00:32:31home_jg:ebfull, amiller, kjj: bounty payment sent, txid 97257558d7402033ba41fd671fdfdde23b77918a64664523f1415fe246b06a6c
00:32:38home_jg:home_jg is now known as jgarzik
03:24:41jcrubino:is nlock time reinstated into the standard client protocol?
04:29:55jps_:jps_ is now known as jps
05:14:03maaku:jcrubino: nlocktime has always been part of the protocol
05:14:09maaku:also, #bitcoin-dev
06:47:13ericp5:ericp5 is now known as ericp4
08:02:43hearn_:hearn_ is now known as hearn
08:13:35quickcoin23j23j:quickcoin23j23j is now known as quickcoin
15:38:07sl01:screen -x
16:34:31ajweiss_:ajweiss_ is now known as ajweiss
17:34:35mapppum:mapppum is now known as mappum
20:04:30ghtdak:ghtdak has left #bitcoin-wizards
21:10:22zack-bitcoin:im bad at irc. this might be repost. I am trying to make a secure cryptocurrency without any proof-of-work https://github.com/zack-bitcoin/slasher It is based off of slasher to solve the nothing-at-stake problem. http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/ It can run 5 nodes on your computer and maintain consensus between them.
21:11:54maaku:zack-bitcoin: slasher doesn't solve the nothing-at-stake problem btw
21:13:53zack-bitcoin:I realize that slasher as stated in the blog post does not solve nothing-at-stake. My implementation has a census block every 2000th block which requires 40% of all coin-holders to sign. This is one of the ways to fix slasher.
21:15:50Eliel:zack-bitcoin: that sounds somewhat dangerous... what happens when the amount of lost coins approaches 60% or goes over it?
21:16:42gmaxwell:zack-bitcoin: That doesn't sound like it stops simulation. Imagine at time 10 maaku and I have >50% stake. We mine. Then by time 15 we sell off or stake and leave the network. At time 1000 our keys fall into evil hands, and the evil party goes back to time 10 and constructs a new complete network history? (really, I think the costlessness of creating an indistinguishable simulation is the most fundimental example of nothing at stake)
21:19:54Eliel:reading stephen reed's cooperative proof of stake reminds me of what my own half baked idea. It was essentially a massively entangled authenticated tamper-proof log.
21:20:11zack-bitcoin:We could distribute the initial coins evenly to 100+ people, and do our collective best to make sure no individual gains more than 50% stake at any time in the last 2000 blocks. (about 2 weeks)
21:20:35zack-bitcoin:s/50% stake/40% stake
21:21:32gmaxwell:zack-bitcoin: but no individual had in my example, I fear you missed the point.
21:21:36Eliel:I'm slowly starting to understand the nothing at stake problem...
21:23:55gmaxwell:zack-bitcoin: you see after maaku and I left the system there was no incentive for us to protect our old keys— perhaps even someone bought them from us. If an attacker can amass keys that controlled a lot of stake in the past but don't anymore (not even 50% but whatever is needed to make the network go, sounds like 40% in your case) then they can just create an alternative history that a new peer couldn't distinguish.
21:25:57maaku:and if signer selection is done by deterministic algorithm over the block history (what else is available to delegate the problem to?), then the attack works for smaller sets of keys and grinding blocks to name yourself as a signer
21:27:03Eliel:gmaxwell: do you think PoS is at least useful to improve the 51% attack resistance of a PoW system?
21:27:09zack-bitcoin:There is a 2 week time period between census blocks, and the attacker needs to purchase keys from 51% of all coins holders, which will be dozens of people. It is very improbable to collect all these secrets.
21:27:38gmaxwell:zack-bitcoin: they have forever to do it— and why would it be hard? the keys are worthless after people left the system.
21:28:42zack-bitcoin:you deterministically elect accounts based upon how much money they had 2000 blocks ago. you cannot grind blocks to make yourself signer. census blocks are too close together to make it profitable. The earliest secret you don't know about is from 900 blocks ago.
21:28:44gmaxwell:maaku: what zack was saying sounded like it invoked a large quourum signature, which would limit the boost you can get from simulation mining. (otoh, it creates a vulnerability to obstruction)
21:29:12zack-bitcoin:the census blocks are a limitation. the census block is every 2000th block. 40% of all coin-holders have to sign it.
21:29:38gmaxwell:zack-bitcoin: you keep repeat this but you have yet to address my very simple example.
21:29:42maaku:zack-bitcoin: and if 61% of coins are offline/lost?
21:30:34gmaxwell:Eliel: maybe, the issue is that is seems every attempt to that end (including my own) creates new attacks. Obviously if there were actual majority hashpower attacks happening then they'd be more justified, but absent them so far none have sounded to me like a great tradeoff.
21:31:23zack-bitcoin:gmaxwell, I am trying very hard to answer your simple example... you are worried that old keys will not be protected, correct? That you can get 60% stake from a long time ago, and build a chain from that point?
21:32:11Eliel:so the root of the problem is that you can keep trying to rebuild the history without any real cost until you manage to do it...
21:32:15gmaxwell:zack-bitcoin: yes (well whatever stake is required to continue the network, in plain POS proposals you would only need a tiny amount, but hey— just assume I could get >half for the purpose of dicussion)
21:33:08gmaxwell:I could even, for example, buy up lots of coins myself at the point in time, and later rid myself of them, while stealing or buying up old keys from other people who have also since left the system.
21:33:52Eliel:(you could also run an exchange)
21:34:03gmaxwell:or hack one, or buy out the wallet of a defunct one.
21:34:03Eliel:and then later use those keys for the attack
21:34:08zack-bitcoin:census blocks could be hard-coded into the sourcecode as they happen, to ensure they are never re-produced?
21:34:35sipa:yup, centralization will solve all these problems
21:34:42gmaxwell:zack-bitcoin: then you haven't built a decenteralized consensus system. Why not dispense with the blockchain entirely?
21:35:07jaekwon1:gmaxwell: you're right, i believe there's nothing stopping a group from creating an alternative chain that is indistinguishable from the "correct" chain, in a pure PoS algorithm. but it is possible to ensure that such a fork doesn't happen within the past X blocks from now. Practically, this means users are responsible for reconnecting to the network every X blocks, or placing trust in nodes that are persistently connected.
21:35:16jaekwon1:zack-bitcoin: have you seen this? http://tendermint.com
21:35:41gmaxwell:jaekwon1: how are you repsonsible for connecting evey X blocks when you haven't even been born yet? :P
21:36:02jaekwon1:How does a new Bitcoin user even know that he's actually connected to the bitcoin network, and not some sham network?
21:36:44gmaxwell:jaekwon1: because they can keep connecting to more and more hosts, and if they _do_ ever connect, they'll reconize it. Information being hard to suppress is an explicit security assumption in Bitcoin.
21:37:04gmaxwell:(which all other systems have too)
21:37:05jaekwon1:that's only true if the sham network isn't disconnected from the true one.
21:37:41gmaxwell:the sham network can be disconnected but the user can't be persistantly partitioned from the honest network.
21:37:58jaekwon1:user can, if the client has been modified.
21:38:17jaekwon1:a new user has to trust.
21:38:21gmaxwell:if the client has been modified it might well just by a GUI on paypal. No promises of behavior can be made in that case.
21:38:28gmaxwell:No, a new user can audit their software.
21:39:19jaekwon1:a user who can audit his software also has the ability to find out what the "correct" chain is in a good PoS system
21:40:05gmaxwell:jaekwon1: There is no 'correct' chain within the defintion of the system, which is why its an example that that class of approach is broken.
21:40:15jaekwon1:there is, actually, in tendermint.
21:40:59jaekwon1:forks are possible, but one who always reconnects within X blocks in tendermint will always know what the "correct" chain is.
21:41:45gmaxwell:Under what assumptions?
21:43:34gmaxwell:Are you still using Zooko's bonded mining approach? It fails if the reorg just goes deeper the the bond duration.
21:43:41maaku:* maaku wishes we had a separate channel for proof-of-x discussions
21:43:52jaekwon1:practical assumptions, that validators are incentivized by coins, and that 1/2 or 2/3 of validators remain online, from one block to the next. 1/2 in the synchronous case, 2/3 for partially synchronous.
21:44:13jaekwon1:reorgs? there are no reorgs in the bitcoin sense.
21:44:35gmaxwell:gmaxwell has left #bitcoin-wizards
21:46:08andytoshi:maaku: i'd write an article about this but people consistently ignore the arguments presented, so i have no idea where the misunderstanding might be
21:46:35jaekwon1:what arguments?
21:47:23jaekwon1:anyways, jesus, i feel like others are ignoring my arguments. i'm telling you, pos consensus is practical, even in cryptocurrencies.
21:47:28andytoshi:the costless-simulation argument and specifically the "no 'correct' chain" argument
21:47:44andytoshi:jaekwon1: and you're wrong, and this has been explained to you over and over
21:47:56jaekwon1:have you actually read my paper?
21:48:08ebfull:how are there no reorgs in tendermint?
21:48:15ebfull:if there are multiple paths to consensus, there has to be reorgs
21:48:17jaekwon1:define reorg, ebfull. then i can answer.
21:48:20ebfull:if forks are possible
21:48:39jaekwon1:right. no forks are possible given the assumptions about byzantine control of voting power.
21:48:43jaekwon1:you solve costless simulation with bonding.
21:49:03maaku:jaekwon1: your assumptions will fail. then what happen?
21:49:04jaekwon1:that gives you X blocks (unbonding period), like a bubble in time in which there is definitely consensus happening.
21:49:09andytoshi:andytoshi has left #bitcoin-wizards
21:49:32jaekwon1:anyone can identify the correct chain by staying in the bubble.
21:50:41jaekwon1:maaku: practically, human intervention should happen. same thing as when say, bitcoin's mining gets attacked by a 51% pool.
21:51:20sipa:it was human intervention that created bitcoin in the first place, and the choice to value it as well
21:51:30sipa:of course human intervention will happen if things go badly
21:51:49helo:does turning and running in the opposite direction of the algorithm count?
21:51:52jaekwon1:unlike as in mining, it's easy to identify who's attacking consensus in a PoS system. so in that sense maybe it's easier to recover from than bitcoin.
21:52:04sipa:but the exercise that i think many in this channel try to do is designing a system that doesn't need such interventions
21:52:35jaekwon1:yeah, well, it's probably not possible at all, even with mining.
21:54:51maaku:jaekwon1: there is a difference between your system and bitcoin in this scenario
21:55:19maaku:with proof-of-work, the honest miners would stay on the old chain and eventually overtake the attacker, and all nodes will reorg back
21:55:35maaku:which sortof describes what happened in 2013
21:56:05maaku:that is to say that your average node will automatically get back on track with the correct consensus once the situation is resolved
21:56:09maaku:that is a very, very important property
21:56:23jaekwon1:eh, honest miners would switch to a new chain if it were longer. the only reason why they didn't in 2013 is because the "new" fork was invalid due to a bug, or something.
21:56:38maaku:jaekwon1: no, the "new" fork was not invalid in 2013
21:56:49maaku:it was actually more valid in a strict sense
21:59:08jaekwon1:the reason why the "old chain" remained and won out is because the other chain was invalid for them.
21:59:28sipa:the rule is that the longest valid chain wins
21:59:39sipa:if the software works correctly, no nodes disagree about which chain is valid
22:00:03sipa:non-resolving forks only appear due to bugs (or partitioning the network through other means)
22:00:35maaku:jaekwon1: i was here when that happened. we had a debate in #bitcoin-dev and aggreed to build off the pre-leveldb chain, even though the majority of the network had updated and it exhibited undocumented restrictions
22:02:02jaekwon1:i think you're arguing that pow mining is superior to pos in some sense because who "wins" is determinable post-facto by measuring the work done on each chain.
22:02:32nsh:* nsh frowns
22:02:59jaekwon1:* jaekwon1 grimaces
22:04:23jaekwon1:yet it's possible to construct the protocol such that forks don't happen in the first place.
22:04:45jaekwon1:given sane assumptions.
22:04:46nsh:a partitioned network is forked by definition
22:04:56sipa:i'm sure it is possible under some assumptions
22:05:00nsh:(and the network is always partitioned)
22:05:04sipa:i'm unsure about how sane they will be :)
22:05:10nsh:it just has very tiny tears most of the time
22:05:26jaekwon1:you always require 2/3 of votes on a block for it to be a "valid" block.
22:05:39jaekwon1:and you punish signers who sign twice at the same height.
22:05:51jaekwon1:now how do you get a fork, unless 1/3 or more get punished?
22:06:03jaekwon1:and, the punishment is pretty severe.
22:06:42jaekwon1:e.g. they lose all of their bonded coins.
22:07:06jaekwon1:so, assuming more than 1/3 never commits suicide, forks aren't possible.
22:07:35sipa:how will you be certain to learn about signers signing twice?
22:07:46sipa:or rather, how will everyone agree on which signers have signed twice
22:07:53sipa:actually, i should read the paper first :)
22:07:53jaekwon1:read the paper. http://tendermint.com
22:08:58zack-bitcoin:the tendermint paper is really long, and it uses language I am unfamiliar with. If it is so good, how come no one has made a simpler description?
22:09:14jaekwon1:hmm, what's confusing?
22:09:34sipa:sipa has left #bitcoin-wizards
22:09:41stephenreed:jaekwon1: I just skimmed your paper. I too reference the BFT survey. It looks like you modify the blockchain.
22:09:42jaekwon1:the language is partially motivated by literature in byzantine consensus protocols.
22:10:10jaekwon1:stephenreed: modify the blockchain? as in, it's different than bitcoin? yeah.
22:10:55zack-bitcoin:oh! tendermint is the pos bonds idea
22:11:10zack-bitcoin:you want to let people puchase the ability to vote on future blocks?
22:11:40jaekwon1:as it is in the paper, that's what happens. other schemes are possible.
22:12:01zack-bitcoin:What if I buy a massive amount of bonds for a couple blocks, and on those exact couple blocks, I spend a ton of money, and then I use my massive amount of stake to double-spend?
22:12:33jaekwon1:if it's so massive that you actually cause a fork, you'd lose your massive bond.
22:13:00jaekwon1:as it is in the paper, human intervention would be required to recover from that, but your coins are lost either way.
22:13:33zack-bitcoin:I think that selecting pos signers at random is kind of like having everyone 100% invested in bonds all the time. It is more secure.
22:13:39stephenreed:jaekwon1: I need to go now, but I would like your critique of my whitepaper at https://docs.google.com/document/d/1C4m-MFnxw0JjDorzrKs_IRQRqD9ila79o0IDt6KsbcE . I use peer attestation of tamper-evident logs to get BTF with less than 50% faulty peers.
22:14:20jaekwon1:ok, i'll read it. also, come to #tendermint if you want to discuss more of tendermint. seems like some people don't like PoS discussion here.
22:14:52justanotheruser:jaekwon1: scamcoins are off topic
22:14:55jaekwon1:zack-bitcoin: if you only require a small set of signers to sign at every block, then you end up with a chain that can be forked.
22:15:09stephenreed:jaekwon1: read this first - it has math http://iris.csail.mit.edu/irisbib/papers/aaom:sosp21/paper.pdf
22:15:16jaekwon1:justanotheruser: i agree that all existing PoS coins suck.
22:15:46zack-bitcoin:I think value units and stake units should be seperated. there should be only like 1000 units of stake. Each unit should be traceable.
22:16:02stephenreed:jaekwon1: Code will speak for itself - with enough good test cases.
22:16:52jaekwon1:zack-bitcoin: i've been thinking about that. that might be better, yeah. either way, i need to decide the *rest* of the coin, e.g. whether it has a turning complete language, a market, multiple coins, debt instruments, etc.
22:17:05jaekwon1:zack-bitcoin: please come to #tendermint later :)
22:17:44sl01:anyone understand what vitalik means by this "solution" for the proof of stake problem? One solution, for example, is to note that every block must have a timestamp, and users reject chains with timestamps that are far ahead of their own. A long-range attack will thus have to fit into the same length of time, but because it involves a much smaller quantity of currency units its score will be much lower
22:18:00sl01:from: http://blog.ethereum.org/2014/05/15/long-range-attacks-the-serious-problem-with-adaptive-proof-of-work/
22:18:28jaekwon1:vitalik's PoS system still involves an element of PoW.
22:18:42jaekwon1:and that PoW, he's thinking, should involve data on teh blockchain.
22:18:43sl01:no i dont think this proposed solutin included pow at all
22:18:50jaekwon1:read slasher. it does.
22:19:16sl01:read that post, starting at Proof of Stake
22:19:35sl01:pretty sure those 2 solutions he porposes are for pure PoS
22:19:50sl01:he goes on later to mention hybrid
22:20:27arubi:sl01, I think it's because coin age is absolute in a certain X time
22:20:50sl01:ah, so timestamp is something derived from coin age?
22:21:01arubi:even if you generate X10 more blocks in a certain time, those blocks would still have the same coin days destroyed in them
22:21:19sl01:yea ok i think that makes sense
22:21:22arubi:and more fees are being wasted
22:21:58arubi:yea, it's a kinda "guard" against honest parties that want to generate more blocks, but it doesn't solve malicious parties
22:22:17arubi:(who don't care about the value of their stake)
22:22:24jaekwon1:you're right. if you try to measure blockchain "score" or "fitness" by adding up the amount of stake votes, then you have a problem because blocks are easy to create. e.g. such a "score" or "fitness" of the blockchain is gameable. the solution is to make blocks "precious", and vitalik's idea is to limit them by time.
22:22:58zack-bitcoin:If block-reward is negative, we don't need to worry about blocktimes or difficulty or POW. People wont make blocks until it is economically viable.
22:23:40jaekwon1:that's still tricky. you need to prevent double spends to really make it economically unviable.
22:24:29arubi:I think the hardest problem with a consensus network (such as pos scheme coins) is censorship.. can't think of one implementation that addresses that
22:24:55jaekwon1:lets say i send Bob 1 million bitcoins, and then I incentivize > 50% of miners to start mining on a fork where I send 0.8M to myself and 0.2M to the miners who help out. How do you stop that?
22:25:02arubi:yea, not relaying, or not inserting certain tx's into blocks
22:25:32arubi:jaekwon1, there are rules as to which tx came first
22:25:47jaekwon1:arubi: i mean, fork from many blocks ago.
22:25:52arubi:if you're artificially sending tx's to miners, then that's outside the rules and anything can happen
22:26:04arubi:many blocks ago in pow?
22:26:32arubi:you can't change just one block in the past
22:26:51arubi:you'd have to re-mine the blockchain from that point on, and still be further away from the real chain
22:27:10arubi:I mean, have a larger chain
22:27:17arubi:that's impossible with a good pow
22:28:02jaekwon1:my point is, it's possible to incentivize a majority of miners to fork the blockchain in bitcoin.
22:28:09amiller:zack-bitcoin, that's assuming people are expected utility maximizers which is empirically not true and besides that based on suspect axioms IMO
22:28:44arubi:jaekwon1, miners can mine whatever they want, nodes will either accept the block or not
22:28:55arubi:depends on the rules
22:29:37michagogo_:michagogo_ is now known as michagogo
22:30:29jaekwon1:arubi. sure. my point is, you can't in tendermint. the only way to create a fork or to double spend is to incentivize miners to lose all of their junk.
22:31:04arubi:how does a miner decide which tx's get into a block?
22:31:19justanotheruser:jaekwon1: sorry for that earlier comment, I thought this was #bitcoin
22:31:29jaekwon1:justanotheruser: no problem :)
22:32:13arubi:I'm not trying to be hostile either. I haven't read the pdf about tendermint
22:32:45jaekwon1:arubi: at each block, a sequence of proposers is determined based on the existing blockchain. proposers are chosen in proportion to the amount of coins bonded, and "grinding" isn't possible.
22:33:11arubi:whoa, way over my head.
22:33:16arubi:don't know the terms :)
22:34:05arubi:link me to the pdf, I'll read up
22:37:18jaekwon1:arubi: http://tendermint.com
23:11:01cbeams:adam3us: Perhaps of interest wrt yesterday's conversation about academics and referenceability of traditional papers vs. (git-backed) docs published on the web: https://guides.github.com/activities/citable-code/
23:45:36zooko`:zooko` is now known as zooko