9477
16:49 < midnightmagic> He must not know about this channel yet.
17:15 < adam3us> had a minor thought about slightly improving committed tx: if you want to decommit (reveal the tx to the network), previously it was discussed as sending it to the network, and as i recall people pointed out a risk that the miners could refuse to validate it and therefore you'd be prevented from compacting utxo and have to respend it in committed form
17:17 < adam3us> however replying to mastercoin about their impact on the bitcoin network thread it occurred to me, the full nodes can validate whether the key decommit is valid to relay, they have the committed tx to compare it to, so they dont need miners
17:17 < adam3us> and a decommit is small, its just a sym crypto key and the last txid of the committed spend path
17:20 < gmaxwell> ha!
17:20 < gmaxwell> we don't need to have a consensus about your deleted data... so long as we don't authenticate it.
17:21 < gmaxwell> kinda breaks using a committed utxo though, alas.
22:41 < gmaxwell> http://www.smbc-comics.com/?id=3175#comic
23:51 < warren> We're getting complaints of MacOS X corruption from several users now. I didn't get around to posting the bounty in public yet.
23:51 < warren> maybe it's time to define it
--- Log closed Fri Nov 15 00:00:43 2013