00:00:09 | gmaxwell: | nsh: if you're not progress free (at least on a large scale) you're unfair and you give superlinear rewards to larger participants, which would incentivize centralization. |
00:00:17 | tromp__: | the operating cost of latency constrained RAM is pretty low |
00:00:26 | nsh: | hmm |
00:00:29 | gmaxwell: | yes, ::cries:: and that's bad! |
00:00:38 | gmaxwell: | I agree that it's low. |
00:00:47 | tromp__: | no, that means an attacker is constrained by investment cost |
00:00:57 | tromp__: | by cost of buying tons of RAM |
00:01:20 | tromp__: | he'll never spend as much on operating cost as the investment in RAM |
00:01:40 | gmaxwell: | Sorry, I think we're wasting time now. I suggest we both take a break and consider this again later with fresh eyes. By then I'll also read your paper, as I'm sure it's independently interesting regardless of this meta argument. |
00:01:57 | tromp__: | good idea. |
00:02:18 | tromp__: | thanks for your interest in my proposal |
00:05:12 | tromp__: | to summarize my arguments: cuckoo is sequential latency constrained -> not parallelizable -> miner cost dominated by initial RAM investment rather than operating cost -> cannot match worldwide commodity PCs |
00:07:38 | gmaxwell: | Yes, this is also the argument advanced in the scrypt paper (just without the mention of operating costs). I am concerned, but not yet convinced that at least in the scrypt paper the argument is wrong, and I am nearly convinced that at least for some scrypt parameters that it's wrong. This may not apply elsewhere, however. |
00:08:24 | tromp__: | also note that scrypt cannot increase RAM use much, because verification is alrd nontrivial |
00:08:37 | tromp__: | while cuckoo verification is always trivial |
00:10:59 | gmaxwell: | yes, I'm aware of this. It's inapplicable to the KDF case, as I said before I think the PT was giving the wrong initial argument to you. Collision like things usually fail to progress-freeness problems or TMTO, but they do achieve asymmetric verification costs. |
00:11:22 | tromp__: | right, you cannot make a good KDF out of cuckoo |
00:12:10 | gmaxwell: | Why not? take your first solution from a deterministic start and hash it. The result is your key. |
00:13:14 | tromp__: | let me check my email correspondence on this |
00:16:31 | tromp__: | that does make a KDF, but it doesn't exploit the neat feature that cycles are trivially checkable. and memory hardness has to be taken more on faith than with ROMix based functions |
00:17:10 | tromp__: | so it's not an obvious improvement over other schemes |
00:17:28 | tromp__: | whereas for PoW it has ideal properties that no other PoW has |
00:27:10 | tromp__: | afk to dinner |
01:40:05 | ArcticTrader: | ArcticTrader has left #bitcoin-wizards |
03:35:03 | gmaxwell: | man, the internet is so screwed up: http://thenextweb.com/socialmedia/2014/01/29/lost-50000-twitter-username/#!tV5FI < this guy got his short twitter account name extorted out of him, and part of his advice is not to use your own domain names for registration because the domain names are so easily hijacked. |
03:45:48 | c0rw1n: | that's screwed up yes |
03:49:17 | tromp__: | with paypal you need to actively opt-out of being screwable. of course they have plenty other ways to screw you... |
03:50:30 | tromp__: | generally, the last 4 digits of cc shld be considered public knowledge |
03:50:56 | tromp__: | so godaddy was the bigger offender |
03:54:36 | andytoshi: | tromp__: agreed, i'd register a domain with realsolid before godaddy.. |
04:00:27 | tacotime_: | andytoshi: I hear he's offering decent prices for fee shares on his exchange these days too |
04:03:07 | tacotime_: | It's a shame for SC2, I feel like if RS/CH hadn't gone so outrageous crazy on trying to manipulate the price it would still hold some value today as a litecoin competitor |
04:06:27 | tacotime_: | And I was surprised how long the trust node system stood up for. |
04:06:59 | gmaxwell: | it got abused by RS pretty quickly. |
04:07:18 | gmaxwell: | I think it was only two months or so before the first time he used it to force a subsidy change on the network. |
04:07:31 | tacotime_: | Yeah, that was the problem. I mean, SK more or less does the same thing with checkpointing PPC, but SK doesn't mess with the chain. |
04:08:40 | gmaxwell: | yea the ppc mechanism is functionally quite similar though at least RS had an argument about how his thing would eventually be distributed. (though after he decreased the subsidy you could be pretty sure no one would ever have 1M SC) |
04:08:45 | tacotime_: | There's nothing super wrong with a temporarily forced centralization of the chain while it takes off and you mess with new features that could break it I think, but when you decide, "Hey, the price isn't high enough! Let's decrease subsidy 100 fold!"... |
04:09:01 | tacotime_: | Yeah |
04:10:06 | gmaxwell: | tacotime_: well PPC's thing is not temporary, it was originally that way to bootstrap until POS took off, but most mining is POS now... and the new white paper points out that the checkpoints are needed to create a consistent baseline state for POS. but yea yea. |
04:10:43 | tacotime_: | There's a new version? I didn't know he'd changed that... that's unfortunate. |
04:11:01 | gmaxwell: | if I did an altcoin I'd have multisignature broadcasted checkpoints (e.g. distributed instead of fully centralized) and I'd have the nodes disable them automatically at some high enough difficulty. |
04:11:46 | tacotime_: | That makes sense. |
04:12:03 | gmaxwell: | yea, the updated one he did after the initial attack on PPC POS where someone was mining all the blocks. (by grinding at block hashes to search for a history where his stake was selected in every block) |
04:13:04 | tacotime_: | Right. I don't think that totally justifies complete centralization though... that's kind of an admission that you're not really confident in what you're doing functioning correctly on an independent basis |
04:14:08 | c0rw1n: | (or that you're a wannabe rent-seeking exploiter / future scammer / Ripple) |
04:15:13 | tromp__: | could you have checkpoints triggered by the blockhash being particularly far below the difficulty? |
04:16:04 | gmaxwell: | tacotime_: yea, well the bigger change that was made at that time was making it so that only pow blocks select POS miners, meaning that a POW majority can pick which stake can mine, and which makes high pow difficulty more or less essential to the security. |
04:16:34 | gmaxwell: | tromp__: I can't decode what you're suggesting. |
04:16:39 | tacotime_: | Oh, that's what that stake modifier thing was all about? He refused to explain that to me |
04:17:18 | gmaxwell: | fortunately(!) his code is pretty readable. |
04:17:39 | tacotime_: | That's also kind of scary though, as it makes the network more open to attack if someone decides to DDoS all pools |
04:17:47 | tacotime_: | Also the reward algorithm itself makes that lucrative |
04:18:11 | tacotime_: | I wish he would have just said that sentence to me 12 months ago, because that makes total sense. |
04:18:18 | tromp__: | if the blockheaderhash has maybe 16+ more zeroes than required by the target difficulty, that could be considered a checkpoint trigger |
04:18:22 | gmaxwell: | I just assume he's one of us, I think it's generally well executed, it suffers because the overall idea is kinda lame. I like bitching about him because he's probably here twitching that he can't reply without blowing his anonymity. :P |
04:18:35 | tacotime_: | Haha |
04:19:08 | tromp__: | so checkpoints wld happen about every 2^16 blocks |
04:19:11 | gmaxwell: | tromp__: you can get some awesome attacks out of that. e.g. mine such a thing and then delay announcing it. |
04:19:34 | gmaxwell: | totally pointless, you should probably erase the word checkpoint from your mind, only horrible things result from it. |
04:19:42 | c0rw1n: | ooh scary |
04:19:52 | tacotime_: | Yeah it's the reason you have to be cautious about using the total work of a chain as the selecting factor too. |
04:20:11 | tacotime_: | Because if you hide the block from the network and it represents a huge amount of work, doublespending becomes very easy. |
04:20:18 | gmaxwell: | even better, if you're hashpower enough to cause trouble absent 'checkpoint' crud, you mine _two_ of them and then concurrently announce them to half the network each. Goodbye network. |
04:20:52 | gmaxwell: | tacotime_: yea, in what tromp__ was suggesting, they'd be worth infinite-ish work. :P |
04:22:36 | tromp__: | ic. i shld fix my suggestion. trigger when, not the blockheaderhash, but the whole block hash has 16+ zeroes |
04:23:06 | tromp__: | so it has no relation to accumulated difficulty |
04:23:22 | gmaxwell: | tromp__: that doesn't change anything relative to the points I made. |
04:24:03 | gmaxwell: | also, if it really worked like that, people would mine the whole block hashes instead, as they'd be much easier than normal mining. |
04:24:42 | tromp__: | let me educate myself some more on checkpointing procedures... |
04:25:02 | gmaxwell: | I reiterate, you really ought to forget that exists at all. |
04:25:20 | tacotime_: | I'm out to sleep, night! |
04:25:24 | gmaxwell: | Everything I've ever seen described in that space creates attacks where none existed before, some more serious than others. |
04:25:28 | c0rw1n: | good night tacotime_ |
04:26:16 | gmaxwell: | in particular, most of them create attacks which are most available to high hashpower consolidations, and if none of those exist then there was little to no advantage to be gained by having anything like that to begin with. |
04:27:51 | tromp__: | i have no idea what are these checkpoints you're talking about:-) |
04:27:59 | gmaxwell: | :) |
04:28:22 | c0rw1n: | "these are not the checkpoints you are looking for" ? |
04:31:51 | tacotime_: | tacotime_ is now known as tt_zzz |
04:52:17 | justanotheruser: | justanotheruser is now known as gh0sts |
04:52:25 | gh0sts: | gh0sts is now known as justanotheruser |
05:10:49 | justanotheruser: | justanotheruser is now known as justanotheruser1 |
05:10:54 | justanotheruser1: | justanotheruser1 is now known as justanotheruser |
10:08:38 | gavinandresen_: | gavinandresen_ is now known as gavinandresen |
16:02:47 | tt_zzz: | tt_zzz is now known as tacotime_ |
16:49:17 | botolhejo: | botolhejo has left #bitcoin-wizards |
19:04:32 | ZoltanTokay: | Bitcoin will raise so much after google will add bitcoin to their wallet.. look they speak live about it... www.thebitcoinsnews.com |
19:57:31 | cymanon: | ethereum? risk too high? |
20:00:31 | optimator: | it would be nice if all wallets provided a common api for testing. Hook the api up to testnet run through tests, add customer tests (m-n transactions). certified! |
20:00:43 | optimator: | *customer=custom |
20:10:50 | phantomcircuit: | cymanon, what? |
20:17:42 | cymanon: | I don't know ;\ be back later |
20:57:47 | grazs: | any recommendations for a cheap fpga kit? |
20:58:41 | maaku: | grazs: off-topic |
20:59:32 | maaku: | but i would recommend #bitcoin-otc, I'm sure there's plenty of miners getting rid of their gear |
20:59:40 | grazs: | i'm sorry |
21:00:56 | grazs: | that might actually be a very good idea, thanks! |
21:16:19 | michagogo|cloud: | ;;later tell gmaxwell Did you be any chance capture the second day of the ny hearing? |
21:16:19 | gribble: | The operation succeeded. |
21:16:31 | michagogo|cloud: | by* |
21:20:49 | petertodd: | gribble: I hear this is the raspberry pi of FPGA dev kits: http://www.zedboard.org/ |
21:21:00 | petertodd: | grazs: er, ^ |
21:23:56 | grazs: | petertodd: thanks a bunch! i got inspired when you guys talked about PoW algorithms |
21:24:20 | grazs: | and my job doesn't want to buy us such fine toys |
21:27:01 | petertodd: | grazs: yeah, the zedboard is very cheap, and stupidly powerful |
22:14:08 | tromp__: | the |
22:14:09 | tromp__: | Parallella-16 (Expect to re-open orders in January) |
22:14:11 | tromp__: | Parallella-16 |
22:14:19 | tromp__: | sorry; copy-paste issues |
22:14:48 | tromp__: | the Parallella-16 board is similar to the zedboard but only $99 (currently sold out) |
22:15:14 | gmaxwell: | tromp__: uh, it's almost entirely unlike the zedboard. |
22:15:19 | gmaxwell: | It's not a FPGA. |
22:15:52 | gmaxwell: | oh you mean the cpu is a zynq |
22:15:54 | gmaxwell: | Sorry, indeed. |
22:16:25 | tromp__: | it has both a zynq and an epiphany (16 core cpu) |
22:16:47 | gmaxwell: | yea, sorry I thought you were saying the epiphany was like the zedboard. :P |
22:17:28 | gmaxwell: | One thing about the zedboards is that they come with the license for the fpga tool. I _believe_ there is a cut down version of the zedboard which is a lot cheaper but doesn't include that license; though indeed not as cheap as $99 |
22:17:53 | tromp__: | i'm not sure what the epiphany is good for, but you gotta love that zynq |