01:00:49nOgAnOo:nOgAnOo is now known as n0gAn0o
01:01:31n0gAn0o:n0gAn0o is now known as nOgAnOo
08:29:17phantomcircuit:gmaxwell, blargh
08:30:05phantomcircuit:somehow my $HOME was wiped out
08:30:13phantomcircuit:cant figure out how
08:32:55gmaxwell:rm -Rf $HOME ... damn, keys are right next to each other
08:33:01wumpus:probably some script with an over-eager rm -rf, what is the last thing you did?
08:33:16phantomcircuit:mathematica install
08:33:28phantomcircuit:wumpus, that's my best guess also
08:33:47phantomcircuit:im thinking something in it's cleanup was using a variable with rm -rf and the variable didn't get set
08:34:03phantomcircuit:from now on mathematica gets installed in it's own vm >.>
08:34:45phantomcircuit:but i cant see how that's possible
08:44:34phantomcircuit:wumpus, the weird thing is /home/phantomcircuit the directory was still there
08:44:52phantomcircuit:but /home/phantomicrcuit/.config etc were gone
08:44:56wumpus:your user cannote remove that directory
08:45:36phantomcircuit:yeah must have been the mathematica install script
08:45:38phantomcircuit:that's unfortunate
08:45:54wumpus:also are your files in /tmp and such gone? if so, it was probably running a rm -rf / as you
08:46:18phantomcircuit:system was rebooted since then
08:46:21phantomcircuit:so i have no idea
08:46:31wumpus:pretty unfortunate, btw why are you still here instead of doing forensics (or are your backups that good?)
08:47:17phantomcircuit:backups are pretty good
08:47:20wumpus:depending on the fs it is possible to restore deleted files, but only if you act immediately
08:47:23phantomcircuit:it's a vm with snapshots
08:47:46phantomcircuit:it's ext4 there's basically no way to recover except to pick around at individual files
08:48:03phantomcircuit:silly thing zeros the inode when you delete a file
10:48:41edulix_:edulix_ is now known as Edulix
12:57:02qwertyoruiop:qwertyoruiop is now known as tjk9357
13:20:25tjk9357:tjk9357 is now known as qwertyoruiop
17:08:30andytosh1:andytosh1 is now known as andytoshi
19:07:06sipa:roconnor: maybe here :)
19:07:42sipa:what properties an ideal PoW should have... there's much debate
19:08:25sipa:some like to make it favor general-purpose hardware over specially-designed ones (or at least try to limit the advantages custom hardware can have)... which, even if possible, encourages botnets
19:08:45sipa:an assumption was that making it memory-bound would have this property
19:09:27sipa:but gmaxwell argued that heath dissipation actually becomes the limiting factor, rather than memory bandwidth (correct me if i'm wrong), so there is still much to gain from that
19:10:02sipa:other things that have been proposed are PoW functions which mimick bitcoin validation as much as possible, proving as a miner that you have fast access to the UTXO set for example
19:12:01maaku:*gmaxwell argued, and experience with 1st gen scrypt ASICs showed
19:13:07roconnor:sipa: Is the suggestion that POW should be designed to increase heat output?
19:13:17tromp__:memory bound does not imply heat
19:14:09sipa:roconnor: the assumption was that a memory-bound hash function would lead to optimal implementations using general-purpose memory chips
19:14:25sipa:roconnor: so custom-designed hardware wouldn't be able to improve things much
19:14:47sipa:roconnor: turns out that this is not correct, because the limiting factor is not memory throughput, but the cost of heat dissipation
19:15:21tromp__:how does memory-latency-bound computation generate much heat?
19:15:26roconnor:isn't the theoretical limit for heat use independent of the hashing function?
19:15:49roconnor:though perhaps bringing theoretical limits for heat use is inappropriate now.
19:16:06sipa:gmaxwell or maaku can probably comment better than i can
19:17:49pigeons:specialized hardware can gain efficiency due to better heat dissipation than commodity hardware, overcoming the purpose of making the function memory hard to keep away specialized hardware that is more efficient
19:17:55maaku:* maaku wonders if it possible to construct a p2sh script which puts a bounty on ECDSA malleability
19:18:03gmaxwell:not just heat dissapation instantly, but in the total cost of operating a computing infrastructure fabricated on modern process, if your compute job spans more than a month or so, power costs dominate your operation.
19:18:52tromp__:gmaxwell: i disagree, for a latency bound pow
19:18:57gmaxwell:So in terms of talking about commodity vs specialized hardware advantage, if you have something which reduces the total energy used on the commodity hardware, it may actually have provided less strength.
19:19:47gmaxwell:tromp__: I know you do, and you've not substantiated this position except to repeat it. We now have an existance proof that the 'scrypt' mining asics have more cost advantage over cpus than sha256 ones did.
19:20:48tromp__:i've subvstantiated that cuckoo cycle spends 5% on hshing and 95% on memory latency, whether single threaded or dozen-threaded
19:21:07gmaxwell:tromp__: yes, and the point there is thats bad.
19:21:09michagogo|cloud:maaku: Like the hash collision bounties?
19:21:37gmaxwell:hardware costs are amortized by reuse.
19:22:01michagogo|cloud:maaku: Seems to me you'd need to first eliminate all non-ECDSA malleability (non-DER encoding, etc) on a protocol rule level, not just IsStandard
19:22:20gmaxwell:I'm not going to waste my time arguing this with you right now. I suggested you take a crack at writing up a complete cost analysis, including operating costs.
19:22:49sipa:michagogo|cloud: https://gist.github.com/sipa/8907691
19:23:04michagogo|cloud:sipa: Yeah, I saw your gist
19:23:22michagogo|cloud:* michagogo|cloud checks if it's changed since he last saw it
19:23:55sipa:i updated it yesterday
19:24:22michagogo|cloud:7 revisions?
19:24:28michagogo|cloud:I think it was at 3 when I saw it
19:25:00sipa:it's just tiny changes, semantically
19:25:09sipa:there's 7th new rule now
19:25:54maaku:michagogo|cloud: yeah i think it'd be trivially doable if sipa's hard-fork were implemented
19:26:06michagogo|cloud:maaku: Right, but that's a prerequisite
19:26:06maaku:sipa: thanks for adding #7
19:26:41maaku:michagogo|cloud: I was thinking it might be doable with SUBSTR & CONCAT, but that's even more a moot point ;)
19:26:45tromp__:gmaxwell: i dont yet have the required data for a detailed cost analysis. i have to determine the limits of cpu and gpu multithreading first. i'm hopeful though that a cuckoo data center can run with passive cooling only.
19:27:38maaku:tromp__: the point is the goal you are optimizing for is actually really bad for the health of the network, and does not achieve what you purport to want
19:27:43michagogo|cloud:Heh, I'd never considered a script using OP_CHECKSIG without providing a pubkey or the hash of one
19:27:56maaku:but this has been argued here a hundred times, and like gmaxwell we all have better things to do than rehash it
19:28:39sipa:all except #1 and #3 could be added as IsStandard rules right now, i think
19:28:54sipa:#2 and #5 already are
19:29:36michagogo|cloud:sipa: Why except #1 and #3?
19:29:41michagogo|cloud:* michagogo|cloud thinks
19:30:14sipa:#1 would mean pretty much 50-80% of transactions created by non-bitcoind/bitcoinj wallets become non-standard
19:30:20sipa:#3 kills some script functionality
19:30:25gmaxwell:maaku: well I'm unsure if it can achieve what it proports to want. I consider it unclear right now. I have some evidence that it doesn't.
19:30:42michagogo|cloud:Oh, I see
19:30:48gmaxwell:sipa: oh is bitcoinj using low-s already?
19:31:02sipa:gmaxwell: not sure if any release does, but i hear mike implemented it
19:31:04michagogo|cloud:So it's not that they couldn't, just that doing so would have bad effects
19:31:25michagogo|cloud:(because people are routinely not doing that)
19:31:43sipa:#4 already exists as an IsStandard rule too
19:32:02sipa:but we could add #6 and #7 now
19:38:20michagogo|cloud:Heh, apparently there's a marketplace for trading "Real BTC" and "Gox BTC"
19:41:05RBRubicon:not just apparently
19:43:53maaku:sipa: does #3 kill any script funcationality we care about?
19:44:14maaku:*which isn't blockchain spam
19:45:06sipa:i believe there are some potential cases
19:45:43gmaxwell:reason to make the network rule a switch on the transaction.
19:46:58sipa:of course no problem making #3 an isstandard rule, as there currently is no standard transaction type that requires it
22:36:34amincd:we had a problem a while ago with people encoding messages in the Bitcoin blockchain using dust transactions. and it was solved by creating a minimum transaction value for txs that nodes will relay. I was wondering if the following alternative solution would work: relaying dust transactions (txs with below a threshold value) if the pay to address is a public key + a signature of the bitcoin address that the public address ha
22:37:43gmaxwell:no, you can can just embed data via the signature that way— plus, it makes you reveal the public key, which is unfortunate.
22:38:01gmaxwell:not to mention it would make the addresses huge.
22:38:17gmaxwell:though thats somewhat analogous to the P2SH^2 thing I suggested.
22:39:39amincd:from what I understood, the P2SH^2 is not a protocol rule, in that nodes wouldn't be required to follow it. I'd be concerned that malicious nodes/miners would include them in blocks
22:40:01amincd:^ would include transactions that don't follow the convention
22:40:05gmaxwell:amincd: it could be a protocol rule no less than what you suggest.
22:40:17gmaxwell:and again, if the signature is actually in the transaction you can encode data in it.
22:40:41gmaxwell:e.g. adopt a convention that K=1 the 'data' is your private key, now recover the data from the signature.
22:41:14gmaxwell:Alternatively you could use my self-certifying hashes, but they double the size of the hash, and probably take ~1ms to verify.
22:44:47amincd:what I suggested could be made into a protocol rule, rather than a convention, through a hard fork, but if it's possible encode messages in the signature, then it's DOA. I haven't heard read about the self-certifying hashes, I'll read up on it
22:46:14amincd:is the self-certifying hashes the P2SH^2 proposal or something different?
22:46:44sipa:something else
22:46:47gmaxwell:what I suggested could also be, and again, what you suggested still allows the covert channel.
22:47:21gmaxwell:Self-certifying hash is P = G*data, P2=to_point(H(P)), hash (what you put in the tx) = {P,P2*data}. To verify, compute P2 and check that P,P2,hash is a DH tuple by using pairing to solve the decisional Diffie-Hellman problem: pairing(G,hash) == pairing(P,P2)
22:50:38amincd:gmaxwell: if the P2SH^2 were made into a protocol rule, wouldn't the inner hash have to be included in the blockchain?
22:51:24gmaxwell:amincd: no, because a protocol rule could apply differently to non-burried blocks than it does to burried ones.
22:52:16gmaxwell:and — YET AGAIN— if you actually embed the data into the transaction so you can verify it on burried blocks (with either what you suggested or P2SH^2) you _do not eliminate the high bandwidth side-channel_.
23:10:08amincd:If the protocol rule is that non-buried blocks are treated differently than buried blocks, is that a form of 'cementing', and would that create issues with network splits, where some part of the network is disconnected from the rest for a long period of time?
23:14:44tromp__:tromp__ has left #bitcoin-wizards
23:14:57gmaxwell:nah, because the criteria can just be how many blocks exist on top of it. So it can be objectively performed the same by all nodes.
23:15:26amincd:thanks for the food for thought, I'll think on all this
23:17:36gmaxwell:this isn't to say I like it. I don't like any of these solutions _that_ much. SC-hash is cryptographically speculative (but a well tested construct for other purposes, which could only fail safe) and slow. P2SH^2 is a partial solution because you could still temporarily relay data.
23:18:18gmaxwell:Probably moving the entire transaction into zero knoweldge is the only way to really eliminate substantial side channels, and small side channels (e.g. like 8 bits per scriptsig) can never be eliminated.
23:43:32roidster:roidster is now known as Guest6827