00:43:54jgarzik_:jgarzik_ is now known as jgarzik
01:19:47Sangheili_afk:Sangheili_afk is now known as Sangheili
02:13:42BlueMatt_:BlueMatt_ is now known as BlueMatt
04:37:55andytoshi:petertodd: can you give us a preview of the OP_RETURN based stealth addresses scheme you hinted at in your latest email?
04:52:58petertodd:andytoshi: writing it up now :)
05:00:29jgarzik:jgarzik is now known as home_jg
05:26:36brisque:coingen.io has forged 67 new altcoins. I'm impressed.
05:32:06BlueMatt:brisque: those are just the non-hidden ones, too
05:32:27kyrio:oh yeah
05:32:37kyrio:there's an option to pay to keep it private
05:33:19jcorgan:BlueMatt: of all the ways to earn BTC with a website, coingen.io is the most subversive :)
05:33:38brisque:BlueMatt: I'm extremely impressed. you've done a good job with it.
05:33:56BlueMatt:heh, anyway...it's ot for here
05:47:35brisque:almost on topic, can anybody come up with a reasonable explanation for the behaviour of blockchain.info in regard to its "peers connected" number? they seem to manage to get up to around 1500 connections before dropping them all and starting again.
05:47:40brisque:graph - http://i.imgur.com/iiJYOjo.png
05:48:43brisque:the timeframe is around 30 minutes before each big drop, so they're churning through a lot of connections.
05:58:27justanotheruser1:justanotheruser1 is now known as justanotheruer
05:58:37justanotheruer:justanotheruer is now known as justanotheruser
06:10:25jcorgan:jcorgan has left #bitcoin-wizards
06:19:24phantomcircuit:brisque, they dont understand what the limits of select() are so their client keeps crashing when they go past those limits
06:19:28phantomcircuit:which i personally find hilarious
06:25:07brisque:surely they'd notice the bi-hourly crashes and return the connection limit to something sane. surely.
06:25:22brisque:72,000 reconnections a day.
06:26:54phantomcircuit:brisque, surely they have no idea what they're doing and haven't noticed
06:27:10phantomcircuit:hint, it's my thing
06:35:01maaku:maaku is now known as Guest18214
06:36:05brisque:phantomcircuit: really not sure what the hint means
06:36:29phantomcircuit:brisque, surely they have no idea what they're doing and haven't noticed
07:49:08Graet:Graet is now known as Guest93508
07:52:16Guest93508:Guest93508 is now known as Graet
08:09:53Sangheili:Sangheili is now known as Sangheili_afk
09:11:22epscylonb:epscylonb is now known as epscy
09:22:21Guest18214:Guest18214 is now known as maaku
09:22:47gmaxwell:petertodd: P2SH^2 2.0: Take H(script) as a private key in a pairing crypto group. Compute G1*private = pubkey. scriptpubkey contains H(pubkey),sign(H(H(pubkey)||txid))
09:23:50gmaxwell:er sorry pubkey,sign(H(H(pubkey)||txid)) (because you can't do the pubkey recovery for a pairing short signature)
09:23:55gmaxwell:petertodd: so tada, data storage in txouts completely prevented. Overhead of one group element (e.g. 32 bytes)
09:24:35gmaxwell:Why not ECDSA? because signers choice of K can be used to store data in the blockchain... e.g. pick a well known K, and receivers use it to recover the 'private key' (the data)
09:26:48brisque:I'm interested in what The Pirate Bay is planning to do with Bitcoin. by the sounds of their post it is almost like they intend to be storing identifiers in the blockchain, just as you're trying to prevent.
09:27:14maaku:what would be the point?
09:27:26gmaxwell:because omg bitcoin such VC money WOW
09:27:40gmaxwell:people mistake bitcoin for a jamming free network, constantly. ugh.
09:28:15brisque:have you read the article, gmaxwell?
09:28:35brisque:“The “domain” registrations will be Bitcoin authenticated, on a first come first served basis. After a year the name will expire unless it’s re-verified.”
09:29:41brisque:“Site owners will be able to register their own names, which will serve as an alias for the curve25519 pub-key that will identify the site,” the Pirate Bay insider notes.
09:36:50Emcy:gmaxwell youve been saying jamming network a lot recently. Brief explanation?
10:20:49brisque:just as a thought, the entire sticking point of having a SPV p2pool is that we can't prove to a SPV client that the inputs are unspent, right? we can prove that they exist at some point, but not that the block the p2pool node creates with it will be valid to the wider network (the inputs were spent elsewhere).
10:34:03maaku:Emcy: jamming-free
10:34:33maaku:meaning it is a reliable mechanism for transmitting messages that can't be forcibly censored
10:34:36maaku:(which bitcoin is not)
10:37:28gmaxwell:you can have different kinds of jamming freeness, like all or nothing channels.. If you're a >50% hashpower miner bitcoin is arguably an all or nothing jamming resistant network, but it's not to anyone else. :P
10:53:38adam3us:about XCP PhantomPhreak (one of the authors) seems to have changed from spend to fees to proof of sacrifice which they are calling proof of burn but seems to be the same thing, in reaction to someone pointing out that a miner could take their own fees (and maybe worse by the sound of it)
10:59:44nsh_:nsh_ is now known as nsh
11:08:35nsh:yeah, seems to be a very improvised affair
11:18:05gmaxwell:adam3us: do you have a EC discrete log formulation of my above P2SH^2 2.0?
11:18:55gmaxwell:the idea is basically to have a hash function where you can prove that the value in question is a hash and not data stuffed into the same spot.
11:21:23adam3us:gmaxwell: i read it earlier, it's a subliminal channel suppression, seems a bit analogous to the wallet with observer protocol that relies on blind schnorr. but i dont think that helps because there is no semi-trusted hw wallet in this picture.
11:22:34adam3us:gmaxwell: one thing that occurred to me is the one-use signature or limited use sig, where the extended address is H(Q,r) so r is precommitted. then you are only allowed to make signatures with r. maybe you could prove something about r?
11:22:42gmaxwell:I thought perhaps one of those protocols for schnorr where there is one allowable nonce per private key?
11:22:52gmaxwell:But I didn't quite know how those work.
11:23:07gmaxwell:ah there is an extended address. hm.
11:23:09adam3us:gmaxwell: yes same thought... thats it above, its just to say that you choose the nonce(s) at time of address generation
11:23:19gmaxwell:oh darn.
11:23:29gmaxwell:yea, I think that wouldn't work for the namecoin application.
11:26:05adam3us:gmaxwell: i dont get the namecoin connection. (subliminal channel free signatures would be independently nice however to stop stuffing junk in the block chain:) btw if its purely hash based there is a small subliminal channel in grinding the hash if there is any mutability of the serialization or value hashed.
11:27:20gmaxwell:sure, but the grinding subliminal channel isn't huge and you can reduce it further by requring grinding normally. :)
11:27:55gmaxwell:adam3us: it's just the stop stuffing junk application, I'd fleshed that out a little more in particular to namecoin, https://en.bitcoin.it/wiki/User:Gmaxwell/namecoin_that_sucks_less
11:28:54adam3us:gmaxwell: yes. curious thought that the wallet with observer can have 0 subliminal channel due to the blinding and yet still end up with a valid normal (ec)schnorr sig. actually i saw Brands argue that it has 1-bit channel left: fail or not fail :) (simulated hw wallet death)
12:02:23nsh:* nsh exercises blinking muscles
12:34:52Muis__:Muis__ is now known as Muis
14:30:37andytoshi:gmaxwell: sorry, i'm not following your scheme: how is privkey == H(script) enforced here (or even exists(privkey) enforced)? what is txid and why doesn't it depend on its own hash?
14:35:28andytoshi:my concern is, pubkey,sign(H(H(pubkey)||txid)) gives you all of 'pubkey' as a subliminal channel
17:24:50petertodd:Just signed up for the Financial Cryptography and Data Security 2014 conference.
17:24:57petertodd:Who else is going?
17:26:04justanotheruser:I wish I could take a vacation to Barbados
17:27:57petertodd:justanotheruser: heh
17:28:14petertodd:justanotheruser: kinda eye-opening the overall cost - I'm gonna have to bring a tent :P
17:29:26justanotheruser:petertodd: Is Financial Cryptography conference a fancy way of saying bitcoin conference?
17:29:39petertodd:justanotheruser: yup, btc workshop on one of the days
17:30:26petertodd:justanotheruser: http://fc14.ifca.ai/bitcoin/index.html
17:30:38petertodd:justanotheruser: or more interestingly: http://fc14.ifca.ai/bitcoin/accepted.html
17:31:26justanotheruser:petertodd: what, interesting that RS are there?
17:31:51justanotheruser:Or just S
17:32:09petertodd:justanotheruser: ?
17:32:55justanotheruser:Interesting that I don't see any familiar names on that list
17:33:34justanotheruser:Seems like a bunch of PhDs are going to explain bitcoin to the bitcoin devs
17:35:16petertodd:Ha, yeah pretty much from the looks of it, will make for an interesting workshop...
17:35:38petertodd:I think amiller said he was going, so maybe it won't be all people totally removed from the dev community.
17:35:44petertodd:(not that him and I write much code...)
17:50:19home_jg:home_jg is now known as jgarzik
18:11:05Emcy:petertodd sleep on the beach
18:16:33Emcy:did anyone figure out how TPB is planning to use bitcoin for its little thing
18:16:42Emcy:or have you been talking about it and its way over my head
18:17:47Emcy:they best not be spamming the chain......why dont they use namecoin instead
18:31:42maaku:Emcy: have they stated any details?
18:31:54maaku:all they've done is name-drop bitcoin, as far as I can tell
18:32:53maaku:their plan is, apparently, "BITCOIN!!"
18:33:23Emcy:sounds about right
18:35:23skinnkavaj:gmaxwell: https://litecointalk.org/index.php?topic=12404
18:36:24maaku:skinnkavaj: sure, google "geistgeld"
18:36:59Emcy:maaku isnt there a data field in a TX that can be used for arbitrary data without really bloating it
18:37:02Emcy:or something like that
18:37:26maaku:Emcy: sure, any OP_RETURN output
18:37:54Emcy:and that was specifically done to give people a place to dump their crap, if they must?
18:39:27Emcy:wait is that a new field or something repurposed? If its new isnt that just appeasement
18:39:41maaku:and by putting the hash instead of the data itself (or better, the Merkle root of a structure that can hold lots of data), you can keep the wire size small
18:39:46maaku:i think most people here are ok with committing data by hash to the chain
18:39:51maaku:it's an integral part of many of the protocols we design
18:40:52maaku:its just that putting raw data straight on the chain is wasteful, inefficient, and (if it's not provably unspendable) freeloads off of full nodes
18:41:57maaku:it's part of the scripting language not a specific field, and it's always been there
18:42:09maaku:it's just being made standard so it can be relayed in 0.9
18:42:58Emcy:so TX will get slightly bigger, albeit by something that was already in the protocol but disabled until now?
18:43:40maaku:not disabled, you could always use it
18:43:59maaku:just not relayed by default just like other non-standard scripts
18:44:17michagogo|cloud:maaku: It freeloads off of full nodes even when it's provably unspendable
18:44:26michagogo|cloud:It's still in the blockchain
18:44:34maaku:michagogo|cloud: no, full node != archival node
18:44:37maaku:it's not in the utxo set
18:44:42michagogo|cloud:It just isn't in the utx-
18:45:05michagogo|cloud:Erm, do non-archival full nodes exist atm?
18:45:26Emcy:that archival node thing isnt really gonna happen is it? 6tb helium disks soon
18:45:55michagogo|cloud:Emcy: It's safe to assume that at some point in the future there will be non-archival full nodes
18:51:01Emcy:michagogo|cloud i hope not out of strict necessity, but to try and poke people into running a node at all
18:53:50Emcy:hmm asking on TPB irc and no one seems to know shit......
21:19:59maaku:at some point in the near future
21:20:25maaku:i know both petertodd and myself have separately gotten some money to work on a pruned bitcoind
21:21:04maaku:we just have the good sense to make sure that some other fixes make it in first
21:21:20maaku:like headers-first syncing, and being able to advertise which blocks you hold
21:38:55gmaxwell:the latter I think is most of the actual work in pruned bitcoind.
21:39:42gmaxwell:I mean, right now you can just delete the old block files and it works until you run a rpc that would access an old block or a peer tries to sync from you.. it's probably just a few lines of code to make those failures tidy.
21:39:58gmaxwell:and a few lines of code to just automatically delete old files.
21:49:10Emcy:id say it was probably a tradeoff worth making if the alternative is full verifiers dwindling to the hundreds because no one wants to run one
21:49:59Emcy:then again im not sure it will help, because even a pruned node is the same mental distance away from "just works instantly" as a proper node
21:50:05gmaxwell:Emcy: it's just a good thing to have even without that concern.
21:50:30gmaxwell:I now only run one full node at home and one on my laptop, because I just don't have the space for N copies of the blockchain.
22:31:37James:James is now known as Guest22406
22:31:40Guest22406:Anyone bought from iMine.org.uk?
22:32:08Guest22406:http://iminecryptos.webs.com seems to be their temp. page