02:09:36 gmaxwell: andytoshi: wow, your alts paper has grown since last time I saw it!
04:08:54 andytoshi: gmaxwell: :) i've almost completed the "how bitcoin works" section (just need to talk about difficulty and adjustments), and i also merged in the PoS stuff
04:15:49 ryan-c: If I'm signing two different messages with ECDSA secp256k1 under the same key and it is known that there exists a relationship between the k values for the two signatures where k_2 = k_1 + c for some known value c, does that enable any key recovery attacks?
04:16:22 Luke-Jr: I can't say for sure, but I would think so.
04:17:52 ryan-c: It would be useful if it did not enable key recovery attacks, but I don't know the math well enough to analyze it.
04:18:45 Eliel_: from what I remember, every signature made makes a key recovery attack slightly easier at least.
04:19:19 ryan-c: it is not true that knowing R_1, R_2, and c discloses k_1 or k_2, but you could get k_1 if you knew k_2 and c.
04:20:49 pilu: normally i don't ask questions but would you mind sharing the source on the text you are working on with the "how bitcoin works" section? trying to absorb all i can
04:22:03 ryan-c: Luke-Jr: Would using multiplication be any less suspect?
04:25:28 ryan-c: I doubt it would be...
04:25:53 Luke-Jr: ryan-c: I'm not an ECDSA expert.
04:27:08 ryan-c: Luke-Jr: Fair enough.
04:30:47 Eliel_: I don't think we have too many ECDSA experts here.
04:45:59 iddo: ryan-c: as you said there are two unknowns (any k_1 and k_2 are possible given c), but why is this question interesting anyway? deterministic ECDSA uses k=hash(msg,s), and BIP32 uses s_2=s_1+c (i.e. s_1,s_2 not k_1,k_2)
04:48:10 iddo: andytoshi: is this your latest document? https://download.wpsoftware.net/bitcoin/asic-faq.pdf
04:48:59 justanotheruser: iddo: it is his
04:55:41 iddo: andytoshi: i'm looking at memory hardness in this document, the points in favor of ASIC are good (maybe except footnote 9), but i think that you should elaborate on the counter-point that memory-latency tends to vary much less between fastest and average machines due to manufacturing costs, what you wrote there is sketchy because it only considers what is possible and not the costs, there are several academic papers that consider that
05:54:39 Luke-Jr: iddo: the costs are irrelevant
05:55:02 Luke-Jr: iddo: we're talking about currencies here. at some point, the cost will be less than the potential value.
05:55:17 Luke-Jr: delaying that point is not a good thing
05:55:38 Luke-Jr: (because delaying it means more adoption when it breaks down)
05:55:56 Luke-Jr: *(because delaying it means there is already more adoption by the time when it breaks down)
05:58:31 Eliel_: * Eliel_ wonders if it would be possible to make a PoW that was based on looking for functions that satisfy certain conditions.
05:59:22 Eliel_: that could be a task that might be a bit difficult to do with something other than a general purpose processor
06:01:31 iddo: Luke-Jr: what's relevant is that if cost of mem-hard ASIC versus average machines is big relative to the benefit that this ASIC provides, then average machines will participate too, because people already have these machines
06:04:49 iddo: Luke-Jr: if you claim that average machines cannot participate for any PoW function, then this can be construed as an argument in favor of proof-of-stake :)
10:01:20 gmaxwell: ryan-c: yes, I believe a known linear relationship and two signatures gives you the private key... I've never worked through the algebra for that case however.
10:59:57 sipa: gmaxwell: it's probably possible in theory, though there is a (m + (k*G).x)/k... if two different (but related) k's are involved, it's not exactly trivial to solve for k anymore
11:18:05 gmaxwell: the issue with the linear relation was why I couldn't just use a DSA signature for that old provable hash stuff... I had a couple constructions but they let you recover the 'data' in the private key.
13:36:01 andytoshi: ryan-c: after hacking around for a few minutes i don't see a way to break your scheme. i still wouldn't trust it tho.. out of curiosity will you ever reuse the same c with same key?
13:36:19 andytoshi: Eliel_: as for "ECDSA experts", if such a thing existed maybe we would have a proof of security ;)
13:36:56 andytoshi: iddo: yeah, good point, i'll elaborate on that. counter-counter-point: bandwidth can be way way higher for specialized hardware
13:39:02 andytoshi: ;;later tell pilu i have no sources on the bitcoin stuff, sorry, just first-hand discussion with devs + wiki + source code. the "thermodynamics of mining" stuff is largely original and based off of discussions here
13:39:02 gribble: The operation succeeded.
13:39:40 Eliel_: andytoshi: I don't think the bandwidth matters too much if it isn't accompanied by much better energy efficiency.
13:56:24 Luke-Jr: Eliel_: a "general purpose processor" still has SSE, MMX, etc which could be stripped down to make a mining-specific device if not used
13:56:56 Eliel_: Luke-Jr: GPUs are also general purpose processors with much less extra things on them.
13:57:07 Luke-Jr: [06:01:31] Luke-Jr: what's relevant is that if cost of mem-hard ASIC versus average machines is big relative to the benefit that this ASIC provides, then average machines will participate too, because people already have these machines <-- no, because the "benefit that this ASIC provides" is always relative to the value of the cryptocurrency, which is unbounded
13:57:26 Luke-Jr: [06:04:49] Luke-Jr: if you claim that average machines cannot participate for any PoW function, then this can be construed as argument in favor of proof-of-stake ☺ <-- if proof-of-stake were possible, it might have many arguments in its favour
14:03:08 iddo_: Luke-Jr: unbounded? i don't get your argument... just because the value can go up doesn't mean that it will go up
14:37:17 Eliel_: Luke-Jr: ASIC being the best thing to buy if you want to focus on mining is not a problem. Problem is when it's not worth it to use the commodity hardware you already have to mine.
14:38:16 Eliel_: so, if you can't achieve radically better (energy consumption wise) results with the ASIC, then the goal is met.
16:45:13 jtimon: Eliel_ sorry, I missed part of the conversation, which goal?
17:13:03 Eliel_: jtimon: the manufacturing industry for chips is pretty centralized. If mining can happen with equipment that's already out there, then takeover by controlling miner production is much more difficult.
17:17:45 Eliel_: also, that way mining will still function as a way to pull people into bitcoin as there's no huge investment needed.
17:20:33 kazcw: yes, it's good for whatever mining hardware is effective to be widely available. that's what's generally happened with bitcoin; mining power was spread among widely available cpus, then gpus, and asics became more powerful and more widely available at roughly the same time. it only needed to be something everyone already had during bootstrapping.
17:21:53 Eliel_: kazcw: I think it'd still be beneficial. Probably not a necessity though.
17:22:47 kazcw: Eliel_: there's nothing people already have that would gain significant efficiency if there were high incentives to specialize it for a very particular task
17:22:59 Eliel_: well, then again, altcoin mining might be doing the same thing still ... so perhaps it won't make that much difference
18:06:44 ryan-c: gmaxwell: I'm working on a provable hash type scheme again.
18:06:56 ryan-c: which is why i was asking
18:07:40 ryan-c: andytoshi: any particular c value will only ever be used once
18:09:39 ryan-c: I don't trust the scheme either unless I can come up with a security proof.
18:12:11 ryan-c: I have a scheme implemented in python that I'd be willing to share if anyone's interested. (gmaxwell?)
18:13:43 ryan-c: I was inspired to try something when I saw the scheme for creating a self-signed ECDSA message that doesn't explicitly include the public key
18:14:13 ryan-c: http://www.secg.org/download/aid-780/sec1-v2.pdf section 4.1.7
18:14:42 ryan-c: that scheme alone appears to not actually prove that the private key is known though.
18:18:01 andytoshi: ryan-c: regarding security proof, as i'm sure you know there is no proper security proof for ECDSA proper...since one would be implied by any reduction from your scheme to a standard hard problem, that's (probably) a dead end. OTOH there is no reason you can't prove that breaking your scheme is as hard as breaking ECDSA, and i'd accept that as a proof of security
18:20:01 ryan-c: andytoshi: by security proof, I did mean proving it is as hard to break as breaking ECDSA, yes.
18:20:36 andytoshi: okey, just making sure you didn't waste a lot of time :)
18:21:27 ryan-c: Is breaking ECDSA proven to be as hard as breaking ECDLP?
18:24:21 ryan-c: I thought breaking ECDSA is supposed to be as hard as solving ECDLP, but that it has not been proven that there's not a general polynomial time solution to ECDLP
18:28:05 ryan-c: I may be misremembering, and a few minutes on google didn't give me an answer.
18:30:40 gmaxwell: there is no proof that ECDSA hardness is reducible to ECDLP. There is one for schnorr signatures.
18:31:33 ryan-c: That I did not know.
18:36:57 ryan-c: sipa: unrelated, but are there benchmarks of libsecp256k1 vs openssl's implementation online anywhere? Was looking for that yesterday and didn't find anything.
18:37:18 sipa: i've done benchmarks, and probably reported the results in here or in #bitcoin-dev
18:37:32 sipa: but there have been improvements since
18:37:43 gmaxwell: ryan-c: yep, unless one has showed up somewhere and no one knows about it— always possible.
18:37:45 sipa: also, the endomorphism optimization was disabled by default
18:38:23 sipa: but on 64bit, with the assembly field implementation, without endomorphism i expect it to be around 4x-4.5x faster than openssl still
18:38:39 sipa: on 32bit the improvement factor is smaller
18:38:55 ryan-c: that's quite a nice speedup
18:39:12 sipa: with endomorphism it was 6x
18:40:14 ryan-c: why's it off by default?
18:44:49 gmaxwell: Because there are patent concerns.
18:49:51 jtimon: Eliel_ I disagree that the energetic efficiency advantage must be "radical", in a highly competitive market (in which profits tend to zero) a marginal advantage is enough to drive the less efficient actors out of business
18:49:51 jtimon: Anyway, the users can always fight the "takeover" by agreeing on a trivial hardfork to another pow (but of course not scrypt)
18:51:07 Eliel_: jtimon: you can't run someone out of business who would be running the device anyway :P
18:51:53 jtimon: someone with infinite money to lose? I didn't know that was part of the problem definition
18:52:32 jtimon: s/money/resources s/lose/waste
18:53:17 jtimon: but if that's the attacker I think you're f@#cked anyway...
19:35:30 Eliel_: jtimon: no no, normal people who have the computer for other reasons than mining but would like to mine for a little extra on the side. Currently it doesn't happen because ASICs are too much better than even GPUs.
19:37:39 helo: that will never happen
19:40:18 Eliel_: even older asics are getting left behind enough that it's not worth the effort to switch them on :)
19:40:34 helo: by the time normal people hear about it, some kind of (even marginally advantageous) ASICs will have been made
19:41:41 helo: besides, one billion computers splitting the subsidy means $0.00225 per person per day
19:41:47 Eliel_: I've got 2 jalapenos sitting on my table. Looks like they'd still get me $5 a month if I could be assed to start them up.
19:42:00 helo: per *computer per day
19:42:39 Eliel_: you're ignoring the exchange rate increase that would happen if that many people were into bitcoin
19:44:02 helo: the clusterstuff that the blockchain (and fees) would become with so many users might negate that shrug
19:49:46 jtimon: Eliel_ my point is that even with a marginal advantage on ASICs regular users would lose money by mining, not make any (because they spend more energy than they get in reward)
19:52:06 jtimon: also, more miners doesn't mean higher exchange rate at all and anyway exchange rate is not very relevant to mining profitability, at 1000 usd/btc you just will get more difficulty than with 600 usd/btc not more profits
19:52:13 Eliel_: jtimon: even so, it'd be attractive for them to run it. I'm quite sure many people keep their computers running 24/7 anyway. In that situation it's not a net loss to mine.
19:52:20 jtimon: profits depend on competition, not price
19:52:59 jtimon: mhmm, your computer doesn't spend the same energy with 100% cpu usage as with 1%...
19:53:35 Eliel_: no, but the algorithm I was talking about would most likely be memory latency limited, so I doubt the cpu would actually be running at 100%
19:54:27 jtimon: whatever, you will spend more energy mining than not mining, and if the market is competitive enough, regular users will still lose money mining
19:55:48 jtimon: maybe we can see where we disagree more clearly if you read my opinion on altpows here (memory-hard algos are especially broken IMO): http://sourceforge.net/p/bitcoin/mailman/bitcoin-development/thread/CAC1%2BkJOSAoz_BBaFnv4u-Dng7Y4h2tqOHSFRfuKvY87eBR71Gw%40mail.gmail.com/#msg32565542
19:56:23 tromp__: they're happy to get some coins at above-market prices, just to avoid the extreme hassle of registering to buy btc
19:56:43 Eliel_: tromp__: ah, you managed to put into words my point :)
19:58:22 jtimon: mhmm, what if that "extreme hassle" becomes less of a hassle?
19:58:36 jtimon: btw, registering where?
19:58:56 jtimon: if we meet in the street and I buy btc from you...
19:59:09 jtimon: for cash
19:59:31 Eliel_: jtimon: replace registering with "figuring out how to buy btc from someone trustworthy" and you might get it :)
20:00:00 jtimon: fair enough, what if that hassle becomes trivial
20:00:08 Eliel_: then it stops mattering
20:00:36 tromp__: then mining is left to the big players and the irrational:)
20:01:08 jtimon: so do you want to change the pow only so that people don't have to buy btc and can mine them above market price instead?
20:01:49 jtimon: competitive != big
20:01:56 Eliel_: (I'd actually be somewhat interested in purchasing some monero coins, but have not done so so far because I'm too lazy to figure out a trustworthy place to buy some. Secondarily due to the unwieldiness of the wallet software.)
20:03:05 jtimon: I don't know what monero is, but are you proposing to change the pow only so that you can get them more easily?
20:03:47 jtimon: there's another way of obtaining btc you may not have thought about: sell goods and/or services
20:04:15 Eliel_: I think you missed the word lazy in my excuses ;)
20:04:52 Eliel_: anyway, monero is a ring-signature based system
20:05:11 jtimon: you can mine btc at a loss already if it's only about laziness and not caring about money...
20:05:12 tromp__: monero is one of an increasing number of cryptonote-based altcoins
20:05:36 jtimon: oh, right, the ring signature stuff
20:23:57 ttgg: You know who else has a ring signature? Sauron