00:41:20Luke-Jr:dsnrk: wat?
00:43:26dsnrk:Luke-Jr: uh, just likening your early Eligius blocks with religious texts in the coinbase to the Bytecoin block chain having bits of a book in it as well. didn't mean anything untoward by it.
00:45:08dsnrk:just got the impression looking at the output strings that they gained inspiration from Eligius.
02:13:54BlueMatt:amiller: damn, quite a bit of press on permacoin...
02:14:25amiller:yeah i'm livid that people keep clling it "Microsoft's Permacoin" on reddit.
02:14:47amiller:it's because of these two posts by neowin.net and winbeta.org, and also that the page on microsoft resaerch previously didn't list anyone else's affiliation by mistake...
02:15:12BlueMatt:most of the media lists microsoft research first
02:16:15amiller:that's regrettable, i wonder if i should have anticipated that somehow and done something different.
02:16:49BlueMatt:well its not like a single one of the media did anything more than check that the link to the paper works
02:16:58BlueMatt:no way they got past the first word, let alone the by lines
02:17:13amiller:the cointelegraph article is by far the best
02:17:32BlueMatt:ehh, Im just gonna skip the coverage and skim the paper :p
02:17:38amiller:oh well no one will remember any of this in 2 days :)
02:18:05amiller:still it's the most press *i've* ever gotten so i can't say i'm not hitting f5 and sweating :p
02:18:20BlueMatt:heh, I know the feeling
02:19:01BlueMatt:bitcoin is funny that way....lots of media paying attention, not that many smart people making interesting things
02:22:25amiller:so when i gave the official talk for Permacoin, at the IEEE Security and Privacy conference, Ian Goldberg (invented OTR, professor at U. toronto, was briefly vitalik's advsior when he was a student) and Ross Anderson (professor at cambridge, invented guy fawkes signatures) totally chewed me out with good criticisms.
02:22:41FRCJoe_:FRCJoe_ is now known as FRCJoe
02:23:13amiller:ian goldberg said that despite spending a lot of effort trying to prevent miners from just outsourcing their storage, the best scheme in Permacoin still only prevents it as much as mining pools
02:23:35amiller:basically we made a puzzle where, if you aren't storing the file yourself, then whoever is storing the file can "steal" your puzzle solution
02:23:44amiller:(though it will be publicly evident that they've done so)
02:24:07wyager:I’ll eat my shoes if anyone invents a PoW algorithm that does “useful” work and can’t be gamed
02:24:09gmaxwell:oh I'd thought the permacoin work was a lookup throughput puzzle
02:24:09sl01:amiller: do you have a more brief/condensed overview text about how permacoin works
02:24:23amiller:gmaxwell, yes it is a lookup throuhgput puzzle yes
02:24:49gmaxwell:then how can one efficiently outsource storage (except in the TMTO sense?)
02:25:06amiller:well the point is you can outsource the storage AND the mining
02:25:10amiller:i don't know what is TMTO
02:25:17gmaxwell:oh cloud mining it, sure.
02:25:44gmaxwell:time memory trade trade off.
02:25:49amiller:ah right
02:25:53gmaxwell:wyager: well sure, depends on how broadly you define 'gamed', I've generally considered "useful" work to be inadvisable.
02:26:25amiller:Ross Anderson basically said "200 TB? For $80 million dollars? and you call that recycling? what horrible efficiency" and that's a good point too.
02:26:30gmaxwell:(certantly there are better and worse ways to do it, and some of the better are probably okay enough)
02:26:49gmaxwell:yea, agreed there.
02:37:48maaku:also depends on what you mean by useful
02:37:56maaku:i consider the ticking timelock pow very userful
02:39:34gmaxwell:yea, perhaps that one is of a class which is the most useful POW possible, since its something we don't have other ways to accomplish.
02:40:53FRCJoe:I'd personally like to see protein folding as a PoW
02:41:47gmaxwell:* gmaxwell roles eyes
02:42:00gmaxwell:Really I'm probably going to have to ban PoW discussions from this channel.
02:42:39amiller:ian goldberg is at waterloo not toronto for the record, i just transpoed because vitalik is currently in toronto (not the university)
02:42:39FRCJoe:sorry, didn't realize that wasn't an allowed topic
02:43:09gmaxwell:We've already had people flame out over them, they're — for the most part — the _least_ interesting stuff you can talk about, but they're the kind of superficial thing that people who don't know much yet feel ready to give endless opinions on and the conversations just loop.
02:43:49FRCJoe:sorry that you feel that way.
02:43:55gmaxwell:Most things do not make for good cryptocurrency POWs.
02:44:02kanzure:the xkcd irc channel used to have a rule about not repeating yourself (it was just based on message text equivalence, though)
02:44:44gmaxwell:FRCJoe: It's not a feeling thing. It's just disrespectful to constantly loop the discussions without doing the background research.
02:44:46sl01:any links on ticking timelock pow ?
02:44:54dsnrk:how is everybody going with peter todds timelock?
02:44:56FRCJoe:well my apologies then.
02:45:14amiller:so, serious talk, i'm working on a generic useful proof of work that would even include the protein folding example.
02:45:20gmaxwell:No offense on my part here.
02:45:25gmaxwell:gmaxwell has left #bitcoin-wizards
02:45:36dsnrk:I've got my search up to 1.7M/s but I'm hitting thermal limits on my CPU.
02:45:49sl01:amiller: details
02:46:18amiller:roflmao gmaxwell parted the channel when i said that.
02:46:42dsnrk:amiller: I really don't believe that is possible. by all means prove me wrong, but I don't see how that works in the constraints of what a PoW needs to be. gmaxwell is annoyed because we have this conversation over and over, PoW is utterly and totally boring.
02:47:07sl01:lol yea, i've never seen someone make him ragequit before :P... but seriously, I remember him or someone esle talk about making a generic proof of work using SNARKS except that would be so slow that it probably would stop being useful
02:47:19amiller:well my approach isn't that.
02:47:27dsnrk:anybody who tries to make PoW "useful" has misunderstood the constraints of what a PoW should be.
02:47:30FRCJoe:here's a silly proposition: make another channel to discuss these ideas as not to clutter this channel with unwanted talk?
02:47:41amiller:i have a good grasp of what the requirements are and i care more about staying within those than making it superficially useful
02:48:08amiller:secure first, useful second, rather than the other way around.
02:48:18sl01:amiller: can you give any rough details on how your idea would work?
02:50:39amiller:express the 'check' of a computation as a circuit, each attempt you have to hash over every internal wire of the circuit
02:52:05dsnrk:yeah, look, you're not the first to think of that either.
02:52:06sl01:is that similar or related to snarks ?
02:52:24sl01:that sounds similar to gmaxwells simplified explanation of snarks https://people.xiph.org/~greg/simple_verifyable_execution.txt
02:54:27amiller:unrelated to snarks
02:55:00amiller:i'm not surprised if i'm not the first to think of that but i haven't been able to work out a good explanation why it doesn't work
02:55:36sl01:do you have any idea how much it would slow down the computation?
02:56:10amiller:slow down the computation relative to bitcoin or relative to the ordinary useful purpose (computing the energy of a protein configuration)?
02:56:16sl01:the latter
02:56:53amiller:probably a whole lot, i think this at best will have to err on the side of hardly useful at all
02:58:31dsnrk:currently to verify a bitcoin block you need a few hundred bytes and a little less than two sha256 hashes. even systems like Litecoin are far too intense for what they are doing.
02:59:03sl01:have you looked at ripple's consensus mechanism ? it gets rid of "useless work" and 51% attack, and only requires a slight amount of centralization via the setup (you have to make/use a list of parties, 50% of which you trust not to collude to defraud you)
02:59:26amiller:i've looked into ripple's consensus mechanism and hate it, i can't figure out what their security model is, i don't think it makes much sense
03:00:01amiller:i started to try doing a more rigorous analysis/post but kind of got stuck because they've written so little about it i have to make up their position for them
03:00:03sl01:the security model is you baiscally have to list who you trust not to defraud you
03:00:07amiller:"we think assuming X and Y that Z is the case"
03:00:15amiller:yes but that doesn't make much sense
03:00:21amiller:someone on your list could be trusting someone that defrauds you
03:00:38sl01:right, i assume in practice most people will use mostly the same list
03:00:40amiller:that's not really complete enough
03:00:40sl01:with slight variations
03:00:54amiller:if everyone uses the same list and everyone on the list is good, then it's not so hard
03:01:03sl01:not everyone on the list has to be good
03:01:14sl01:you just have to trust that 50% of them wont collude to screw with you
03:01:15amiller:ok ok yes but some constant fraction of the people on that list
03:01:22amiller:the whole fun of bitcoin is moving away from assumptions like that and replacing them with incentive structures
03:01:38amiller:"wont collude to screw you" is kind of the way towards madness
03:01:44amiller:what if they collude for other reasons than to screw you
03:01:51amiller:they could collude to screw someone else and you could get stuck with it
03:01:54sl01:i agree , bitcoin is nice because its more pure but, that 51% attack is gonna loom there forever
03:02:23sl01:amiller: right, i think the idea is, its not that hard to make a list where 50% colluding is just impratical
03:02:42sl01:also since its relatively easy to broadcast proofs that people colluded and did naughty things
03:02:59amiller:there are a lot of naughty things that can be done that don't leave such clear evidence
03:03:16sl01:yea you're probably right
03:03:37amiller:i think for my penance for pissing off gmaxwell i'm going to collect a list of every "useful proof of work" discssuion that's been here and put it on gist.github
03:03:42sl01:still i think getting a very large number of people and organizations to collude in secret is pretty damn hard
03:04:17sl01:vs bitcoin, only one powerful organization needs to decide to screw with bitcoin, and that can be done in secret easily, without any proof of who actually did it
03:04:47kanzure:amiller: put it on the wiki instead
03:04:55FRCJoe:amiller: need some help?
03:05:06amiller:FRCJoe, yes, please!
03:05:20FRCJoe:awesome, I can start with the 2013 logs
03:05:35dsnrk:amiller: there's been more than I can count here, on #bitcoin, #bitcoin-dev and on other forums. you have some work to do.
03:05:59kanzure:i estimate less than 800
03:06:09amiller:it gets easier once they start falling into bins
03:06:15amiller:then i just start incrementing a counter
03:06:28amiller:FRCJoe, if you help with this for real i'll dispense btc.
03:06:38FRCJoe:I'm already starting :)
03:06:59Luke-Jr:amiller: you pissed off gmaxwell⁈ :|
03:07:02FRCJoe:i think i was part of the problem pissing gmaxwell off :P
03:09:16dsnrk:Luke-Jr: in his defence PoW is really, really boring.
03:10:53FRCJoe:* FRCJoe likes boring
03:11:01amiller:dsnrk, do you know hte nonoutsourceable puzzle idea? i am still happy with that one, but in general i think useful pow is boring and asic resistant pow is boring
03:11:30kanzure:there was a paper about two years ago about verifiable distributed computing that had a bit of a media blitz. does anyone know which one it was? :\
03:12:16kanzure:probably used the word "trust" in the title
03:12:29amiller:gotta be this paper kanzure http://citeseerx.ist.psu.edu/viewdoc/summary?doi=
03:12:38amiller:Non-interactive verifiable computation: Outsourcing computation to untrusted workers
03:12:54amiller:they menition the folding@ seti@ in their first paragraph
03:13:40dsnrk:amiller: nobody has really ever proved that something is "asic resistant" much less that such a property is desirable. just today our favourite new Bytecoin on the block just got it's first public GPU miner despite having quite a part of their whitepaper devoted to talking about how their design was perfect at preventing this.
03:14:13kanzure:that's just a software implementation, right? they didn't manufacture a new gpu?
03:19:03amiller:i really cna't find more than one previous -wizards conversation about useful pow
03:19:17amiller:i grepped for "protein" in my bitcoin dev log and didn't find anything but i think my log isn't old enough.
03:19:27amiller:maybe my log is rotated i dunno
03:19:41petertodd:someone found the solution to the first chain of my timelock: 0a3f87ccf2e42a94108f4e318f22ac66485fe5f4ce418d283926a95b7e6f7a4a, 2Mh/s implied (I can get 3Mh/s on my hardware)
03:20:09dsnrk:I'm struggling along at 1.8MH, how on earth are you getting 3?
03:20:26petertodd:dsnrk: model name : Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
03:20:31FRCJoe:amiller: I'm digging through here by hand while i get all the logs
03:21:58dsnrk:petertodd: yep, right you're clocked higher than me even with an overclock. I don't stand a chance.
03:22:39dsnrk:petertodd: nice system though regardless, I like how it works.
03:22:42petertodd:dsnrk: yup - I fully expect some overclocker to win this round, and maybe a overclocked FPGA to win the next round
03:23:22dsnrk:I can't go any higher just because of thermal limits, wish I had a watercooled rig lying around
03:24:12petertodd:ah, too bad, of course, I wish I had one of those too :)
03:24:41petertodd:I rented two 32x EC2 servers for the night to compute it - interestingly they have more like 16x actual cores from the looks of it
03:24:49dsnrk:this is the first time I've actually needed single core performance, normally that's not needed
03:25:21dsnrk:I guess you could also just generate the keys on a GPU if you had the tool
03:25:37petertodd:yup! I really want to see someone write that, the parallelism would be awesome
03:26:55dsnrk:could do with a big fat FPGA lying around for stuff like this
03:27:57petertodd:in any case, what I'm actually more excited about is a scheme Amir and I came up with for incentivising publication of data along the same lines - basically just make a merkle tree of your data, commit publicly to the top hash, reveal a subset of the data via non-interactively based on a random beacon (e.g. the blockchain) and finally, create bounty addresses that force the publisher to reveal encryption keys to collect the funds
03:28:00home_jg:home_jg is now known as jgarzik
03:28:45amiller:that sounds pretty neat
03:28:58sl01:petertodd: sounds pretty similar to what vitalik described for his "dropbox on ethereum"
03:28:59petertodd:you can even do this with standard bitcoin addresses, and with non-standard scriptPubKey's you can make it possible for bidders to undo their bids
03:29:13petertodd:sl01: quite likely - nice to do it on bitcoin :)
03:29:14amiller:the idea of revealing an encryption key as the last step is a pretty cool trick i saw something similar described for bittorrent
03:29:35sl01:petertodd: totally agree (just fyi: http://www.reddit.com/r/IAmA/comments/1xb5rj/hi_were_the_ethereum_founding_team_ask_us_anything/cf9rlir)
03:29:35petertodd:amiller: oh yeah? I'm sure it's been re-invented a few times by now
03:30:09petertodd:sl01: nice! yeah, I think we discussed something like that in -wizards a few months ago too
03:30:11amiller:it's a small idea, the context of bittorrent is that you transfer a whole file ecept for an encryptoin key and prove that it's good... then revealing the encryption key only takes a tiny last step
03:30:32petertodd:sl01: of course, what's different with this is we've got someone actually implementing it
03:30:42petertodd:amiller: ah right
03:30:45sl01:haha nice
03:31:05amiller:this solves some kind of incentive problem that happens if you can learn certain parts of the file in plaintext or something, it's subtle
03:31:18amiller:cool petertodd
03:31:34amiller:petertodd, consider using erasure coding too
03:31:35petertodd:amiller: yup, the incentives in paypub are almost the opposite - reveal parts bit by bit if you want
03:31:54petertodd:amiller: what to make revealing parts quickly reveal all?
03:32:31amiller:random sampling like you just described isn't a good way of forcing someone to store the file securely
03:32:38amiller:you can have a low amount of bitrot and not get caught
03:32:46amiller:erasure coding makes that irrelevant
03:33:04petertodd:(paypub == the name amir and I came up with; we considered DARK ASSASSINATION TEXTS MARKET RELOADED but thought it was a bit unweildly)
03:33:49petertodd:amiller: right - we're envisioning a model where the bidders would alrady have the encrypted file. we're not trying to solve distribution (although you can also just reveal the file in the blockchain for small files)
03:34:39petertodd:phantomcircuit: incedentally, the absolute shite name "timelock" for my timelock thing was to win a bet... I claimed I could come up with an even worse name than coinbase and blockchain
03:38:10phantomcircuit:petertodd, LOL
03:41:17dsnrk:petertodd: I prefer the original name
03:42:39dsnrk:I normally advocate the use of unicode control characters in product names
03:43:09petertodd:dsnrk: I'll just call it ☭☭☭☭☭ then
03:44:48dsnrk:petertodd: zalgoo text would be better. break everybodies clients no matter what they are.
03:45:21dsnrk:yeah, that's the stuff. good product name.
03:46:06petertodd:D̯̯A̱͕̩R̺̝̖͟K̙̲͚͚̮͉͉̀ ̝̳́ͅA̲̺͚̮͉ͅS̞͉̗̺S̘͖̗̱͝A̲̫S̠̤̩͍S͇̠I̻N̬̮͇̱A̤̖̹̲͡T̪̲Ḭ̶͔̱̤͔̗͖O̲̭̤͈̫̘N ͚̹́T̯͎̱͘E̛̦͇͉̪̹ͅX̹̙̙̲͔̼̣͝T̻̩͓͓̳͘S̳͕͍̩̙̺ ̖̹̣͔͚͍̥M̤͔̠̻͖͚A̞̯̠͜R̰͉͇͓K̯̭̘̺͚͍͞E̗̖̱̺͍̻T̵̮͚̩͉ ̸͕͚̪̠R͔͕̭̜̭̠É̤͈L̺O̜̲̙͈̮͖ͅA̩̠̮Ḑ̙̤̜E̻D
03:46:11dsnrk:I honestly don't even know what most of those characters are or why you can stack them vertically
03:46:19dsnrk:^ perfect!
03:46:21petertodd:heh, I wonder what that'll look like on the website
03:46:41phantomcircuit:dsnrk, they're accent marks which can be applied to arbitrary letters
03:47:10dsnrk:why can you stack them though? I've never seen to stack graves before
03:47:23pigeons:needs some tonal numbers too
03:47:27dsnrk:never needed to stack them.
03:47:38amiller:that so great i dont see why you need another name than that
03:48:09petertodd:amiller: each release should be renamed with an even higher stack of zalgoo: ...
03:48:12petertodd:... t̺̠̝̪͇̘̳͎̘̲͇̲̦̪̤̱̹͓̣͇̬̳̙̰̪̰̼̝̲͉̤̫̼̺̙̫̲͓̟͇̦̝̯͚̬̝̺̗̣̱̞̪̦͚̬̰̩̦̯̜̩̱̱̺̺͈̤̳̲͍̲͍̜̼̞͈̹̱͇͍̻̙̻̯̬̗̰̗̱̼̪̥͇͎ͦ͐͂̔̇͊̊́̒ͦ̉̋̊̑̏̉ͣͫ͐͂̊̆ͬͧ̏̂̉͋͊̔͛͌̾ͮ̆̂ͭ̈ͧͤͨ̿̃̏̏̏ͦ͋̑́͊͐̽͑͑̈͂͂ͣ̊̿͛̅̄ͣͫͧ̿ͬ̈́̉͆̄ͣͭ̆̔̅ͫ̈́͐̈́̓ͦͭ̆́̾̏̑̽ͮ̀ͦ̾̅͑̓̚̚ͅͅͅͅͅͅhÌªÌ¼Í™Ì¦ÍšÌªÌ°Í•Í“Ì«Ì³Ì–ÌžÍÌ®Ì°Ì¹Ì ...
03:48:18petertodd:... ¼ÍÌºÍŽÌ¯ÍšÌÍ‰ÌÍšÌ¦Ì°Ì™Í•Í”͚͕̭̤͎̰̞̥̖͖̲̬͈̘͕͕̳̝̗̩͓̜̥̻̺͙̼̣̙̥̘̻̣̠͎͇̻̼͙̞͉̯̖͈͉͚̣̜̟̱̘̗͙͖̦͓̹̤͇͇͙̭͈̙͓͚̯ͨ̂̇ͯ̽͛̓̈ͤ̂͛ͩ̔̔ͪ̈́̽͗̈́͛̃ͭ̽̈͐͑̽̂̇̓ͣͤͭ̔ͧ̓ͪ͐ͯ͐̉̑ͤͣ̐ͩ͌͛͊̂͒͒͌̀͋͆ͨ̽ͧͥ̽ͮ̑͐ͩ̅̓͊͗̉ͯ͐̓̅̂̆ͬ̿͑̊̎ͯͩ̃́̽͑͊͆ͯ͂ͬ̎̂ͤ̾͆͆̚̚ͅiÌ»Ì¹ÍˆÍˆÌÌÌ®Ì¹Ì¤Ì˜Í“Ì°Ì Í•Ì³ÌÌ¬Í‡Ì Ì Ì–Ì¼Ì­Ì˜Ì©Í‰Ì–Í‡Ì¼Ì£Ì³ÍÍŽÍ™Í–Ì¼Í ...
03:48:24petertodd:... ŽÌ®Ì³Í•Í‡Ì–̤̘͓̜̼͚͕̻̤̜̮̳̬̗͕̖̭̖͓͓̙̹̪̜̭͍̗͚͔͎͔̱̬͕̞͓̣̘̣̘͉̣̹͈͈̮̹̮͍̜͍̩͈͔̥̥ͪͬͨͬ́ͩͯ͋̓̌ͩ̆̉̇̈͑ͨ̈̃͗͌̀̿ͬ̐ͭ̄̔͐̽͑̈́͐̀͒͊͑ͦ́ͪ̌ͨ͛̓ͦ͋̔͗ͫ͋̍ͪ̐̆̏͗ͯ̐̈́ͫ͊̅ͩͮ͑͆͂̄̈́̋̍ͣ̒ͯ͗̈̏ͬ̋̑̓̔͆͒͒̓͒̌̏̽͊͂ͤ̈̽̔ͣ͛̚̚ͅͅsÍ‡Ì©Ì©Ì»Ì¼Ì–Ì¤Ì¦ÌœÌŸÍ“Ì¹Í™Ì Ì©ÌÍˆÍ™Ì–ÌªÌÌ¼Ì¦Í“Ì Ì­Ì»Ì«Ì²Ì¬Ì¤Ì¼Ì«Ì—Í‡Í”Ì°Ì¬Í‰Í‰Í‡ÍˆÌ™Ì¦Ì–Í‡Ì©ÌŸÌ–Ì«ÌžÌœÌ Ì°Ì ...
03:48:30petertodd:...  Ì–̼̱̣̝̮̮̥̲̝̱̻͎̻̞̻͕̫̭̞̲̝̩̞̰̯͇̹̠̼̣̝̻̫̭͓̟̟̮̙͔͉̩̮̣̓͌̎ͩͬ́͗̅̀͗̅ͥ̿͋̆̉ͧͭͯ̿̾ͭͩ̓͊̉́̓́͌̏̈̈́ͯ̅̄̿ͮͤ̄̊̆ͯ̈́͗̍ͭ͊̽ͪ͂ͬͬ͒̿ͨ̋̄̋ͭ̾ͥ̑ͮ̉̿̈̿ͯ̄͌̒̓̍̅̀͑̉ͬͫ͒̌ͥͯ̄̍̏͂̌̅̄ͣ͗̒̃ͮ̚̚̚̚
03:48:38petertodd:sort of like the tex versioning scheme...
03:49:16dsnrk:"if your browser crashes you know you're on the latest version"
03:49:23amiller:i suddenly feel like buying a drug and killing a diplomat and publishing a document all at once
03:49:49petertodd:amiller: "THIS IS YOUR BRAIN ON HASH FUNCTIONS"
03:49:52phantomcircuit:amiller, "buying a drug"
03:50:04dsnrk:phantomcircuit: I would pay good money to see a place where most unicode characters are used, 99% of them seem to have been added just out of boredom
03:50:22petertodd:dsnrk: oh, you mean china? yeah, that usually costs good money to get too
03:50:29phantomcircuit:dsnrk, there's so much just absolute nonsense available in unicode
03:50:43phantomcircuit:and yet the emoji people still use the private unicode space
03:51:13dsnrk:petertodd: nah, take a look around, there's weird stuff. chinese characters are easy street.
03:57:04dsnrk:all of the fun ones don't render in my terminal, lame.
03:57:22petertodd:heh, it's impressive enough that unicode renders at all on most terminals!
03:57:36dsnrk:the OSX one does emoji
04:00:38Luke-Jr:Luke-Jr has kicked petertodd from #bitcoin-wizards
04:02:56petertodd:* petertodd needs to come up with a legit cultural reason to be using zalgoo
04:17:20petertodd:btw, does anyone know if openssl implements the sha256 opcodes intel now has? it occured it me what I should do is make the inner-loop be to just repeatedly update the midstate - should reduce the performance advantage of custom asics a bit
04:19:02petertodd:someone on the cryptography email list also suggested random lookups from L1 cache and/or integer multiplication (with serial data dependencies on the longest ot compute result bits)
04:19:21petertodd:see: https://password-hashing.net/interaction.html
04:22:09petertodd:hmm, actually, even better might be to target AES, given that bulk encryption of data is a common optimization target, e.g. target the AESENC opcode
04:24:45sl01:petertodd: openssl does make use of aesni instructions for aes using their EVP api
04:25:16sl01:not sure about sha
04:25:43petertodd:sl01: cool, I'll change it to aes then and take the last encrypted block as the output of the chain
04:26:38sl01:openssl speed [ -evp ] -- to test with and without, seems sha isnt any faster w/ evp
04:27:27petertodd:huh, well, at least the aes version is much older - my computer at home has support for the instructions for instance
04:33:34petertodd:ah nifty, so you can disable the aesni instuction by setting OPENSSL_ia32cap=~0x200000200000000, w/ aesni disabled on my machine the speed is halved
04:34:25petertodd:some small dependency on block size too, so I'm probably best initializing the aes with the IV, encrypting zeros as the chain, and using the last block as the secret
04:38:47petertodd:er, actually scrap that - I'll bet you it's slower than it needs to be because aes is obviously going to try to do something with the encrypted data, and the silicon implementation is probably slower serially for that
04:42:11sl01:you could just do a single sha hash on the last aes block or something
04:42:35sl01:err nm
04:42:47sl01:i dont get what you mean: " aes is obviously going to try to do something with the encrypted data"
04:43:28petertodd:sl01: I mean, unlike sha, aes presumably has extra circuitry and logical paths to keep the encrypted data and store it to registers rather than just update the midstate
04:44:25sl01:so you mean an aes asic will have more perf gain than a sha asic?
04:44:29petertodd:I mean, I'm basically saying "lets make this something that's been optimized to death alredy for good scalar performance"
04:44:34petertodd:sl01: yup
04:53:45sl01:sounds like intel chips w sha extensions arent out yet
05:49:07justanot1eruser:justanot1eruser is now known as justanotheruser
06:41:39phantomcircuit:petertodd, whatcha doin with aes?
07:07:34petertodd:phantomcircuit: probably making a fool of myself
07:08:14petertodd:phantomcircuit: I was thinking of using it for timelock crypto - basically in something akin to CBC mode to turn a nonce into a digest after much work
07:11:29phantomcircuit:petertodd, hypothetically a block cipher with an iv generated based on the data should make a decent hash function
07:11:48phantomcircuit:basically just apply aes over the first block of data to generate the iv
07:12:00petertodd:phantomcircuit: yup - my real goal w/ using aes was to take advantage of the dedicated aes hardware available
07:12:03phantomcircuit:and then xor outputs
07:12:18phantomcircuit:reduce the advantage an asic will have
07:12:26phantomcircuit:probably by an order or magnitude
07:13:22petertodd:secondly, aes (and sha used on blocks) can reduce the disadvantage of the *language* used, as the bulk of the computation in the inner loop can be done directly in the support library
07:15:18phantomcircuit:petertodd, iirc the aes-in stuff doesn't include the setup step
07:15:45petertodd:phantomcircuit: which is fine! you basically pretend you're hashing a gigantic file full of zeros
07:16:24phantomcircuit:does it actually default to zero though?
07:16:55phantomcircuit:(im just guessing at this point, so feel free to ignore me)
07:17:12petertodd:well, heck, that wouldn't actually matter anyway with the right aes mode
07:17:38petertodd:though yeah, just giving cbc mode zeros should be fine
07:24:53sl01:i was trying to lookup some stats on aes hardware accel to compare with intel aesni cpus, but couldn't find any docs with detailed #s
07:27:41petertodd:sucks. for my purposes I'd also want to know some pretty detailed stuff about how it's implemented, for instance where the aes hardware actually is relative to other parts of the cpu, in particular the registers. similarly, how pipelined is it? of course, it may be all done with microcode too, in which case neither question is really correct
07:28:50petertodd:basically, an optimal asic implementation of this stuff will likely be some crazy unrolled pipeline with very short wires and clocked like crazy (or async!)
07:29:51sl01:sigh.. why the hell dont academic papers have dates on them
07:32:31nsh:why doesn't google let you input a string and tell you when that string first appeared on the internet?
07:32:52wumpus:sl01: oh yes I remember that annoyance, always having to hunt for the year something was published, even having to guess it from the references
07:33:12sl01:nsh: i think you can do that manually, by moving the search date range slowly backwards
07:33:16nsh:* nsh nods
07:33:47nsh:début is a deliberation of the dance, not the débutante
07:57:17petertodd:eb714fb12c2d1c839fb3115420881cc65f6ad15c305de75f07ba6b148d23faec <- second chain cracked
07:58:04petertodd:~4MH/s, not bad!
08:00:05Luke-Jr:anyone done a chess PoW yet?
08:05:27sl01:proof of bandwidth brought to you by the u.s. navy - https://docs.google.com/file/d/0B7r4osQgWVqKTHdxTlowUVpsVmJRcjF3Y3dtcTVscFhEaW5F/view?sle=true
08:11:09sl01:Such a scheme would be vulnerable to colluding groups of clients and relays, however, who can simply sign each other’s transfer tokens without actually transferring any bandwidth. We address this challenge via the TorPath scheme described below. TorPath restricts clients’ ability to choose their own path, ensuring that most paths in-clude at least one non-colluding participant (the client or at least one of the three relays). Assignmen
08:14:18sl01:wtf this sounds exactly like maidsafe
08:20:02sl01:isn't it possible to setup a torlike network where all bandwidth is paid for with BTC microchannels
08:20:55[nsh]:what a horrid idea
08:25:01sl01:ah gmaxwell already tearing it up: https://news.ycombinator.com/item?id=7850738
13:00:06qwertyoruiop:qwertyoruiop is now known as Guest46928
13:28:03Guest46928:Guest46928 is now known as qwertyoruiop
13:52:02mr_burde_:mr_burde_ is now known as mr_burdell
14:22:47hearn_:hearn_ is now known as hearn
14:41:41shinybro__:shinybro__ is now known as KawhiLeonard
14:45:59KawhiLeonard:KawhiLeonard is now known as Kawhi_desu
16:32:43maaku:maaku is now known as Guest56466
16:33:29Guest56466:Guest56466 is now known as maaku
16:53:21samson2:samson2 is now known as samson_
16:53:48kanzure:some okay complaints about the torcoin proposal: https://news.ycombinator.com/item?id=7850738
17:30:26wallet421:wallet421 is now known as wallet42
17:38:41coyo:coyo has left #bitcoin-wizards
21:55:02FRCJoe_:FRCJoe_ is now known as FRCJoe