00:22:29vintagetrex:I heard this is the place
00:24:19vintagetrex:can anyone brief me on what the pros agree is state of the art but currently possible with side chains?
00:27:41kazcw:that's kind of vague. you want to know everything that will be possible with a mechanism that will make just about anything possible? is there a specific kind of thing you're interested in being able to do?
00:28:56vintagetrex:ya, can you use a "root chain" to store the transaction data of a branch chain, thereby allowing the tokens of the branch chain to have the same transaction strength as the "root chain"
00:29:41kazcw:you mean commit to a merkle root for the sidechain in the main chain (or a parent)?
00:33:06vintagetrex:idk man
00:34:21vintagetrex:I think so
00:34:26pigeons:its going to confuse some people thinking that site is a general cryptography review site with that name i get
00:39:17vintagetrex:anybody uploading to datacoin?
00:39:48maaku:vintagetrex: not here
00:43:24maaku:vintagetrex: proof of publication is the name given to any system where you can send data, and have confidence that "everyone else" has seen that data
00:43:30maaku:aka it has been published
00:44:02maaku:bitcoin is such a system for transaction data only under ideal circumstances
00:44:17maaku:because, e.g. a 51% collusion could censor transactions
00:45:03vintagetrex:ya I was thinking of the data witnessing of Bitcoin
00:46:47opencryptoreview:pigeons: I see your point, 'crypto' is a shortenting of crypto-currency. What if I add a short about in the sidebar that mentions cryptocurrencies?
00:51:04opencryptoreview:pigeons: done
00:54:14gmaxwell:opencryptoreview: using 'crypto' as a shortening of crypto-currency reeks of incompetence (or when used as 'cryptos' with unfamiliarity with english too). Crypto to refer to cryptography has a history of decades, and mostly originates out of asset speculators.
00:55:03opencryptoreview:gmaxwell: suggest a better name?
00:56:13gmaxwell:So it looks like there is on the order of 74.135 BTC lost forever due to wallets that 'pay to p2sh' by using a regular p2hash160 script with the p2sh data as the hash160.
00:57:03gmaxwell:This is an estimate based on counting all the unredeemed txouts to hash160s where the same hash160 was used in a p2sh payment.
00:57:23gmaxwell:Damage here multipled by the fact that bc.i displayed the 'payments' under both the hash160 and p2sh addresses.
00:57:28gmaxwell:(until about two weeks ago)
00:57:58gmaxwell:e.g. if you used a p2sh wallet and someone with a moronic wallet paid to the hash160 of your p2sh address, bc.i would show the payment as confirmed.
00:57:59opencryptoreview:justanotheruser: doesn't have the same ring
00:58:36gmaxwell:yes, it doesn't ring of incompetence.
00:58:45sipa:wow, painful combination of bugs :s
00:58:56tacotime:openccreview is fine by me
00:58:57gmaxwell:Seriously, to anyone with actual expirence in this space calling crypto-currency 'crypto' is an embarassing tell.
00:59:23tacotime:but obviously those two letters mean different things to different people, and cc is by no means a universal abbreviation..
00:59:27opencryptoreview:explain why embarassing?
01:00:06tacotime:cryptography and cryptocurrency are just two totally different things.
01:00:21gmaxwell:Because its most common in the tech ignorant asset speculators.
01:00:44opencryptoreview:I see, those who use mintpal?
01:00:51vintagetrex:maybe crypto = (crypto currency + cryptography)/2
01:00:54gmaxwell:and yea, indeed, different things... though some understanding of cryptosystems is important to understand cryptocurrencies.
01:01:22sipa:mostly some applied cryptography/security
01:01:39sipa:but also distributed systems/networking
01:01:51gmaxwell:(so, e.g. if someone is recommending you use a 'crypto' (meaning crypto-currency) this is generally bad news because the term misuse means they likely don't have the tech exposure required to make a good recommendation)
01:01:54tacotime:you might start getting people in your forum writing about all kinds of unrelatable stuff like new ec curves and stream ciphers. ;)
01:02:16vintagetrex:i use the word Crypto just because I want to get away from the Bitcoin vs bitcoin thing. Sometimes you hear people talking about how awesome Bitcoin is and think they're telling you of this investment opportunity
01:02:46sipa:cryptocurrency research is hardly ever cryptography research
01:02:48opencryptoreview:it's it likely that if cryptocurrencies go mainstream then 'using this or that crypto' will become the right shortening for them?
01:02:56opencryptoreview:*isn't it
01:03:07sipa:not in academia
01:03:23tacotime:i hope not
01:04:06sipa:crypto really just means hidden :p
01:04:09tacotime:who coin cryptocurrency? satoshi?
01:04:29sipa:ironically, nothing is hidden in bitcoin like cryptocurrencies
01:04:43gmaxwell:tacotime: no, the term exists since at least the 80s.
01:05:06gmaxwell:There is a fair argument that bitcoin isn't even a cryptocurrency in the original sense.
01:05:11justanotheruser:opencryptoreview: when I use https or http, I don't even use the word protocol. I think it will be the same. People will drop the "crypto" in cryptocurrency.
01:05:17tacotime:ah, okay. it seems like a strange thing to name it if you were to think of what bitcoin is/does.
01:05:53tacotime:it's more like a digital or virtual commodity.
01:06:01opencryptoreview:I wanted to use a name that applied to Bitcoin as well as the various altcoins
01:06:22sipa:opencoinreview? :p
01:06:38tacotime:opencoinreview sounds ok
01:07:01sipa:that does sounds like you're reviewing currencies themselves though
01:07:09sipa:not research.about them
01:09:00vintagetrex:is it possible to sell a zero day whitepaper?
01:10:38gmaxwell:apparently Coinpunk is guilty of sending to HASH160s.
01:10:43gmaxwell:(for p2sh)
01:12:12gmaxwell:oh BC.i is still doing the confused stuff. https://blockchain.info/address/3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
01:12:35opencryptoreview:anymore name suggestions?
01:13:09gmaxwell:vs https://blockchain.info/address/1HT7xU2Ngenf7D4yocz2SAcnNLW7rK8d4E
01:14:19gmaxwell:both have hash160 b472a266d0bd89c13706a4132ccfb16f7c3b9fcb
01:15:35gmaxwell:the P2SH side is the spendable side... but a lot of coins have been sent to the regular hash160.
01:17:33gmaxwell:interesting 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy is some kind of example script
01:20:16opencryptoreview:ok, email me if you think of a better name: dsmurrell@gmail.com, a catchy name is sometimes better than a technically correct name
01:20:44gmaxwell:What was wrong with the coin based ones?
01:20:50opencryptoreview:which one?
01:21:17gmaxwell:18:06 < sipa> opencoinreview? :p
01:21:17gmaxwell:18:06 < tacotime> opencoinreview sounds ok
01:21:50gmaxwell:(coin is already heavily overloaded, so its less of a dogwhistle)
01:22:13sipa:then again, you probably don't want to be associated with opencoin...
01:22:18opencryptoreview:as sipa said, sounds like a review about the coin
01:22:23opencryptoreview:what is opencoin?
01:23:12gmaxwell:why not cryptocoinreview?
01:23:25gmaxwell:perhaps preferable to cryptocurrency
01:29:57vintagetrex:yall, I have a really awesome mining algorithm :D
01:31:37opencryptoreview:most of the domains for cryptocoinreview are taken
01:38:24gmaxwell:vintagetrex: in here we share our ideas and learn from each other... though if 'mining algorithm' means proof of work function, I think most of us are pretty bored of those. (since it's really hard to suggest anything that is 'interesting' and isn't just twiddly tradeoffs, often in hard to analyize ways)
01:40:23vintagetrex:I enjoy sharing my work but I am worried that it will get abducted by capital if I share, so I'm waiting until I have a team ready to execute
01:41:14sipa:then there's no point in mentioning it either
01:42:20vintagetrex:I know im just so excited
01:43:54vintagetrex:I think I got P2P proof of storage down, a feel for proof of retrieval, and then this other one
01:44:49vintagetrex:so there's a teaser
01:46:14gmaxwell:vintagetrex: have you read the altcoin treatize on bitcoin.ninja? Keeping things secret is starkly at odds with producing correct cryptographic tools, even potentially at odds with ethical behavior if these are things that you'd ask other people to use or invest in.
01:46:56gmaxwell:Virtually no one in the altcoin space is actually writing any software so there is farily little risk of someone implementing something out from under you. The greater risk is that ethereum will add it to their whitelist of features and give you no credit for it.
01:47:05gmaxwell:But that seems more or less harmless.
01:47:14gmaxwell:(and perhaps it's becoming a right of passage at this point… :P)
01:48:26gmaxwell:Beyond getting you feedback (esp. essential impossibility feedback) you also establish priority, new ideas in this space are not hard, you just ask the right questions with the right background and they pop out. How would you feel if someone else invented your idea too but they went and patented it? Publication prevent them from getting a valid patent on something you also thought of.
01:49:03gmaxwell:Go look at https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas for some very interesting ideas, pratically none of which have been implemented by anyone https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas
01:49:41vintagetrex:the patent laws changed, publication doesnt really help you out unless you patent
01:49:51gmaxwell:vintagetrex: Thats untrue.
01:50:15gmaxwell:First to file is not at all about prior art, it deals with how cases of two people patenting the same thing are arbritrated.
01:51:13vintagetrex:well my problem is that im not a developer so its fairly easy for someone to pass me up
01:51:27vintagetrex:also, theres an isue
01:51:38vintagetrex:BTC isn't inflationary forever
01:51:46vintagetrex:and this creates competition for side chains
01:52:00vintagetrex:so I dont want my side chains to get made on BTC
01:52:31gmaxwell:vintagetrex: I think if you're just looking to currency ponzi you should probably go elsewhere.
01:52:39vintagetrex:it would be easier to make them on BTC, but this would hurt the people using the side chains, as a result, I don't want to post my math until I have a project redy to accept them
01:53:33gmaxwell:Hm. you probably shouldn't use 'side chains' to refer to altcoins. The term is already being used for non-new-currency chains (e.g. other blockchains that trade in actual bitcoin).
01:53:41gmaxwell:You should say 'altcoin' unless I'm misunderstanding you.
01:54:07gmaxwell:vintagetrex: in any case, especially if you are not a developer— your ideas are probably not actually workable.
01:54:08vintagetrex:ok Crypto 2.0 that entails an alt "root chain" with "side chains"
01:54:42gmaxwell:(or aren't actually new)
01:54:51vintagetrex:ok man, sorry for calling out Gavin and Garzik...
01:55:11vintagetrex:now chill out and realize there's going to be new innovations in the crypto space
01:55:35vintagetrex:and bitcoin will be disrupted sooner or later
01:55:54gmaxwell:I have no clue what you're talking about wrt Gavin and Garzik. But if you're interested in currency ponzying rather than tech you don't really have any business in this channel.
01:56:04gmaxwell:gmaxwell has kicked vintagetrex from #bitcoin-wizards
01:56:16tacotime:saw that one coming.
01:56:39gmaxwell:Was I out of line?
01:56:54tacotime:nah, i had no idea what he was talking about.
01:57:29gmaxwell:the nature of open development is that some people are going to take and give nothing back, but it kinda irritates me when there are people conspicuously doing so.
01:57:52gmaxwell:esp these 'business' people who have 'amazing ideas' if only they could get people to program them.
01:58:42gmaxwell:they're generally not actually a threat to anyone, since their ideas are usually unworkable... but it kind of annoys me that if they could they would learn everything there is to learn from me, extend it one inch further, and patent the result so I couldn't use it.
01:59:26gmaxwell:oh he was already banned in #bitcoin by jgarzik
01:59:32tacotime:but programming is the fun part. *stuck on the same leveldb bug for past three hours*
01:59:40tacotime:yeah, well, that's the state of patent laws i guess.
02:01:33petertodd:gmaxwell: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy is Hash160('') - a fun thing to do would be to bruteforce a valid pubkey that was also a valid script
02:03:08gmaxwell:petertodd: yes, but with 160 bit values that 2^80 work to find such a pair.
02:03:23petertodd:gmaxwell: nope, the script might be valid just because it's two useless pushes
02:04:34gmaxwell:hm. doing it by finding a pubkey which is also a script is 2^256 / number-of-possible-spendable-scripts-of-that-size
02:04:54petertodd:gmaxwell: here, gimmie five minutes...
02:05:57gmaxwell:yea actually it's huge. e.g. short push and then a long push equal to the length.
02:06:13gmaxwell:would be easier if OP_RETURN worked in pubkeys.
02:08:11sipa:it sounds trivial?
02:08:48sipa:idon't think it requires more than grinding 16 bits of the pubkey
02:10:18sipa:actually, 8 bits
02:11:14sipa:02 + 2 bytes + 1C + 28 bytes
02:11:35sipa:or 03 + 3 bytes + 1B + 27 bytes
02:11:58petertodd:here you go: KyKEbFdAovbNe32tPH5H6iYpgGi5T9raagTAgJnkPUvhRADi6T9y -> 025ce41d7aec0b0f88c510d045305178659c16251a876aca6cb785194334bbf896 -> CScript([x('5ce4'), x('7aec0b0f88c510d045305178659c16251a876aca6cb785194334bbf896')])
02:15:17gmaxwell:oh right I see. for some reason I was thinking the data inside would be the redeemscript, I was thinking one level too deep.
02:17:35petertodd:here's an even better one: L1P7zisxzFSHXZTCQddK1xaGdgdqKiVCs47kb6j4jGwWysrtbqaX 03641eee1b2919d6a7a0dd5ea30dbfee0e687948e57e70b347eb8c32feae01d96d "asm" : "-7216740 2919d6a7a0dd5ea30dbfee0e687948e57e70b347eb8c32feae01d9 OP_2DROP"
02:21:26gmaxwell:if these are common enough you could use them to rip off someone using wallet software that makes the bc.i mistake of confusing the two.
02:22:01gmaxwell:e.g. get them to generate addresses until they hit one that is a redeemable p2sh. Then pay them as p2sh, and they'll think they are paid.
02:22:04gmaxwell:Then take the funds back.
02:23:30petertodd:fairly high success rate on that too
02:24:11petertodd:well, eligius will hopefully confirm this 0100000001862cf1300b45d8de24ebe31e42ffd324c719b37f32f56135a2a598942fc489900000000023512103641eee1b2919d6a7a0dd5ea30dbfee0e687948e57e70b347eb8c32feae01d96dffffffff0150c30000000000001976a914d3e604621abfc263162af107834b5a04011b975188ac00000000 soon, and if you're on bitcoin master, you can send the script locally too with Gavin's IsStandard() relaxation patch
02:25:18petertodd:code here: http://0bin.net/paste/RtE8e76Yh8Xeqky0#KmdSj9rvIrNfrcKVihADtbRshhNPiHd1buENJbtdrkI
02:25:45petertodd:5mBTC to anyone who cleans that up a bit and submits a pull-req for python-bitcoinlib's examples directory
02:26:12kanzure:what is unclean about it besides the conspicious "while True"?
02:26:40petertodd:kanzure: it should pretty-print the P2SH address for you and have a copyright (un)notice
02:27:12petertodd:kanzure: I mean, I'd spend the 5 minutes to do it myself, but nice to give newbies an opportunity to do something useful
02:27:34opencryptoreview:petertodd: pm'ed you
02:27:35kanzure:i see. i was eyeballing examples/ today so it's somewhere near the top of my head.
02:27:37gmaxwell:should perhaps work by addition of G to an initial random secret.
02:27:52gmaxwell:getting the point multiply out of the inner loop will make it hundreds of times faster probably.
02:28:14petertodd:gmaxwell: yeah... still haven't had a chance to figure out how to add point multiply stuff to python-bitcoinlib's key handling
02:28:37petertodd:^ for that, specifically BIP32 support really, 500mBTC bounty
02:28:51kanzure:if you actually cared about speed and still wanted something resembling python you'd probably end up using cython
02:29:19petertodd:kanzure: indeed, anyway that script returns results in just a minute or two
02:29:48gmaxwell:it's only interesting because of broken software that treats p2sh and non-p2sh the same.
02:30:46petertodd:yeah... be fun to do a analysis to find out how much BTC has been destroyed due to that mistake
02:31:25gmaxwell:I did. If all the errors are on the pay-to-pubkeyhash where they should have been p2sh side, ~74 btc.
02:31:57gmaxwell:I could narrow it some by looking to see which of the two (if any) side have successfully spent.
02:32:05kanzure:why is it pay-to-pubkeyhash but pay-to-sighash is p2sh
02:32:37gmaxwell:kanzure: looks like someone has implemented p2sh by sending as pay-to-pubkeyhash. e.g. just ignoring the version byte.
02:32:53petertodd:gmaxwell: counterparty did that
02:33:03gmaxwell:thogh _most_ of that 74 is the hash of the empty string.
02:33:09gmaxwell:like 65 btc of it or so.
02:33:21gmaxwell:so that might be a different problem
02:33:26sipa:that sounds like a bug too, but a differemt ome
02:34:00kanzure:gmaxwell, actually my question was much more boring (it was about abbreviations)
02:34:27gmaxwell:we don't have an abbrivation for pay-to-pubkeyhash other than 'address'
02:35:17sipa:p2pkh :)
02:35:35sipa:bindeed, unysed and probably not recognizable
02:38:39petertodd:interesting: https://blockchain.info/address/3M1S3tZVkEJw7zVBtn1Mq8McVyfnNMAuoX isn't showing the re-use bug like Hash160('') does
02:39:04gmaxwell:petertodd: bc.i supposidly fixed it
02:39:11gmaxwell:what it seems like they did was just fix it going forward.
02:39:38gmaxwell:they also seem to have not disclosed this, but instead just fixed it quietly.
02:40:14gmaxwell:but at least if we exclude the Hash160('') case it's not a _ton_ of coins potentially lost.
02:40:25petertodd:yeah, less than other fuckups
02:40:50gmaxwell:about 6BTC-ish less whatever is wrong in the other direction (the p2sh is the unspendable side)
02:41:26gmaxwell:the victims there probably don't even know it yet.
02:41:56petertodd:what do you mean?
02:43:26gmaxwell:Joe blow is using some p2sh wallet. He asks someone to pay him. He sees the payment come in on bc.i. He think's he's paid.
02:43:35gmaxwell:But really the sender used coinpunk and the coins are lost.
02:43:53gmaxwell:someday he will go to spend those coins, and they won't be there in his p2sh wallet.
02:44:10gmaxwell:but until he does, he may have no clue that he doesn't really have those coins.
02:44:33petertodd:ah, I see what you mean, agreed
02:46:58petertodd:lol, 3PhyP1FWB8KgwrNgUPbjP7iv6YfoH3GhK7 is kinda hilarious....
02:47:50gmaxwell:what this?
02:48:41petertodd:gmaxwell: e.g. 70c8405bd0ec10bea49b78a819dfbf46c1082e7e620588f9da65a90b71e52bbd which spends an output of it...
02:48:56petertodd:"asm" : "OP_IF OP_HASH160 c11697659735859a6975f3736a0f132d7cd37dee OP_EQUALVERIFY OP_HASH160 9752d0cc5c375099063f7c0b9063bc8d2077d395 OP_EQUALVERIFY OP_HASH160 fa66143f81182941d0c4d6ee672c118d7273c6fe OP_EQUAL OP_ELSE 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f OP_CHECKSIG OP_ENDIF"
02:51:05gmaxwell:I suggested dsnrk try to see if OP_DUP OP_HASH160 OP_DROP2 OP_CHECKSIGVERIFY showed up as payments to on bc.i wallets, but I dunno if he tried it.
02:51:34petertodd:gmaxwell: like, scriptPubKey == that?
02:51:34gmaxwell:I thought it likely they would, and if so you could make payments to bc.i users that only you could spend but would show up for them.
02:51:53gmaxwell:e.g. if their function for extracting the address just grabbed the push at a particular offset.
02:51:58gmaxwell:and ignored the rest of the script
02:52:04petertodd:ah, seems unlikely
02:52:22petertodd:* petertodd wonders if a non-std pushdata would show up
02:52:24gmaxwell:well I would have called it unlikely until p2sh and p2pkh aliased each other.
02:52:53petertodd:well, that's a mistake I can kinda see from a "fuck it, I'm too lazy to do this right" standpoint
02:53:06petertodd:not obvious that it'll cause issues if you're not security minded
02:53:51gmaxwell:well considering that they used to show things with no verificatio nat all…
02:54:07gmaxwell:e.g. https://people.xiph.org/~greg/21mbtc.png
02:54:22petertodd:yeah, not an impossible mistake...
02:56:16phantomcircuit:gmaxwell, coinjoin question, has there been any progress on a decentralized coinjoin system?
02:56:33phantomcircuit:petertodd, also to you
02:57:17petertodd:phantomcircuit: in terms of implementation? AFAIK no - darkwallet has long-term plans for that, but short-term they need to make their existing stuff more robust
02:57:41petertodd:phantomcircuit: that said, what darkwallet does *is* a decentralized scheme, that only happens to run on a centralized transport layer for now
02:58:02petertodd:phantomcircuit: so any work to make it more robust/attack resistent is dual-use
03:16:16petertodd:lol, maidsafe had the impression that the #bitcoin-wizards were investors: https://maidsafe.org/t/bitcoin-core-developer-peter-todd-critique-of-maidsafe/735/9
03:28:42gmaxwell:'investors' in what?
03:34:25petertodd:gmaxwell: maidsafe
03:37:28gmaxwell:oh I see hahah
03:37:46gmaxwell:well obviously because technologically savvy people wouldn't be interested…
03:39:03petertodd:kind of a shit situation, because I *really* wish maidsafe/storj would just scale down their goals to something we know can actually be achieved, like a simple pay-for-data by hash network that doesn't make unrealistic promises
03:40:21jbenet:petertodd how do you feel about filecoin?
03:40:45petertodd:jbenet: haven't read much about it, but I'd be more than willing to bet a beer that it's the same situation...
03:40:56kanzure:that's hilarious.
03:41:28kanzure:check the logs
03:41:30jbenet:petertodd look fwd to hearing you thoughts :)
03:41:55jbenet:aww kanzure, now he won't be unbiased :'(
03:44:15petertodd:jbenet: I'm arrogent enough to believe that all the other -wizards are fools whose thoughts are worthless in comparison to my all knowing self - so no worries re: bias
03:44:34kanzure:i meant you should check the logs, not petertodd
03:44:43petertodd:kanzure: lol
03:44:51jbenet:petertodd haha sounds pretty biased to me :)
03:45:07pigeons:if petertodd thinks your idea is really doomed, he might consult for you ;)
03:45:30petertodd:jbenet: hehe, anyway, in all seriousness, always consider making your first project in this space something we're confident can actually be done :)
03:45:50petertodd:pigeons: hey! I consult for the non-doomed too, although usually the latter needs my help less...
03:47:02jbenet:kanzure talking to me? not sure which message you refer to. Am new in this channel, so *shrug*
03:47:21kanzure:yeah, i think there's an adequate treatment of your proposal in the logs already
03:47:33jbenet:petertodd would love to hear anything about filecoin that you're confident can't be done :)
03:47:49tacotime:speaking of doomed
03:48:23tacotime:apparently there's a whitepaper for something called "slingshield" which enhances the amount of network hash rate required to double spend from 51% to 71%
03:48:47tacotime:i have no idea where these numbers are coming from though, and i'm not really even terribly sure how the algorithm works.
03:48:49gmaxwell:jbenet: I just don't understand why you think the storage being outsourcable is at all attractive. ISTM the logical conclusion is that there will be one pool that stores everything, and serves nothing that isn't required for the production of a block, and even if you want to compete with them you'll have a hard time to become effective since you may only be able to learn the historical data via what dribbles out in proofs. (then add ...
03:48:55gmaxwell:... to the the risk that said pool is able to skip a lot of the storage due to a CSPRNG oracle)
03:49:23jbenet:kanzure: odd, are http://download.wpsoftware.net/bitcoin/wizards/ correct? searched for filecoin in last three days and nothing, yet i know messages exist.
03:49:47petertodd:jbenet: ^ like I say, this stuff is a lot more doable when you don't try to make what are probably unrealistic promises. Just create some nice software to pay for data by hash and call it a day.
03:50:02kanzure:jbenet: http://download.wpsoftware.net/bitcoin/wizards/2014-07-17.html
03:50:23tacotime:yeah, 13th and 17th of this month
03:50:37kanzure:either you grepped or you have a better memory than me
03:51:03tacotime:the former, i clone the directory
03:51:41jbenet:gmaxwell i'm not necessarily for or against outsourcing. expect a follow on paper addressing this.
03:52:20gmaxwell:tacotime: what you linked to isn't described clearly enough for me to comment on, but it ~seems~ that the author is under the mistaken impressions that the network participants have a globally synchronous clock.
03:53:11gmaxwell:jbenet: well I mean, in the presence of what I described I don't see why such a system has much value at all. Or certantly any differential value against, say, people paying coins to someone who stores data.
03:53:27jbenet:(let me rephrase that): i'm very certainly for outsourcing in bitcoin's case. but did not need to enter this iteration of filecoin.
03:53:45tacotime:gmaxwell, i'm having a lot of trouble following it too. i thought it was something along the lines of there being different difficulty adjustments when blocks are empty, and if there are more blocks happening quickly you need greater fees to include tx into those blocks (i guess???)
03:53:56gmaxwell:(or saying it the other way, ni cut and choose proofs for proof of storing data are fine and useful and someone should make a storage that does it— but there is no reason to build an altcoin out of that except to turn it into an investment scam.)
03:55:24kanzure:are there any scenarios where you'd really need amazon s3 or their glacier thing to return a hash to you after uploading data?
03:55:54petertodd:kanzure: it's an obvious way to verify the data really got there intact
03:56:01jbenet:gmaxwell that's not true at all. among reasons, consider a market protocol, allowing providers to come in and out fluidly. there are properties useful when built on its own blockchain, though it can certainly be done on top of others.
03:56:07kanzure:aren't the other protocol layers handling that
03:56:23gmaxwell:kanzure: one issue with these services is the risk of storage-ponzi, where you pay them to store your data but they just dump it to /dev/null.
03:57:00gmaxwell:this is especially interesting if you don't want to have storage monopolies where there isn't effective competition because only the most trusted storage providers are safe to use.
03:57:02jbenet:kanzure yep, gmaxwell is spot on this is why the field of proofs-of-retrievability exists
03:57:05kanzure:jbenet, there are many other designs you can pick for a market
03:57:30phantomcircuit:gmaxwell, proof of storage at least gets you something
03:57:42phantomcircuit:using it as the sole basis for payment though seems a bit daft
03:57:52gmaxwell:but saying that these proofs have some value is not the same as saying they have any value in connection with some altcoin.
03:58:06jbenet:true, so we'll have to see :)
03:58:21petertodd:jbenet: if I were you I'd write a patch to add the necessary opcodes to create scriptPubKey's that can only be redeemed in the future, and only by providing a merkle path from a chunk of data chosen randomly by the previous blocks in the chain
03:58:42gmaxwell:also even retrievability proofs are pretty limited, especially non-interactive ones... since they don't prove that you're not censoring the data.
03:58:51petertodd:jbenet: get dogecoin or something to implement it, and then write your software to leverage that to incentivize randoms around the network to store the data in hope of collecting the reward later
03:58:58gmaxwell:A much stronger system would be one that proves retreviablity interactively by satisifying PIR queries.
03:59:32petertodd:jbenet: couple that with the obvious "send me this data and I'll pay you" thing and you're golden - see amir and I's paypub for details on that
03:59:55jbenet:petertodd: cool, go for it :)
04:00:09kanzure:no, he's telling you to do that so that your reputation doesn't go down the drain..
04:00:14petertodd:jbenet: ^
04:00:19tacotime:gmaxwell, uh, hm. https://github.com/fractalcoin/fractalcoin/blob/527c242b4076ea77634584fc596bdc21aa98416a/src/main.cpp#L1311-L1327
04:00:36petertodd:jbenet: you're far better off if you do a series of projects that actually work, even if they're less ambitious...
04:00:55gmaxwell:tacotime: wow I dunno how anyone could have extracted the paper from that or vice versa!
04:01:06gmaxwell:also that code is psycho.
04:01:10tacotime:yeah hahah
04:01:32tacotime:my head is spinning
04:02:59jbenet:it's common to see every new idea with lots of skepticism at first. And that's fine, otherwise really bad ideas would waste lots of resources. We'll continue the discussion, and you might come to agree, or you might not. all i ask is we hang on to reasoned arguments as time goes on and this service unfolds :)
04:03:26kanzure:those words totally ignore everything that has been said to you
04:03:41petertodd:jbenet: I mean, hell, look at my track record: stacks of little ideas that actually get implemented, usually by others, and occasionally by myself with small proof-of-concept demos that Actually Work
04:04:00gmaxwell:it's okay, it's also the case that it's unlikely to actually exist in any case. Most ideas don't get implemented.
04:04:07jbenet:kanzure: no, i hear it, we are all saying valid things without finding precise opposition.
04:04:18kanzure:petertodd, that might not be a good argument because his bounds for "working" might include "someone is actively attacking my system, but i'm okay with them successfully attacking"
04:04:56petertodd:jbenet: this isn't about opposition, this is advice for how to become better known and make money. You *will* achieve that by making working tools that are less ambitious a lot faster than what you're doing.
04:05:28gmaxwell:jbenet: well I gave you a novel attack which you were apparently unaware of but you didn't care... I suppose you didn't care mostly because the storage part of the system is nearly irrelevant— which was the other fold of the criticisms around it, with the trivial outsourcing of the storage it seems likely that the storage won't be useful just a marketing point.
04:05:31kanzure:oops i meant "someone is actively and successfully attacking my system, and i'm okay with this"
04:05:43petertodd:kanzure: unfortunately true :(
04:06:07gmaxwell:which really juts makes it sound like its yet another hope and dream get rich scheme, and most of those don't actually get implemented (e.g. go look at the proshares whitepaper).
04:06:41petertodd:jbenet: oh, and my other bit of advice: if you see someone elses good idea that isn't implemented, if you're the first person to implement it in the public's mind you'll get the credit for the idea no matter how much you make it clear who really invented it. So do that!
04:07:13jbenet:petertodd thanks for the advice, i think this holds lots of promise, and many people agree. let's keep the discussion on the system. believe me it will be implemented.
04:07:23tacotime:it is good advice probably. my first foray into cryptocurrencies was designing and then trying to implement my own pow/pos hybrid system, and pretty much everything i do takes longer than expected and there's still no guarantee at the end of the day that what i create will be useful or secure.
04:07:52kanzure:tacotime, but you can have evidence of insecurity
04:08:17tacotime:that's true. i guess negative results are something of value.
04:08:20jbenet:sorry gmaxwell, having a hard time keeping track of all messages and responding on a phone, sec
04:08:38petertodd:tacotime: +1 my first foray into cryptocurrencies was opentimestamps, a project so boring I actually got it to work even with all the overdesigning I did at first
04:09:25jbenet:gmaxwell, by novel attack you mean censoring the data?
04:09:58gmaxwell:jbenet: the CSPRNG attack.
04:10:50gmaxwell:(which permacoin is vulnerable too, and I kinda surprised amiller with it when he first described permacoin in a workshop.. though permacoin has some argument where its at least complicated due to the forward error correction).
04:13:52jbenet:Oh, yeah what we discussed yesterday. The claim is that attack isn't rational to do when it costs more to add than you get from the proofs. your claim then was that you could still use it at cost to ensure you can claim certain blocks, am i right?
04:15:20petertodd:jbenet: assuming rationality needs to be your last resort; the issue here is an irrational attacker isn't spending very much to attack the system
04:16:10gmaxwell:At least if you're going to make an economic argument the lines should be clearly seperated. The idea that someone could spend upfront in order to have a big perpetual advantage seems odd and concerning.
04:16:18petertodd:A good case in point is the decentralized Twitter thing Twister, which got attacked repeatedly early on until they gave up and centralized it via checkpoints.
04:16:20jbenet:petertodd parse error, sorry. can you please make your claims really precise? what will you have the adversary do here?
04:16:53petertodd:jbenet: the adversary does the CSPRNG attack, which is very cheap for them - your irrational attacker can be very small
04:17:22gmaxwell:Does the attack even have a cost at all if the attacker is initially a miner?
04:17:36phantomcircuit:if you're irrational attacker is small enough then maybe they're rationally entertaining themselves
04:17:41petertodd:gmaxwell: indeed - sounds like a fun weekend project
04:17:43petertodd:phantomcircuit: +1
04:18:26petertodd:Never mind that they may have come up with a clever idea for paying for data, argued about it a lot on IRC, and will be butt hurt if filecoin turns out to work.
04:18:36jbenet:it isn't cheap: the attack must pay to add each block and control enough such pieces or power in the network to ensure he can claim a block using them
04:18:47petertodd:jbenet: but pay what?
04:19:04gmaxwell:e.g. I am mining the system, In my blocks I 'store' data which is asymmetrically cheap for me to retrieve, helping to cement my position as the best outsourcer for storage in the future.
04:19:22jbenet:petertodd: yep, coins mined.
04:19:29gmaxwell:I'm not sure why a rational miner wouldn't always produce maximum sized blocks, padded with CSPRNG data in such a model.
04:19:48petertodd:jbenet: ...and those coins are going to be worth very, very little
04:19:59jbenet:gmaxwell because a miner must compete with all other miners that might legitimately store and use that data
04:20:32petertodd:jbenet: yes, but the attacker's cost to compete is far lower
04:21:31gmaxwell:jbenet: Can you say that more clearly? I am attempting to produce a block. There are no data storage transactions available at the moment, why will my block not attempt to store however much CSPRNG data I can (or alterantively, however much minus whatever there are fee paying transactions for).
04:22:41jbenet:gmaxwell because when you add the data, you must pay for all its future payout from proving it upfront. then broadcast the data to other miners, who will then be able to use it to claim those rewards.
04:24:16jbenet:the adversary must ensure being the first to find a PoW that lands on _that_ specific PoR challenge, first, before all other miners. in every case.
04:25:26gmaxwell:Thats not so— it's only so if they are to be sure that they get 100% of the funds back. Of course, even that isn't a challenge if they've driven everyone else out of business because they have much lower storage costs.
04:26:22jbenet:a valid form of this attack is this: if miners are able to chose a large TTL with insignificant reward, they might be able to exploit this. so, this may introduce the need for a lower bound on the reward, will think about this more
04:26:54jbenet:gmaxwell uhhh if they've driven everyone else out of business they don't need to do this attack at all.
04:26:57jbenet:they are >51%.
04:27:22gmaxwell:this attack is part of how they drive everyone else out of business.
04:27:47gmaxwell:(because they can mine more efficiently than everyone else, so why would anyone else bother?)
04:32:13jbenet:gmaxwell, not quite. let's look at a concrete case, suppose we have N pieces already out, where N > 10000, and miners so far have been honest (this is easy bootstrap, it's ~1TB of data). as an incoming attacker with no coin, what do you do? you could mine a few blocks honestly, get some coin and then perform the CSPRNG attack, introduce some easily
04:32:14jbenet:regenerated data.
04:33:30jbenet:the adversary broadcasts the data and must now continue to compete on computation, hoping to get a challenge landing on these pieces BEFORE others claim the rewards.
04:34:22petertodd:no, the adversary is simply gradually making the cost of getting the reward lower and lower for them.
04:34:23jbenet:(( btw, this totally ignores on-demand secondary markets, which will certainly emerge, making it much harder to perform this attack ))
04:36:29jbenet:petertodd sorry, your claims aren't precise, please point out in this model how the cost of the reward is "getting lower and lower", given the upfront cost which can be claimed by any other miner
04:36:42petertodd:jbenet: it's very simple: I pay an upfront cost to make my long-term cost of mining lower
04:37:48jbenet:petertodd, we're talking past each other :) your statement ignores mine.
04:38:01jbenet:anyway, gmaxwell, would love to discuss more later, i've to head out atm, but will be back in a few hours. see you 'round.
04:38:11petertodd:bbl myself, got an audit to finish
04:38:12kanzure:you can't claim a cost
04:40:00jbenet:oh and gmaxwell, this paper has nothing to do with crypto, but i'd love to get your thoughts on this file system: http://static.benet.ai/t/ipfs.pdf
04:40:14jbenet:you can see it as roughly, dht + git + bittorrent + the web.
04:40:42jbenet:(disclaimer: it's not finished, bitswap hasn't been analyzed at all and is probably broken atm.)
04:42:16jbenet:* jbenet afk
09:35:26kill\switch:kill\switch is now known as kill\switch\away
09:59:23irc.freenode.net:Disconnected from irc.freenode.net (ERROR :Closing Link: S0106c0c1c0894c25.vs.shawcable.net (Ping timeout: 264 seconds))
10:04:38sinisalo.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged at http://download.wpsoftware.net/bitcoin/wizards/. For questions about the logs talk to andytoshi.
10:04:38sinisalo.freenode.net:Users on #bitcoin-wizards: andytoshi-logbot grandmaster wallet42 e4xit cym MoALTz jaumeWSN edulix justanot1eruser nairb Emcy_ Graet grubles Hunger- p15 aburan28 Logicwax mortale TheSeven prepost Transisto todaystomorrow zenojis Ursium Luke-Jr jctb HaltingState jaekwon Alanius Aquent copumpkin zling_ [nsh] michagogo irclouis fanquake mapppum jchp digitalmagus irc88 K1773R jgarzik spinza phedny Mikalv so ranjit_ DoctorBTC kazcw gmaxwell jaromil tromp OneFixt samson_
10:04:38sinisalo.freenode.net:Users on #bitcoin-wizards: HM forrestv wizkid057 nkuttler kinlo quackgyver mmozeiko Eliel_ lechuga_ helo espes__ ryan-c Fistful_of_Coins pi07r UukGoblin kanzure epscy keus Krellan Sangheili Muis amiller artifexd CryptOprah nikitab smooth melvster a5m0 heakins catcow midnightmagic EasyAt Pan0ram1x roasbeef petertodd Apocalyptic andytoshi crescendo comboy_ Ken` @ChanServ gribble mhanne at0mat SomeoneWeird tromp__ jbenet wumpus sl01 lianj danneu burcin ebfull
10:04:38sinisalo.freenode.net:Users on #bitcoin-wizards: phantomcircuit danielpbarron aynstein_ BlueMatt [\\\] pajarillo harrow otoburb Anduck zibbo [Derek] Keefe warren asoltys LaptopZZ gwillen rs0 weex altoz realazthat poggy Guest79174 maaku sipa nanotube throughnothing justusranvier LarsLarsen drawingthesun waxwing pootieta1g super3 optimator_ iddo quickcoin gigavps mkarrer Cory NikolaiToryzin jcorgan Kretchfoop jj88 kiddouk abc56889_ pigeons