00:00:34 | gmaxwell: | (though A15 parts also tend to have a lot more cache too, so on the latency bound stuff where they'd be more equal that still usually gives it an advantage) |
00:01:00 | gmaxwell: | it's like atom vs i7 |
00:01:25 | nsh: | how much is the low voltage or whatever hit it is that gives tablet/phone CPUs much performance for the same clock speed as laptops/desktops CPUs? |
00:01:34 | nsh: | *less performance |
00:03:13 | gmaxwell: | it's not a low voltage hit. It's just that they're saving power by using much simpler cores e.g. a7 in order and can only issue a limited set of instruction pairs concurrently, compared to the current i7 cpus which can have something like 100 instructions in flight at once, with something like 14 actually executing at a time if the mixture of ops and dependencies work out to permit it. |
00:03:46 | gmaxwell: | but all that out of order logic has a power cost. |
00:05:17 | nsh: | ah, thanks |
00:06:01 | nsh: | are there similar effects at play for memory or can one assume 1Gb tablet RAM =~ 1Gb laptop RAM? |
00:07:40 | gmaxwell: | the ram is usually a fair bit slower but otherwise it's comparable... wide fast buses draw a lot of power. Though newer socs are doing things like using fancy packaging where the ram is literally stuck on top of the cpu, which apparently lets them get away with a wider/faster bus in a given amount of power/costs. |
00:07:55 | Luke-Jr: | gmaxwell: but A15 requires non-free sw? |
00:08:23 | nsh: | * nsh nods |
00:08:30 | gmaxwell: | Luke-Jr: many of the A15 SOCs like the samsung one in the odroid require a mfgr signed bootloader. |
00:08:48 | Luke-Jr: | hm |
00:09:15 | gmaxwell: | At least talking to the novena folks before the SOC they are currently using was the only one that had non NDAed engineering specs and didn't have any crypto locking of the bootloader. Of course that might change at any time... they've been working on this design for a couple years now. |
00:09:33 | gmaxwell: | ('the only one' ... or at least the only one in the same relative performance class) |
00:09:56 | Luke-Jr: | * Luke-Jr wonders if they'll get to answering his email before the time limit is up |
00:11:24 | phantomcircuit: | gmaxwell, hmm vias |
00:14:32 | gmaxwell: | Luke-Jr: wrt ram... I don't think the A9s have anything like PAE (I think the a15 chips do, however), and it's 32 bits, soooo... |
00:14:53 | Luke-Jr: | crap |
00:15:38 | gmaxwell: | but then again I've never seen an a15 board with more ram in any case, perhaps it exists as some expensive part in a server environment. The novena seems to have the most ram I've seen on just about anything arm. |
00:16:19 | gmaxwell: | I bet we won't see arm systems with >4gb until people start deploying aarch64. |
00:17:02 | phantomcircuit: | gmaxwell, iirc the arm server products had 1gb per node |
00:17:26 | gmaxwell: | there are a bunch of arm parts that I've heard announced but could never find any place to buy. |
00:18:15 | gmaxwell: | e.g. internet is full of announcements about A57 parts (the 64 bit version of the A15), ... go find some board that has one for under $10k. |
00:20:17 | gmaxwell: | I can only guess that it's either all marketing vaporware or some big datacenter operator is swallowing all of them up. |
00:20:42 | phantomcircuit: | gmaxwell, dev boards made with engineering batch chips? |
00:20:42 | phantomcircuit: | ie wait a few months |
00:21:25 | gmaxwell: | well most of the a57 announcements were in december. I would normally expect a product to exist now. :P at least if it were actually 'done' when it was announced. :P |
00:47:36 | Luke-Jr: | well, I went ahead and ordered the $500 board; maybe I'll order a full unit too, but still undecided |
00:47:56 | Luke-Jr: | it's nice to not have to wonder if something will break-even… |
00:55:22 | gmaxwell: | Luke-Jr: you can mine on that fpga you know... :P |
00:55:43 | Luke-Jr: | gmaxwell: *maybe* if the heat is taken care of.. but the answer is a resounding NO |
00:55:50 | Luke-Jr: | (to whether you can break-even on it) |
00:55:52 | gmaxwell: | (oh perhaps you should contact them about getting access to a unit early so they can ship with BFG miner in the default install :P ) |
00:56:13 | Luke-Jr: | gmaxwell: I did email them with their contact form (though I didn't suggest early) |
01:27:16 | gmaxwell: | It's interesting that bytecoin also has the prunability problem that zerocash and zerocoin have. Seems like all the private transaction systems run into this issue. |
03:01:27 | Fistful_of_LTC: | Fistful_of_LTC is now known as Fistful_of_Coins |
04:45:55 | jctb_: | jctb_ is now known as jctb |
05:27:29 | gmaxwell: | ZeroCash paper on Hackernews: https://news.ycombinator.com/item?id=7765455 |
06:32:38 | jcorgan: | 896MB proving key |
06:39:08 | jcorgan: | is there a way to avoid the "trusted setup" using multi-party computation such that none of the generating parties has enough information to create fake proofs? |
06:46:15 | jctb_: | jctb_ is now known as jctb |
06:54:13 | jcorgan: | "Moreover, if one wishes to" |
06:54:13 | jcorgan: | mitigate the trust requirements of this step, one can conduct the computation of Setup using secure |
06:54:16 | jcorgan: | multiparty computation techniques; we leave this to future work. |
06:54:36 | jcorgan: | this is where gmaxwell steps in :) |
07:00:38 | gmaxwell: | MPC appears to be completely impractical for this stuff right now, so that's an armwave. :( (In fact, the more efficient active secure MPC proposals start by assuming you have an efficient and secure ZKP for general computation, so that the MPC participants can prove that they're playing by the rules.) |
07:01:22 | gmaxwell: | If it were a question of computing a single value... like a single block of AES encryption, then yes, that could be done. But it needs to produce hundreds of megs of pairing crypto public keys. |
07:02:04 | gmaxwell: | There are different ZKP systems proposed but only at the theoretical level that are based on different cryptographic underpinnings that don't have the trusted setup... but those are even further from production. |
07:02:58 | jcorgan: | :( |
07:03:21 | jcorgan: | it seems to be the main weakness |
07:03:25 | gmaxwell: | one possibility, since the proofs are pretty small— you could perhaps have N different trusted inits, and require N different proofs with the transactions for only an ~N fold increase in transaction size. |
07:03:45 | gmaxwell: | (also N fold increase in proving time and storage for the provers, which might actually be more of a problem than the rest). |
07:05:35 | gmaxwell: | Some people seem to think no one will care about the trusted init... It'll be interesting. Maybe the public is stupid enough that they won't care. OTOH, it's hard enough to convince people that this cryptocurrency stuff is robust (is it really?) that perhaps the easy trusted setup FUD will be too much. Hard to tell. |
07:06:44 | gmaxwell: | Given that Bytecoin (the not stupid altcoin) has worked out fairly strong privacy with fewer compromises and has it already deployed, it's not like ZeroCash will be the only available option. |
07:06:54 | jcorgan: | i suppose one could lessen the required trust by developing an init that would require the collaboration of all initialization parties to collude |
07:07:02 | gmaxwell: | (not stupid as opposed to the person or the completely pointless bitcoin fork) |
07:07:31 | jcorgan: | read through the comments on the link, will have to go study bytecoin now |
07:07:34 | gmaxwell: | jcorgan: well that's what MPC would do... but it looks impractical. |
07:09:22 | jcorgan: | * jcorgan also adds a deep-dive into MPC for my vacation reading :) |
07:49:12 | kostazert: | kostazert has left #bitcoin-wizards |
08:19:40 | sl01: | gmaxwell: prepare for lots of confusion after your pushing of bytecoin.org (because http://bytecoin.biz/) |
08:20:30 | gmaxwell: | Whats bytecoin.biz? |
08:20:39 | sl01: | the original bytecoin |
08:20:44 | gmaxwell: | oh jesus that thing still has a webpage? |
08:20:57 | sl01: | simple btc fork type alt |
08:21:08 | gmaxwell: | Well the _real_ bytecoin is https://bitcointalk.org/index.php?action=profile;u=490 |
08:21:12 | gmaxwell: | :P |
08:21:50 | gmaxwell: | (I assume he's the creator of the not-stupid bytecoin, though I tried asking him and he hasn't responded) |
08:23:34 | sl01: | also orig bytecoin (BTE) is traded on cryptsy and new bytecoin (BCN) isn't |
08:23:47 | sl01: | a lot of ppl gonna be buying the wrong thing :P |
08:24:47 | gmaxwell: | pft. welp anyone going around buying up altcoins to speculate is doing something kinda inherently foolish in my book. I can't save them all. :P |
08:25:03 | sl01: | haha |
09:13:59 | _ingsoc: | The new Bytecoin is 80% premined... |
09:14:14 | _ingsoc: | The CryptoNote one. |
09:17:09 | gmaxwell: | I dunno anything about the history, seems like it's existed and been known about for a while but got ignored by many people (including me) who confused it with other stuff. I don't really care though, the technology is interesting. Maybe for like 5 minutes in my life we can have a conversation about cryptocurrency technology without rabid speculators crapping over the whole discussion. |
09:17:36 | _ingsoc: | Hah, we can but dream. :P |
09:17:52 | _ingsoc: | Too many egos to trip over. |
09:21:26 | Luke-Jr: | hm |
09:21:33 | Luke-Jr: | I wonder if 80% premine keeps the scammers away? |
09:21:54 | _ingsoc: | Luke-Jr: No. :) |
09:22:06 | Luke-Jr: | aw |
10:20:19 | sl01: | anyone have any opinions on how safe the DH 1536bit group from RFC 3526 is? it's been the group that OTR has used since the beginning, so seems the motivation to do an index calculus attack on it would be huge as it would render OTR into plaintext essentially |
10:27:49 | nsh: | opinion: it's probably safe for now -- justification: less clear |
11:39:58 | fanquake: | fanquake has left #bitcoin-wizards |
16:37:00 | tromp_: | out of curiosity, gmaxwell, where does the hackernews handle "nullc" originate from? |
16:42:36 | andytoshi: | jcorgan: trustless-setup MPC is very new (and completely impractical), iirc 2 years ago it had not been done |
16:45:45 | andytoshi: | yeah, the first one was BZ13 and used program obfuscation which has really shifty assumptions (and at the time way way worse ones) and is completely impractical |
16:46:57 | andytoshi: | last month zhandry http://eprint.iacr.org/2014/301 gave a construction using witness PRFs instead, which still require multilinear maps but are perhaps feasible |
16:50:23 | nsh: | it's a lot easier and more reliable to blow up the computer with a grenade once you've printed out the public parameters |
16:50:55 | nsh: | (preferably in a faraday cage, in the desert) |
16:51:30 | andytoshi: | this is true, it's hard to verify tho |
16:52:41 | andytoshi: | oh, sorry, zhandry 2014 is just multiparty key exchange, not MPC |
16:54:22 | andytoshi: | it might be possible to extend their result from key exchange to some specific CRS setup, these wPRFs are pretty general tools.. |
17:47:48 | gmaxwell: | tromp_: "Null Character", which seemed like a perfectly cromulent BBS handle when I was 13. I still use it on random throwaway sites (e.g. I used it on HN and reddit back when they were far less popular and I didn't expect to see them again). |
17:49:09 | gmaxwell: | andytoshi: there is a pretty straight forward rsa math like passively secure (secure against curious but honest parties that will follow the protocol, insecure if they don't follow protocol) MPC ... to make it actively secure, all you've got to do is run it inside a ZK-SNARK… |
18:18:08 | gmaxwell: | sipa: isn't the usecase for the batch inversion doing a batch verify? If its enough of a speedup it could be worth while even if only the invert is batched. |
18:20:32 | sipa: | well, batch verify right now is pretty pointless (except for batch verifying compact signatures, where the full R can be recovered without doubling the number of attempts) |
20:26:14 | andytoshi: | gmaxwell: are the security requirements for MPC very different from those for multiparty key exchange? |
20:26:23 | andytoshi: | that is, can you get one from the other? |
20:28:27 | gmaxwell: | so, multiparty key exchange is trivial unless you require it to be a single round. In MPC I could imagine that there are places where things like multilinear cryptography could allow much better scaling (e.g. single round multiplies) but that's not usually the main concern. |
20:31:26 | andytoshi: | i gotcha |
21:16:37 | gmaxwell: | I wonder if my response of bitcoin development will get Justus to stop being rude to people. |
21:20:17 | helo: | sounds like reasonable criteria for personal attacks :) |
21:24:14 | sipa: | it doesn't invalidate the request for a written social contract though |
21:24:30 | sipa: | but it shouldn't be seen as a promise by some people to do or not do some things |
21:24:52 | sipa: | just as a way for getting agreement on what the consensus is about how the system should behave |
21:30:25 | michagogo: | And there doesn't have to be one single one dictated by any person or group of people |
21:30:39 | michagogo: | Someone can come up with one. Anyone who agrees with it can sign on, or create their own |
21:30:48 | sipa: | indeed |
21:31:22 | sipa: | it might have been nice if satoshi had written one, as that would have implied that every single user of the system ever agreed with it |
21:31:44 | sipa: | not because he designed the system, but because he was the first user of it :) |
21:34:58 | michagogo: | Well, it would have been (temporarily) true :P |
21:35:13 | michagogo: | But I suspect he didn't realize it would eventually become this huge |
21:35:15 | gmaxwell: | Well, to me the p2p foundation post had that effect— but a lot of people haven't seen it. And even there you can extract some pretty different meanings from it. |
21:35:21 | michagogo: | Of course, I could be wrong |
21:36:59 | gmaxwell: | Besides, it's never that easy. Technology exists to serve man. What happens if you have something where everyone agrees, but their needs change? Are they all screwed because some paper said they must be? ... maybe, they ought to be if really the only alternative is a political free for all, where everything is subject to trust and popular whim. |
21:37:43 | hearn: | the US constitution is an interesting case study in the nature of social contracts over time |
21:38:17 | hearn: | sipa: i guess the white paper, P2P foundation post and the website front page were meant to lay out the point of the project. not sure there’s much of a social contract beyond that. |
21:43:43 | gmaxwell: | (e.g. read different things, I take points about trustlessness— the example of how strong crypto (and implicitly personal computing) remove our need from having to trust a sysadmin to protect our secrets, pretty strongly. It resonates very strongly with things I've cared about for a long time. Other people walk away with a greater emphasis on transaction rent seeking and micropayments— stuff I care less about. "It's only money" ... |
21:43:49 | gmaxwell: | ... and "transaction fee gouging can be avoided by not spending so much money" :P) |
21:55:09 | hearn: | but is bitcoin really comparable to encryption? crypto gives an unbeatable barrier to reading a message regardless of how strong a consensus about reading it might be. but bitcoin isn’t like that. it’s up to humans whether to pay attention to the database or not. i know satoshi compared it to strong crypto, but i’m not sure his analogy holds |
21:55:50 | sipa: | it's strong crypto - apart from one thing: the order of otherwise valid transactions :) |
21:57:10 | hearn: | where is the crypto? |
21:57:23 | sipa: | ecdsa |
21:57:33 | hearn: | sorry. i was using it as an abbreviation for encryption. |
21:58:02 | hearn: | ecdsa makes a signature. signatures can’t “beat” humans in the same way encryption can. it’s just a …. well, it’s just a signature. it can be ignored. like a Kings Seal. |
21:58:15 | sipa: | right, i see your point |
21:58:46 | sipa: | but it's as good as proving something is authentic as encryption is at making it impossible to read |
21:59:28 | hearn: | right. it stops individuals from attempting to corrupt a consensus through falsification of identity (handwaving away key theft and other practical concerns). but if the human consensus changes, the meaning of the signature becomes irrelevant. encryption isn’t like that. |
21:59:40 | sipa: | agree |
22:01:24 | hearn: | it would be interesting to try and calculate the cost of attempting to retroactively change a bitcoin-like consensus given a varying number of participants |
22:01:25 | gmaxwell: | Digital signatures are very much part of cryptography in general— they allow us to take fuzzy and non-transferable things like handshakes and signatures on notes and turn them into very strong seals. And more the effect— without encryption we're much more exposed to the fancy of the people we're dealing with, with it less so— maybe still to the whim of society at large. |
22:03:25 | hearn: | e.g. some bitcoins are stolen and there’s some very strong, undeniable evidence it was stolen (not sure what that’d be). is there a function f(n, t) that gives the cost of contacting a large economic majority of size n within time t, giving them the evidence, convincing them to undo the consensus, and the resulting damage from transaction chain rollbacks |
22:03:31 | gmaxwell: | Even on the encryption part— encryption might protect your secrets in a way that even if all of society disagrees they're still protected. ... of course, all that protection does you no good if they decide to burn you at the stake anyways! :) |
22:03:54 | hearn: | we tend to assume the result of f(n,t) is so high as to be impractical today, and i suspect that’s true. |
22:04:06 | hearn: | i mean, true for basically any n/t |
22:04:56 | hearn: | it’s not as good as the heat-death-of-the-universe type hardness encryption can give, but i wonder if it’s as good in practice. like, are you just arguing about the relative impossibility of two impossible things |
22:05:19 | gmaxwell: | hearn: well, there is the ozcoin strongcoin thing. But for all of bitcoin, it's harder, in principle it's desirable to (regretfully) decline to help there, because without the stronger position there is no clear place to draw a line... and almost any place of line drawing implies extreme increases in transactional costs that we're trying to avoid (basically line drawing degrades the illusion of fungibility that makes it cheap to accept ... |
22:05:25 | gmaxwell: | ... coins; and also increases exposure to a multitude of abuses). |
22:05:32 | nsh: | "Take courage! Play the man, Master Ridley. We shall this day light such a candle, in England, as by the grace of God shall never be put out!" |
22:06:45 | hearn: | gmaxwell: indeed. but i think it works both ways. i moderated a rather interesting panel (well, interesting by conference panel standards) in amsterdam about secure coins. the conversation drifted onto the question of whether in a bitcoin-based world, our society would be essentially quasi-communist |
22:07:04 | hearn: | because people would be afraid to be rich, lest they make themselves a target for consequence-free hacking or extortion |
22:07:14 | gmaxwell: | I think societies accept all kinds of compromises: We put lots of innocent people in prison, sometimes for life (and in some places in the US we execute people who are sometimes innocent) for the sake of having a (maybe?) functioning criminal justice system that discourages crime and (maybe) rehabilitates criminals. Likewise, it's arguably a completely reasonable tradeoff to say we will not repair some thefts because repairing them ... |
22:07:19 | hearn: | so everyone ends up sharing the wealth and we get a kind of very even distribution of money :) |
22:07:20 | gmaxwell: | ... means we take other costs. |
22:08:24 | nsh: | hearn, that's an interesting idea, but probably unrealistic. in any world i can conceive of, security still scales pretty well with affluence... |
22:09:18 | hearn: | maybe? rich people still use the same phones and operating systems the rest of us do. it’s not like there’s a luxury high quality software stack that only rich people can afford. even google uses openssl … :) |
22:09:37 | hearn: | over time it seems, actually, that mass manufacturing and economies of scale have reduced the quality of life difference between rich and poor |
22:09:44 | nsh: | mm |
22:10:10 | hearn: | e.g. bill gates wears the same denim, uses the same gadgets, drives on the same roads, travels at the same speed as someone who is basically average or even a student |
22:10:28 | nsh: | depends on how you integrate the wealth curve. there are more poor people than there have ever been... |
22:10:49 | gmaxwell: | I think my software stack is better than joe-average's desktop, certainly my ability to protect myself is greater due to a multitude of privileges— not all of which stem directly from access or proximity to wealth, but all are basically improved by it. |
22:10:56 | nsh: | (but back to crypto..) |
22:11:28 | gmaxwell: | (also, the ability to survive a loss— ripping off my checking account isn't going to put me on the streets.) |
22:11:35 | nsh: | * nsh nods |
22:11:47 | sipa: | gmaxwell: really? i'm sure someone who has no money to pay for electricity has less chance to get his desktop system compromised on the internet :p |
22:11:52 | hearn: | gmaxwell: once you get above subsistence level, i guess that’s a time/interest thing rather than a wealth thing. there are plenty of poor people in places like brazil who are using linux and so on |
22:12:08 | nsh: | certainly the enfranchisement of accessibility to knowledge means that your security can depend on your ability and ambition for self-development with less of a barrier-to-entry than ever before |
22:12:09 | nsh: | that's great |
22:12:47 | nsh: | right, cf. the eastern-european infosec/programmer brain-pool |
22:13:02 | nsh: | those guys grew up in relative deprivation, but had access to microcomputers and a thriving knowledge-sharing economy |
22:13:06 | nsh: | it paid off |
22:13:18 | gmaxwell: | nsh: yes, you're looking at outliers by definition however. |
22:13:27 | nsh: | true, good point |
22:13:48 | hearn: | consider that it’s not only your security that matters. it’s also the security of the people you care about, around you, because of the possibility of kidnap/extortion. so perhaps rich people can afford to live in a luxury bunker. but can all their friends and family? |
22:13:55 | nsh: | it's hard to regress back to the mean; i live a pretty sheltered existence amongst the outliers |
22:14:00 | hearn: | not sure how you can solve that one |
22:14:23 | nsh: | gated-communities, usually |
22:15:02 | nsh: | or perhaps subsumed into corporate super-organisms |
22:16:20 | nsh: | it sometimes feels like i've been living during the (start of the?) analogous era to when eukaryotes emerged |
22:16:25 | hearn: | having to move into a gated community and being afraid to leave because my friend won SatoshiDice would suck. |
22:17:04 | gmaxwell: | (this is a reason that privacy is important…) |
22:17:27 | nsh: | * nsh nods |
22:17:49 | hearn: | privacy is somewhat at odds with enjoying your newfound wealth though. |
22:20:10 | hearn: | i sometimes wonder if satoshi will ever spend his coins. it seems that if an ordinary computer programmer started buying big houses and fancy cars, or whatever it is rich people spend all their money on, and he couldn’t explain to anyone how he became so rich … that’d inherently attract unwanted attention |
22:22:08 | midnightmagic: | hearn: or he's a neuromancer fan and realises that long-term he might end up like tessier-ashpool on freeside.. |
22:22:15 | midnightmagic: | or his kids. |
22:22:27 | hearn: | unfortunately i didn’t get to that bit of pop culture yet :) |
22:22:46 | sipa: | satoshi was just invented by asic fabs |
22:22:48 | midnightmagic: | it's been 30 years man. :) |
22:22:53 | midnightmagic: | catch up |
22:23:02 | hearn: | i’m still working my way through neal stephenson :) |
22:23:17 | hearn: | fortunately nowadays we have wikipedia plot summaries! civilisation! |
22:23:22 | midnightmagic: | that's wayyy after william gibson |
22:24:23 | midnightmagic: | stephenson is cool oases of ideas in a dry desert of prose. gibson is more like.. poetry and artistry. |
22:25:02 | midnightmagic: | although i do like the rat-things.. |
22:31:15 | Emcy: | i see we are discussing life in a libertarian paradise |
22:37:35 | hearn: | i’m not sure it’s libertarian, per se. i guess you could have a cash based authoritarian society with the same problems |
22:37:39 | Emcy: | i might even get to read some gibson and stephenson and related if i ever unbrick my bloody brand new tablet |
22:38:19 | hearn: | interesting crypto paper of the week: http://eprint.iacr.org/2014/345.pdf … maybe PIR will eventually actually work after all |
22:38:34 | Emcy: | hearn baiting libertarians is fun :p |
22:40:52 | gmaxwell: | path oram is a fun protocol, only takes a few minutes to implement. I boggle at running it under homomorphic encryption and considering the result fast. But I guess it's only ~2 HE operations per access. |
22:45:56 | hearn: | 30 mins to query 4.2 million records |
22:46:25 | hearn: | with an unoptimised implementation. i’m still reading but they claim 1-3 orders of magnitude speedups possible with optimisation |
22:46:40 | hearn: | that’s getting into the territory where it might be useful for redphone and textsecure |
22:47:36 | gmaxwell: | I have queued the paper for reading, but I expect there are some limitations on the basis of understanding that it's using path-oram. I suspect the querying party has to author the database initially. |
22:47:37 | jcluck: | jcluck is now known as cluckj |
22:47:52 | gmaxwell: | (or at least someone trusted by them) |
22:52:41 | hearn: | ah yes. reading on, i think you may be right |
23:01:32 | gmaxwell: | path-oram lets you very simply have completely private remote storage (data is private as well as the details of your access patterns, other than the total amount of usage)... the cost of path-oram is that each read/write has a log(storage size) scale overhead. Seems they invoke the homomorphic encryption here to remove the overhead. |
23:02:31 | nsh: | Emcy, bricked a brand-new 11" tablet too. about two months ago. still haven't bothered getting it sorted out. :( |