00:25:17maaku:quantum computers
00:25:18maaku:* maaku runs
00:33:10justanotheruser:maaku: ?
00:37:24dexX7_:dexX7_ is now known as dexX7
00:54:56sipa:* sipa run
01:03:41posita:posita has left #bitcoin-wizards
01:03:46posita:posita has left #bitcoin-wizards
01:05:40Pan0ram1x:Pan0ram1x is now known as Guest21473
02:09:01phantomcircuit: [05:18:11] phantomcircuit: you're in the bay area?
04:51:16dsnrk:petertodd: Shared Coin has been doing the bad mixes as far back as Nov 2013 e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b
05:14:08petertodd:dsnrk: I was thinking about it this morning, and it may be the system never worked, it's just that it looked like it worked if your specific satoshi-precision vout value happened to match one they already had unspent
05:14:32petertodd:dsnrk: I only did testing by hand, so I wouldn't be surprised if the "random" numbers I picked weren't actually all that random...
05:15:46gmaxwell:petertodd: may also be that they prepopulated their txout sent and it decayed over time.
05:16:14petertodd:gmaxwell: maybe, although they get a lot of users so I'd be surprised if running out was an issue
05:17:41petertodd:dsnrk: of course, I was first testing shared coin before it was even publicly released - that's pre november
05:18:16dsnrk:gmaxwell: they do delay by a block it seems.
05:19:35dsnrk:petertodd: they show an example transaction in October and it was broken as well.
05:19:49dsnrk:( 72316782bf48d0cd232b888a7b9ea03f88ba79fac28273cd2aa1804683235412 )
05:20:08petertodd:dsnrk: yeah, probably just bad luck on my part, and not very thorough testing
05:21:17petertodd:dsnrk: at least the people doing round numbers sends were being protected - I wonder what % of people that ends up being?
05:21:38dsnrk:I don't for a second blame you in that.
05:22:13dsnrk:by spends identified by reddit users were fairly round 0.015 BTC each
05:22:37petertodd:by spends?
05:22:43dsnrk:*my spends
05:23:15gmaxwell:well there is the fact that their own funds are identifyable-ish, but at least that was known
05:23:40petertodd:dsnrk: yeah, doesn't take many bits of uniqueness to break the algorithm :(
05:24:14petertodd:gmaxwell: an early bug was that their funds were compressed keys and customer funds uncompressed :(
05:24:47dsnrk:their server seems to keep logs of all the private keys used for their spends, there's a function for dumping all the private keys to disk as they are being used. it's likely they have enough logs at this point to expose eveyr send made by the service, even if users couldn't do it as trivially.
05:25:10gmaxwell:These things at least we knew.
05:25:34petertodd:dsnrk: that's why I've always told people having the source code for the service isn't as useful as you'd think
05:26:02dsnrk:gmaxwell: it's implied in their pitch that they don't keep logs "no requirement to keep any logs"
05:27:19petertodd:dsnrk: so what happens if you send funds to an older address?
05:27:25dsnrk:petertodd: I'm half tempted to write a crawler to try and expose all of the coinjoin transactions made by them. I decided that's information I don't want to know though. you can identify them as being from bc.i by using the IP addresses they publish.
05:27:54petertodd:dsnrk: well, identifying the transactions isn't very hard even without ip addr info...
05:28:14dsnrk:petertodd: one of theirs or a temporary user ones in the CJ?
05:28:35petertodd:dsnrk: oen of their addresses - if they're keeping private keys they'll probably spend the funds
05:29:48dsnrk:petertodd: what fingerprint? currently I've got the number of outputs and inputs and the sizes involved, that there's a chain of minimum 1 block apart, and that only a small portion of the outputs carry from TX > TX. are there any other tells?
05:30:16dsnrk:oh and all the public keys are uncompressed.
05:30:38petertodd:dsnrk: that's incorrect, some of the keys are compressed
05:31:04petertodd:dsnrk: anyway, there aren't that many people doing transactions like that - just linking them all together is probably pretty close
05:31:34petertodd:but anyway, identifying bc.i cj transactions in general isn't too much of a privacy issue - identifying input and output links is the issue
05:32:54dsnrk:petertodd: that's interesting. some of the ones in the early SC are uncompressed, the ones in my later example are all uncompressed.
05:33:11petertodd:dsnrk: oh, maybe they finally fixed that bug fully?
05:33:30dsnrk:I didn't notice that change in the repo, but I could have overlooked it
05:34:27dsnrk:but yes, coinjoins aren't meant to be secret. the only reason it's an issue here is that you can easily deanonymise them once you find them.
05:34:51dsnrk:heck you can do them in real time.
05:35:04petertodd:yeah. also having all those extra inputs and outputs adds little to nothing to the privacy, and just makes it harder to notice it's broken
05:36:16petertodd:come to think of it, it'll also reduce privacy by increasing the velocity of their funds, making them more distinguishable from customer funds
05:54:56justanotheruser:justanotheruser is now known as bystander
05:55:07bystander:bystander is now known as justanotheruser
06:15:09dsnrk:petertodd: I hasn't thought of that. the coin-age of their mixes is actually ridiculously slow. for mine it took minutes for them to be spent again. that's probably the best fingerprint of all if you were going to automate it.
08:10:20Pan0ram1x_:Pan0ram1x_ is now known as Pan0ram1x
08:15:56execut3:execut3 is now known as shesek
12:56:30nshsome:nshsome is now known as [nsh]
14:56:01posita1:posita1 has left #bitcoin-wizards
15:52:41hearn:gmaxwell: so how much do you think can realistically be accomplished with snarks that only support hand-crafted circuits? any idea how complicated a circuit to do the core of the EC signature verify is? i mean using your scheme that moves the bulk of it out of the snark
16:05:13gmaxwell:hearn: my scheme results in only needing a point add inside the snark for the verify ... so a lot smaller than a full verify. though I haven't thought through what the most efficient construction would be for a point add over a differently sized larg arithmetic circuit.
16:06:12gmaxwell:Probably the easiest semi-useful thing to implement is a hash tree membership query. "This UXTO is a member of blockchain X"
16:06:43hearn:yeah, that's what i thought. the released code is _very_ basic. you get templates for: AND, OR, NAND, summing (not a gate), toggles, bit-packing and unpacking, demuxing, one or two other things. and that's about it.
16:07:34hearn:i guess a circuit for SHA256 is the first step
16:21:42[BNC]dansmith:[BNC]dansmith is now known as dansmith_btc
16:54:12maaku:phantomcircuit: I thought you were in the UK for some reason. you going to any of the meetups?
16:55:23maaku:maaku is now known as Guest84338
17:17:08mr_burde_:mr_burde_ is now known as mr_burdell
17:23:47Guest84338:Guest84338 is now known as maaku
17:24:06maaku:stupid internet
17:25:01phantomcircuit: [16:54:12] phantomcircuit: I thought you were in the UK for some reason. you going to any of the meetups?
17:25:06phantomcircuit:i havent' been in the uk for a while now
17:26:59maaku:ah well i hope we have a chance to run into each other
17:27:14maaku:i'm in san jose and don't often go to the meetups, but if there were wizards there i might
17:30:14phantomcircuit:maaku, where abouts in san jose?
17:35:32phantomcircuit:ah nvm
17:36:08phantomcircuit:maaku, that's mountain view not san jose :P
18:03:28maaku:i'm willow glen, but yes the meetup is mountain view i think
18:03:31maaku:sorry multi-tasking
18:03:57maaku:there's also one in SF, but I never make it that far
18:04:58gmaxwell:sunnyvale, but it's on tuesdays when I usually have other things to do.
18:05:20maaku:it moved from hacker dojo?
18:20:34jonpry:sipa when are more header-first patches expected?
18:22:57jonpry:we need this technology for miniblockchain project
18:25:39gmaxwell:"miniblockchain project"?
18:26:20jonpry:some info here http://bitfreak.info/mbc-wiki/index.php?title=Main_Page
18:26:39jonpry:it's similar to ultimate blockchain compression
18:28:28gmaxwell:Pretty troubling that the page there appears to make no mention of security assumptions.
18:31:30jonpry:some page has a list of attacks
18:31:46gmaxwell:jonpry: that white paper seems to be very confused.
18:32:01jonpry:yeah i know
18:32:17jonpry:it's also out of date. the real implementation looks not to much like it
18:32:57jonpry:users always have the option of not pruning the chain and not running from a pruned chain so there are no security implications in that case
18:33:23jonpry:also if you only prune behind checkpoints there are no practical attacks
18:38:04andytoshi:jonpry: a "checkpoint" in that sense seems to represent a point of trust in the consensus system.. but in bitcoin a "checkpoint" has nothing to do with trust or consensus
18:38:25andytoshi:i'm updating my alts.pdf to merge in the PoS stuff and elaborate on distributed consensus issues. it'll be done in under an hour, i encourage you to read it
18:39:23andytoshi:oh, i don't mean actually done, i just mean the distributed consensus section will be done
18:39:42jonpry:i mean checkpoint in bitcoin sense. it's simply a point which a user chooses to not accept forks behind
18:40:00jonpry:it doesn't matter is users choose the same point or if it is a correct point. it's just their choice
18:41:23gmaxwell:jonpry: sipa and I are hoping to remove those as part of the headers first change.
18:42:22jonpry:remove checkpoints?
18:42:29gmaxwell:They cause severe misunderstandings about the security model, and headers first largely removes the actual use of them.
18:42:58gmaxwell:They're only not a massive violation of the security model when— like now— they largely do nothing.
18:43:49gmaxwell:If you're talking about nodes that never retrive the history at all, thats a pretty substantial difference. (since it means that a short term burst of hashpower could basically violate any rule of the system)
18:44:06jonpry:they have real implications for pruning system. once somebody chooses a fixed point in the chain it becomes possible to remove all tx data prior to that point without problem
18:44:17gmaxwell:Thats a misunderstanding of pruning.
18:44:50gmaxwell:We have pruning almost completely implement in bitcoin core and there is absolutely no impact on the security model, and no need for checkpoints.
18:45:27jonpry:thats doubtful
18:45:48andytoshi:jonpry: what attack do you believe checkpoints prevent?
18:45:49gmaxwell:jonpry: As I said, you misunderstand it.
18:45:59jonpry:pretty sure i don't
18:46:14jonpry:the fundamental problem is that you have to download the UTXO set at some point in time
18:46:30gmaxwell:jonpry: no, you download the blockchain— you do not, however, have to store it.
18:46:42gmaxwell:Since you produced the utxo set yourself there is no change in the security model.
18:46:49jonpry:we do not download block chain
18:47:06andytoshi:then how do you verify it?
18:47:21jonpry:the set is hashed into the block headers
18:47:41jonpry:and we have elaborate system to provide proofs of partial UTXO sets
18:47:43gmaxwell:Doing that is a non-trivial reduction in the security model.
18:48:09jonpry:it's all the same if you only prune behind checkpoints
18:48:14gmaxwell:(not that it doesn't have uses, I mean— I proposed this back in 2011)
18:48:16andytoshi:it's completely not
18:48:46gmaxwell:This is part of why we're going to remove them in bitcoin core, since they seem to inspire this kind of very severe misunderstanding of the security model.
18:49:56jonpry:its all a matter of scale. like say you issue a checkpoint every millenium for part of the tree that is 500 years old
18:50:27gmaxwell:jonpry: if you do things like that you are just left trusting people to give you valid data— in the design of bitcoin we work very hard to avoid having any third party trust. Miners are only trusted to provide ordering, the fact that it's viable to do this is— in part— because they're not able to do much while violating that trust.
18:51:15jonpry:i'm telling you that the only security violation is the same as using checkpoints
18:51:22andytoshi:jonpry: you are wrong
18:51:34jonpry:you have not seen the code or know the scheme so how do you know?
18:51:58andytoshi:because you are badly confused and the chances of you getting it right without understanding are zero
18:52:14gmaxwell:jonpry: you've asserted this, then linked me to a page which makes no concrete claims about security at all, and which linked a whitepaper where the author clearly had a fairly poor understanding of Bitcoin.
18:52:27gmaxwell:So I'm skeptical, but happy to see—
18:52:59jonpry:i don't have time to explain it all. when the code comes out people will have a lot of fun analyzing it
18:53:35gmaxwell:Well I guess there is nothing to discuss then; if you're nagging sipa for something as trivial as the headers first code I suspect you're not likely to ever implement anything at all.
18:53:56jonpry:i actually have it working
18:54:19jonpry:just the process of a new node syncing is not done. but local pruning works
18:54:26gmaxwell:jonpry: But in any case, I'm on the record saying that I am very skeptical about the security claims that you're making. If you want to go tell people there is no issue, okay— but with notice that sounds more like fraud than ignorance.
18:55:11jonpry:i am just getting paid to write the code. i have no interest in the coins success
18:55:25gmaxwell:Yea, thats clear enough.
18:55:40jonpry:and if it helps the guy insists on doing it in a way that is not secure so no such claims will be made
18:56:06gmaxwell:Thats better. :)
18:56:44jonpry:but what is interesting is that it is secure under same assumptions as checkpoints
18:56:54andytoshi:jonpry: in future, sipa is available on #bitcoin-dev and it's much less likely that we'll assume you're a researcher if you ask there ;)
18:57:09gmaxwell:If you go ask him about this in there you'll cause him to leave the channel.
18:57:16gmaxwell:I suggest you do not.
18:58:17jonpry:i don't understand the problem. i am working on semi difficult problems and have solved some things. i asked about some code you guys are working on and its turning into a flame war
18:58:39jonpry:the proof of security is simple
18:58:55jonpry:checkpoint is a block which is asserted by the user to be good right
18:59:15andytoshi:jonpry: you showed up on a low-volume research channel making false claims and demanding free code which you are going to turn around and charge somebody for
18:59:22gmaxwell:jonpry: The security model is not the same because the design undermines the assumptions that make checkpoints even remotely tolerable (though we consider them unfortunate and want to remove them even considering that)
18:59:58jonpry:block contains hash of UTXO set. it's infeasible to provide a UTXO set with same hash. so therefore the user by choosing a checkpoint has chosen a UTXO set
19:00:18jonpry:assuming that set can be found. no further problem arise
19:00:53gmaxwell:jonpry: Bitcoin core still verifies all the data, a checkpoint that e.g. invents a billion coins out of thin air.
19:01:32jonpry:yes the code cannot verify a checkpoint. but even bitcoin cannot verify a checkpoint is part of most work chain
19:02:01gmaxwell:jonpry: yes, in fact— it can and does. Assuming the user is not partitioned from the most work chain.
19:02:34jonpry:if another most work chain is found with fork point before the newest checkpoint it will be ignored
19:02:47jonpry:it allows the user to choose an alternate view of reality
19:03:12jonpry:which is arguably less extreme than what MBC offers, but i claim its just as bad
19:03:33gmaxwell:Yes, indeed, but also noisly logs it as an error condition. And we're publically committed to never creating one near or in competition in the reference)
19:03:48gmaxwell:* gmaxwell is reminded of 'It is difficult to get a man to understand something, when his salary depends upon his not understanding it'
19:04:06gmaxwell:jonpry: it's completely transparent and still audited by the user.
19:04:17jonpry:we could have the same rules of creating checkpoint
19:04:53gmaxwell:so the security is very clearly not the same, since the software cannot check any of its correctness.
19:04:56Apocalyptic:"and still audited by the user." // talking about checkpoints ?
19:05:01jonpry:the thing is that i don't think it is better. it is just different and better/worse is a matter of philisophy
19:05:09Apocalyptic:because I have yet to see a normal user audit them
19:05:15gmaxwell:Apocalyptic: its audited by the software.
19:05:34gmaxwell:(in fact, it looks like from the whitepaper that it can't even check the proof of work, which is pretty boggling)
19:05:54jonpry:the coin is just a reference implementation for others to looks at afaik. i can't see what the argument could be for not writing it
19:06:13jonpry:whitepaper is fubar
19:06:18jonpry:and it does check proof of work
19:06:50gmaxwell:jonpry: the whitepaper seems to indicate it doesn't (proof chains, and showing no headers in the past) but I believe you fixed that. :)
19:07:25jonpry:the proof chain goes all the way back to genesis for one
19:07:32jonpry:which i think is maybe not in the whitepaper
19:08:02gmaxwell:jonpry: What does that accomplish? If the headers aren't know, then I can just make up anything there.
19:08:15gmaxwell:(because they don't have difficulty— they're not costly to compute)
19:08:48jonpry:i don't know. like i said, the headers are now stored. not sure what he was thinking when that was removed
19:09:28gmaxwell:fair enough
19:09:47jonpry:and we have difficulty it's just computed once a chain is connected
19:09:55jonpry:something about saving 32bits
19:10:20gmaxwell:jonpry: in any case, a non-transparent fixed blockchain state snapshot is a reduction in the security (requires greater assumptions about the honesty of the authors of them and the level of interest in users in verifying them, as Apocalyptic said he's never seen a user manually verify anything). Perhaps thats fine. .. at the same time, as I said, we also have tenative plans to remove or at least drastically reduce checkpoints in the ...
19:10:26gmaxwell:... reference software as part of headers first.
19:10:50gmaxwell:I don't see any great problem with it existing, I do hope people are cautious with the claims about it.
19:11:20jonpry:i'm pretty sure that people will just store all history until some point in the future
19:12:52gmaxwell:Considering the terrible state of mining centeralization shifting more trust on to miners— e.g. with unverified utxo schemes— concerns me greatly. Esp since like a lot of security is's kind of a lemon market, I can make less secure software that works fine until it doesn't.
19:13:44jonpry:the block won't verify if the utxo set is no good
19:14:09gmaxwell:Generally I hope that people eventually advance the ZKP stuff until we can use it to give people signtures that prove utxo correct, but thats not viable yet (too expensive to compute the proof).
19:14:33gmaxwell:jonpry: I can mine a bogus block and give it to you, if you're not verifying anything you can't reject it.
19:14:51jonpry:but all nodes verify utxo
19:15:09gmaxwell:if /all/ nodes verified it, there wouldn't be a point in having it. :)
19:15:47jonpry:obviously we have some difference in model of what is happening
19:16:31jonpry:we use UTXO set to sync nodes at some point in the past. checkpoint or whatever. once node has that. they can apply transactions from an incoming block to the set. rehash it and verify the block
19:17:03phantomcircuit:jonpry, not all nodes verify the UTXO, that is specifically what an SPV node is
19:17:52gmaxwell:jonpry: right, now I can give you a utxo that has an extra fake output that gives me a billion bitcoins. Then later I can give you a block that spends it. You'll have no way of knowing this was completely bogus.
19:18:44jonpry:the utxoset with fake output wouldn't be accepted by other nodes so it would shortly become orphaned
19:19:26gmaxwell:jonpry: sure. Who cares? you're bankrupt now, because I just deposited a zillion coins that never existed and then withdraw all your other coins (as an example).
19:19:43jonpry:i'm not sure if SPV nodes are required in miniblockchain since we are talking about orders of magnitude in reduction of the amount of data to be stored and difficulty of verifying blocks
19:20:04jonpry:maybe SPV nodes don't work
19:20:08gmaxwell:jonpry: storage reduction can be achieved without any of that.
19:20:23jonpry:everything that works in bitcoin is probably not going to work in MBC
19:20:24gmaxwell:SPV is a reduced security model— explicitly so. Which is fine and useful.
19:21:19jonpry:you could require huge depth merkle proofs for SPV
19:22:08gmaxwell:You can run bitcoind today with about 1gb storage... go remove the test for the blocks being there and simply delete the old blocks. So long as nothing tries to fetch the history from you (e.g. you don't have inbound or use history fetching RPCs) it works fine, verifies all new blocks, etc.
19:23:09jonpry:we can sync without downloading all that history. just need history back to checkpoint and utxo set
19:23:59phantomcircuit:he does have a point about checkpoints and just shipping with the utxo upto that point
19:27:45jaekwon:gmaxwell: Remember when we had the argument about new-users needing to have trust in tendermint or proof-of-stake algorithms? I said even new bitcoin users require trust, and you countered that they don't. I think we were both right… new bitcoin users can download a trusted copy of the client and wait indefinitely before connecting to the network for the first time. So trust is required in acquisition of the program or algori
19:30:49Apocalyptic:"needing to have trust in PoS algorithm" // for bitcoin ?
19:31:45jaekwon:no, altcoins that rely on pure PoS.
19:31:52Apocalyptic:I thought it was a consensus that PoS is fundamentally broken since it allows to mine multiple chains at the same time
19:32:43jaekwon:that's been true of existing pure PoS algorithms, but tendermint overcomes that. come to #tendermint if you want to discuss it though.
19:33:21jaekwon:it's still contentious here and it turns into a flamewar, which nobody wants on bitcoin-wizards.
19:33:49gmaxwell:gmaxwell has left #bitcoin-wizards
19:42:18diesel__:diesel__ is now known as Dizzle
20:20:17andrew:andrew is now known as justanotheruser
20:55:13samson2:samson2 is now known as samson_
22:21:48andytoshi:i have a couple questions about bytecoin's ringsigs: (a) is escrow or any sort of multisig possible, (b) does the utxoset just grow super fast because you can't tell which exact outputs are spent?
22:29:35maaku:maaku is now known as Guest40907
22:37:21pangpang:pangpang is now known as pen_
22:46:34andytoshi:ok, page 14 of https://cryptonote.org/whitepaper.pdf explains that multisig is possible, though it's not clear if it interacts well with the ringsigs