00:30:49cookiemonster:hmmm there are test failures in bitcoinj
00:46:30gmaxwell:sipa: a potentially interesting observation: per node obfscuation of data stored in databases might serve the purpose of better isolating the database behavior from being consensus normative.
00:47:00gmaxwell:sipa: e.g. if the database had some crazy bug that made it lose some records, if the records have per node scrambling then its unlikely that consensus splits would fall along version lines.
00:47:16sipa:good point yes
00:50:44gmaxwell:(oblivious ram is the insane logical conclusion of that argument… but perhaps even the simple version is useful)
01:04:09phantomcircuit:oblivious wat
01:04:52gmaxwell:hah. I recommend the path oram paper: http://arxiv.org/abs/1202.5150
01:05:11gmaxwell:It meets Peter Todd's "could an art student implement this" test.
01:06:02gmaxwell:ORAM is the tool that answers the "I have some small device which wants to use untrusted storage; and I want the untrusted storage to learn nothing about what I'm storing or about my access patterns (other than the total amount of access)"
01:08:17phantomcircuit:gmaxwell, that's pretty neat
01:09:13gmaxwell:and path oram has non-insanse overhead (okay, it's pretty bad if you want to use it for actual ram), and is simple to implement.
01:09:44gmaxwell:you actually _could_ use it for ram though... which I guess is surprising.
01:12:01nsh:nice intro here: http://bristolcrypto.blogspot.co.uk/2012/03/oblivious-ram.html
01:12:27nsh:"If I recall properly, there's no actual, formal security definition given for oblivous RAM. I messed around trying to formalize a game-playing/oracle-distinguishing kind of notion once, but wasn't happy with some of the details. (I had a masters student look into it too.) Have you guys worked this out?" hmm
02:07:28amiller:nsh that makes no sense, the formal definition for oram was given in like 1980s
02:07:51amiller:its a pretty simple definition
02:16:23nsh:ah, ok
02:28:47copumpkin:copumpkin is now known as thedevilhimself
03:54:44maaku:maaku is now known as Guest52846
03:56:25cookiemonster:what's a wizard?
03:58:30Neko3:a powerful internet being
03:58:57pigeons:not just the internet, they are also painted on the side of vans
03:59:35amiller:someone with too much time
04:01:00Luke-Jr:amiller: lol, not really
04:01:20Luke-Jr:cookiemonster: a bitcoin wizard is someone who studies cryptocurrency beyond bitcoin today
04:01:34Luke-Jr:so basically what scamcoiners pretend to be
04:02:02cookiemonster:haha do you guys know of any offchain blockchain projects currently active?
04:03:25cookiemonster:do you guys think ethereum will take off?
04:03:28amiller:do you just mean non-bitcoin projects? what exactly do you mean by offchain
04:05:30cookiemonster:oops sorry, it's getting late, offchain transactions projects
04:06:01cookiemonster:i saw some work done https://en.bitcoin.it/wiki/User:Aakselrod/Draft
04:06:51cookiemonster:and the project development post decentralbank.com not sure if they will be implementing oracles though. https://bitcointalk.org/index.php?topic=718112
04:11:53pigeons:yeah maybe look at #bitcoinj micropayment channels, altough they all get settled on the chain of course
04:14:15cookiemonster:is there anything that allows for offchain transactions or is open transactions voting pools the only one?
04:14:29cookiemonster:for transactions to be realized off chain
04:14:44super3:who is working on microtransactions/microchannels now?
04:14:59cookiemonster:decentralbank and open transactions
04:15:07super3:i've only seen bitcoinj implementation really working
04:15:15cookiemonster:oh wait not sure if open transactions is doing it that way.
04:15:53cookiemonster:shawn congratulations of the crowd sale
04:16:02super3:cookiemonster: thanks
04:16:46super3:like to put some of that BTC towards better microchannel/microtransaction support
04:18:08cookiemonster:i'm trying to make a simple version of open transactions voting pools
04:19:12zooko:Which sale?
04:20:16super3:all praises go to gmaxwell
04:20:31super3:just a step closer to autonomous bitcoin agents
04:21:34cookiemonster:what's the progress of driveminer?
04:22:10zooko:* zooko reads http://cointelegraph.com/news/112028/storj-to-release-metadisk-and-begin-crowdsale
04:22:17super3:i got an earful about the whitepaper so i'm working on that now
04:22:36super3:after thats finished, i can put our component libraries together and show off a little demo
04:22:38cookiemonster:not technical enough? lol
04:22:49cookiemonster:what matters is code!
04:22:55super3:well when i wrote it bitcoin 2.0 was still new
04:22:59super3:cookiemonster: thats what I said!
04:23:02zooko:* zooko looks at http://storj.io/crowdsale.html
04:23:36super3:would love some eyeballs for peer review of the introductory paper on metadisk
04:24:09super3:which is the precursor to storj
04:26:06cookiemonster:btw how are you gonna implement proof of resource?
04:26:22super3:its essentially a hash challenge algorithm
04:26:50super3:you take the file, a seed, and generate a unique hash
04:27:49super3:you generate a bunch of these deterministically, then put into a merkle tree
04:27:58super3:you store the merke root in the blockchain
04:28:23super3:then you issue these challenges to node hosting/farming a chunk of your file
04:29:53cookiemonster:seems simple
04:29:56super3:it really is
04:30:14super3:tl;dr hashing
04:30:25super3:the best solutions are simple
04:30:36cookiemonster:what do you think of these guys https://bitcointalk.org/index.php?topic=718112
04:30:55cookiemonster:they seem to be working on microchannels
04:31:16super3:hmmm, something to look at
04:31:28super3:whats with all these whitepapers on github?
04:32:01cookiemonster:it's more accessible i suppose lol
04:32:32cookiemonster:you should post yours on github.
04:36:44super3:it makes them unreadable
04:37:44cookiemonster:haha! better use latex then. lol
04:39:05super3:yeah i'm learning latex now, i'm stating to think its a trail by fire you have to go through for a good whitepaper
04:40:35cookiemonster:ethereum's gavin woods yellow paper is a piece of art
04:42:35super3:i did a test on a user that gave me some grief, he couldn't even answer a question about Sybil attacks
04:43:02super3:the more equations and the longer you make people will just assume that you know what you are talking about
04:43:34super3:kinda sad, but Satoshi did it right
04:43:53cookiemonster:satoshi must have had experience as an academic
04:44:44super3:kept it short, and keep your statistical analysis(with all those fancy math symbols) for the end
05:06:33cookiemonster:what are some tor alternatives to preserve a client's annonimity?
05:07:10gmaxwell:there is no real tor alternative. (There is i2p, but it is a very small network compared to tor— and anonymity loves company)
05:07:47gmaxwell:cookiemonster: whats with the academic comment above?
05:08:35luke-jr_:luke-jr_ is now known as Luke-Jr
05:10:05cookiemonster:when i first saw satoshi's paper it gave me the impression of someone academic. i have submitted papers to top conferences and they look similar
05:10:11gmaxwell:cookiemonster: you mean the white paper which was _very_ clearly written _not_ using latex? (It was written with openoffice, though its really obvious not latex just from the appearance, notice that it doesn't have half the lines hyphenated, and the text is full of vertical whitespace rivers)
05:10:22cookiemonster:yes his paper
05:10:45cookiemonster:gavin woods used latex.
05:11:09Luke-Jr:cookiemonster: also, using bitcoin over tor is *still not* anonymous
05:11:15Luke-Jr:Bitcoin cannot be used anonymously
05:11:33gmaxwell:* gmaxwell is a little tired of seeing people claim that the bitcoin whitepaper being typeset in latex as evidence of something when it really obviously was not typeset in latex
05:12:01gmaxwell:it isn't at all.
05:12:08cookiemonster:it isn't
05:12:19gmaxwell:(not to mention that the bitcoin whitepaper uses clean, plain languge, and is completely free of the fashionable academic jargon...)
05:12:37Luke-Jr:* Luke-Jr wishes he had time to make a latex file that produced the pdf pixel for pixel <.<
05:13:03gmaxwell:Luke-Jr: would be pretty difficult. unless you mean just embedding eps. :P
05:13:08cookiemonster:oh my, i started something here.
05:13:09Luke-Jr:gmaxwell: :P
05:13:30Luke-Jr:cookiemonster: see what happens when you bore us with "anonymity" talk? :D
05:15:18Emcy:no one really believe bitcoin will ever be grafted with some solid anonymising technology do they
05:15:53Emcy:as default for muh anonymity set
05:15:57super3:Emcy: the current altcoin fad says so
05:16:21super3:anonymous coins are all the rage now
05:16:36Emcy:yeah if their technology works
05:16:56Emcy:or rather if they have new technology and its not just 100% nullshit
05:17:04super3:its 100% nullshit
05:17:27gmaxwell:Emcy: the bytecoin and forks aren't nullshit, but the rest are.
05:17:27Emcy:no some ive heard have had interesting ideas
05:17:51super3:i remember someone was like "I'm going to create a awesome new coin with Tor support thats super anonymous"
05:18:14super3:then I pointed out that you could already use Bitcoin through Tor.
05:18:18Emcy:i get the feeling that too much stuff is relying on tor overall these days
05:18:49gmaxwell:Emcy: you can always build whatever more anonymous protocol you want and run it on top of tor.
05:19:09Emcy:sounds painful
05:19:18Emcy:sounds latent
05:19:18gmaxwell:why? tor makes things a lot easier.
05:19:32Luke-Jr:gmaxwell: hm, if we go with weekly daughter-chains, those could probably make good use of bytecoin's privacy stuff
05:19:33gmaxwell:no realtime anonymity system can be very anonymous anyways.
05:20:12Emcy:how does bitmessage fit with that
05:20:17Emcy:its pretty realtime ish
05:20:50cookiemonster:how much does bitmessage lag?
05:20:54gmaxwell:Emcy: bitmessage recievers could be very anonymous— except for some bad design in bitmessage. Senders are not very anonymous, at least to an attacker with lots of network visibility.
05:21:23gmaxwell:Luke-Jr: you think my interest in the ring signature approach is purely academic? :P
05:21:32Luke-Jr:gmaxwell: :P
05:21:37phantomcircuit:Emcy, realtime necessarilly means senders are not anonymous
05:21:47Emcy:cookiemonster the main lag in bitmessaging is the pow of the messages
05:21:53Emcy:its like 2 minutes
05:22:31Emcy:doesnt the fact that that the receiver on bitmessage is very anon make the sender also rather anon
05:22:40Emcy:given that the contents of the message are also crypted
05:22:54cookiemonster:wasn't there some mit kid who was doing something faster and more secure than bitmessage?
05:22:56phantomcircuit:Emcy, not really no
05:23:07cookiemonster:can't remember the name of his project
05:23:14phantomcircuit:Emcy, you can trade bandwidth for time though
05:23:18Emcy:you can see the a send sent a mesage but you dont know what or even to whom
05:23:26gmaxwell:I like pond, though its a pretty different model than bitmessage.
05:23:51phantomcircuit:basically construct an onion routing network in which each node has a connection to n other nodes and every x seconds transmits y random looking nonsense
05:24:01phantomcircuit:the problem is that is very expensive to operate
05:24:07Emcy:i really thoght tor already did that
05:24:35Emcy:i ran a meshnet thing years ago that had the option for bandwidth saturation obsfusication
05:24:53Emcy:well i started it, it was a meshnet so i didnt run shit
05:26:04gmaxwell:Emcy: sadly even making bandwidth constant doesn't prevent confirmation attacks.. not without completely unreasonable network designs.
05:26:18gmaxwell:because, e.g. I can _interrupt_ your connection and then see if the traffic stops.
05:26:19Emcy:phantomcircuit if the internet accounting really comes to the point where we really are counting bytes becayse bytes matter then we are so fucked for so many things
05:26:48gmaxwell:so the only kind of low latency design that is completely free of confirmation attack is one which either delivers all packets or no packets.
05:26:48Emcy:damn youre right
05:26:54gmaxwell:(to everyone in the network)
05:26:57phantomcircuit:gmaxwell, yeah i've thought of that
05:27:08phantomcircuit:there's essentially no way to deal with that afaict
05:27:17gmaxwell:There is at least one paper that suggests how such an all-or-nothing thing could be built, but it would be trivial to DOS.
05:27:23phantomcircuit:except to randomly break connections for long periods of time
05:27:35gmaxwell:The only thing you can do is have very high latency, making the confirmation attacks hard to pull off without being noticed.
05:28:21gmaxwell:(and presumably if you notice you'll stop sending, thus thwarting the attack)
05:28:35zooko:gmaxwell: wait, there could be dummy traffic, couldn't there, that originates not from the sender of the actual cleartext.
05:29:05Emcy:so new research ground has to be broken before the endgame of technology overcoming surveillance falls in our favour...?
05:29:08zooko:So then you'd be vulnerable to the person responsible for generating that -- since they can presumably tell, then they can participate in a confirmation attack... ?
05:29:15zooko:But not to everyone else?
05:29:17gmaxwell:zooko: there can be dummy traffic but you have to make the real traffic stop if the dummy traffic stops. Thats what I mean by all or nothing.
05:29:45gmaxwell:indeed, the privacy set for the dummy traffic could be less. I think thats what the paper I was thinking of above proposed. Can't remember the name.
05:29:58gmaxwell:result is still that it makes the network quite fragile.
05:30:15Luke-Jr:what if the lag was unpredictable, and a message could be years old before people see it?
05:30:32zooko:I don't follow "you have to make the real traffic stop if the dummy traffic stops". I wass imagining that there's a sender, and a cloud of anonyrouters, and a recipient
05:30:48zooko:and the confirmation attack is that you DoS the sender and then observe whether the traffic stops flowing to the recipient.
05:31:16zooko:And I was wondering if that attack could be prevented by having some other party whose job is to provide dummy traffic to that recipient for you, but only if your real traffic isn't using up all the bandwidth.
05:31:25zooko:Disclaimer: I've had one scotch, it's late, I'm dumb, etc.
05:31:30gwillen:I was having the same thought as zooko, I think, but I haven't spent more than 10 seconds thinking about it
05:31:40zooko:Yeah, you're like 1 second ahead of me there. ;-)
05:31:59gmaxwell:zooko: in most attacks on anonymity networks the recipet is conspiring with (or at least observed by) the attacker. Otherwise just encryption is sufficient.
05:32:28zooko:Hm, I was assuming that the recipient himself isn't attacking you. Good point.
05:32:38gwillen:so, in the 'observed from outside' case you should be safe, if the recipient's link is constantly saturated with cover traffic
05:32:45gwillen:if the recipient is conspiring then you're in trouble
05:32:52zooko:So now we need to hire someone who can generate dummy traffic that appears to be you *to your recipient*. And also doesn't ruin your score in the game by playing badly while you're being DoS'ed. ;-)
05:32:53gmaxwell:you can get greater privacy with a dummy source, but blocking the dummy source must equally block the traffic or the recipent can tell.
05:33:09gmaxwell:which is why I was saying it makes the network fragile.
05:33:21zooko:That part I don't understand.
05:33:31zooko:Assuming the recipient isn't part of the attack,
05:33:51zooko:then it seems like we could have a set of dummy sources, where blocking a subset of them has no effect on the observed output.
05:33:56gmaxwell:if the recipent isn't part of the attack you more or less don't need an anonymity network (assuming that encrypted traffic isn't censored)
05:34:19zooko:The attacker I'm thinking of can observe the recipient's ciphertexts and timings and so on, but not his cleartexts.
05:34:25zooko:Is that what you meant?
05:35:03zooko:So I want to send ciphertexts to someone, and I assume that you can't decrypt them, but it is important to me that you can't figure out to whom I'm sending them.
05:35:27gmaxwell:or at least— a CBR anonymity network is sufficient, under that model.
05:35:41zooko:What's that?
05:36:59gmaxwell:everyone connected always sends at a constant bit rate, regardless of if there is data to send or not.
05:38:05Emcy:that would be doable for a text system i would think?
05:38:07zooko:Oh, yeah.
05:38:45zooko:So, I don't understand how your and my models are differing. To prevent the attacker from figuring out — or confirming — which recipient I'm sending my ciphertexts to, I need something like a mix network, right?
05:39:00gmaxwell:Emcy: it would be, but it still doesn't help in the case of confirmation where the attacker sees the recievers plaintext.
05:39:28gmaxwell:zooko: they're different when the reciever is the attacker (or conspiring with)
05:39:37Emcy:endpoint security is kinda another sphere
05:39:50gmaxwell:(or insecure to, as emcy kinda notes)
05:40:22Emcy:a fatal one if youre targetted, but owning endpoints cant or isnt being done wholesale
05:41:03gmaxwell:Emcy: and when someone compromises a service widely used by many people?
05:41:14zooko:gmaxwell: okay, I think I see the point that if the attacker can see the recipient's cleartext, then confirmation by DoS of a suspected sender is a very strong attack.
05:41:49Emcy:people shouldnt be using 'services' any more for important stuff
05:41:52Emcy:thats like snowden 101
05:42:01Emcy:the MS ruling yesterday
05:42:10zooko:I was confused earlier because I thought you were saying that defense against confirmation attack required this all-or-nothing broadcast thing, and it doesn't sound like that to me, for the case that the attacker can't see the recipient's plaintexts.
05:42:31gmaxwell:zooko: yea, sorry I was adopting a stronger attack model and not making that clear.
05:43:21gmaxwell:Thats normally the attack model I think of, some bitcoin influence— we usually use a strongly adversarial / byzantine model, everyone is potentially a traitor. :)
05:44:21zooko:Yeah, that's an interesting added threat for me to keep in mind. Thanks for bringing it up.
05:44:21nsh:. o O { i wish there was a #bitcoin-wizards digest... }
05:44:56gmaxwell:nsh: start writing one? :P
05:45:12nsh:convince the foundation to pay me :)
05:45:35gmaxwell:there are other sources of funds out there!
05:45:41nsh:(nah, i don't need money; money is stupid)
05:45:55nsh:i have a five million dollar bill to pay! (allegedly)
05:46:05zooko:Better get to work.
05:46:11nsh:* nsh nods
05:47:06midnightmagic:gmaxwell: Your scenario is similar to: Tormail servers are found and compromised and FBI is trying to unmask future clients that visit the site via traffic analysis?
05:47:48midnightmagic:(or traffic futzing)
05:47:58gmaxwell:midnightmagic: not just that, a lot of times we use an anonymity network because we aren't sure if we trust the target. Otherwise plain encryption would keep the content of our discussion private.
05:48:03zooko:midnightmagic: good example
05:48:16zooko:gmaxwell: well I think there are three cases, not two.
05:48:47zooko:1. You don't mind if 3rd-party attacker sees the traffic patterns as long as they can't see the plaintext,
05:49:23zooko:2. You don't want 3rd-party attacker to know to whom you're speaking (and of course therefore other things about the traffic patterns become an issue), but you don't mind if the person to whom you're speaking knows that it is coming from you,
05:49:33zooko:3. You don't want to 2nd person, to whom you're speaking, to be able to identify you.
05:49:52zooko:I was assuming 2 until now, and I'm glad to have 3 brought to my attention.
05:50:16gmaxwell:right this is the case— say when someone in most of the world accesses wikipedia, or google, or etc. 2. is when you are in the middle east and access a gay rights site (probably— ) (3) might be the case when the aformentioned gay rights site is a sham run by the iranian goverment to entrap homosexuals.
05:50:40gmaxwell:(or in a bunch of other cases— I used that to show that you can't tell if you're in (2) or (3) reliably)
05:50:55zooko:Yeah, that's a good point.
05:51:04zooko:People probably often assume 2 when their enemies can make it 3.
05:52:17Emcy:try russia for that
05:53:17Emcy:what about the journalist-source relationship model
05:53:48Emcy:thats a very real world thing
05:54:35Emcy:snowden just used pgp email, which he had to beg greenwald for weeks in plain emails to learn before he would talk
05:54:51gmaxwell:Well thats just a point that usability matters.
05:55:37Emcy:but i guess if nsa were actively watching their employees all the time he would have been nabbed way before he even got to say anything
05:56:17Emcy:well i think he used a burner computer and cafe wifi so perhaps not
05:57:57zooko:The fact that Snowden succeeded at that seems like a very important data point to me.
05:58:08zooko:I don't believe for a minute that NSA deliberately let him do any of that.
05:58:15zooko:And so the fact that they failed to prevent it means a lot to me.
05:59:13zooko:And related to the threat modeling here, it also indicates to me that it was a type 2 situation.
05:59:40Emcy:perhaps it was hubris
05:59:42zooko:NSA was watching the recipients, at least Appelbaum and Poitras, for sure, and this implies that NSA was unable to read their plaintexts.
05:59:47Emcy:or really just rank incompetence
05:59:58Emcy:but we dont know how much they have thightened their ship up now
06:00:03zooko:Yeah, good point.
06:00:17Emcy:i sort of hope the internal paranoia will be a deleterious factor for them
06:01:48Emcy:why should those sods get all the efficiency benefit of a stong and open hierarchical organsation while normal people have to live their lives like the french resistance or just capitulate tot he lack of privacy
06:03:53Emcy:zooko you mean snowden was in contact with appelbaum along with greenwald and poitras?
06:04:32gmaxwell:yes, kinda.
06:05:07Emcy:hm i never heard that before
06:05:14Emcy:i wonder why he contacted him
06:05:20gmaxwell:Jake actually interviewed him as a tech vetting thing, because e.g. greenwald wasn't technically versed enough to tell snowden from a k00k.
06:05:52Emcy:wait was jacob the guy that tought greenwald how to pgp
06:06:25nsh:via poitras
06:06:55Emcy:no wonder he lives in germany now
06:06:56nsh:they live next door to each other in berlin iirc (appelbaum and poitras)
06:11:59gmaxwell:Emcy: kinda worse, because not too long before the snowden stuff was made public Jake had been in hawaii for a birthday party. (I wouldn't be surprised if there were some folks in this channel that were there); he'd interviewed snowden before then but had no clue about him, it was coincidental... but it looked an awful lot like he'd gone and turned snowden or something.
06:14:34Emcy:if that was me germany wouldnt be far enough
06:14:45Emcy:i dont know where would be
06:15:05gmaxwell:and then there is this crazy substory of John Gilmore, also right before this making a quasi prank call along the lines of "they're onto us! dump the documents!" and hanging up, also nicely coincidentally timed.
06:15:32gmaxwell:Emcy: there is an optimization problem where too far and you're in some place with no political might of its own and maybe you just get vanished.
06:15:42Emcy:yes exactly
06:15:56Emcy:that is the meaning of global jurisdiciton
06:16:19midnightmagic:i thought germany was pretty bad for the unjustified, endless surveillance and harrassment thing
06:16:38Emcy:well.......they sure used to be
06:16:58gmaxwell:midnightmagic: germany still feels guilty for the whole killing the jews thing, so actually they seem to be pretty concerned about Doing The Right Thing in this space.
06:17:34zooko:gmaxwell: that's interesting.
06:17:47zooko:To whom did John Gilmore make this prank call?
06:17:47Emcy:theyre were up to their necks with the NSA though, and the outrage was fake before they found out the embassy was spying on merkels govt too not just the plebs
06:17:59midnightmagic:there was a CCC(?) talk once where a woman described in excruciating detail her experiences being harrassed basically forever by local authorities. she had a really rough go of it..
06:18:05Emcy:i think they sort of take it more seriously after that
06:19:32Emcy:midnightmagic that was east germany?
06:19:42Emcy:or after reunification....?
06:19:54pigeons:i listened to that too
06:20:01Emcy:fuck what
06:20:08gmaxwell:zooko: I'm not sure I remember the story well enough to tell it relably. I just remember it was apparently coincidentally timed with this stuff, and ended up contributing to some people's fear that they'd be implicated in snowden's actions.
06:20:09pigeons:well this was her husband she was talking about
06:20:40Emcy:well here
06:21:24midnightmagic:Emcy: No, I'm trying to find it now, it was just some poor woman who was only tangentially related. She did a whole talk about her experience, it was mind-warping.
06:21:49Emcy:an woman just got raided by drug squad on a total bullshit warrant last week the day after she posted pictures of our current chancellor at her flat dancing and on coke in the early 90s
06:21:53Emcy:so why am i surprised
06:22:54Emcy:midnightmagic id watch that
06:22:56midnightmagic:pigeons: was it CCC? google sucks for history these days
06:23:32pigeons:yes it was
06:24:05pigeons:her husband was an artist or something and had some contact with activists who may have had a plan to do something considered terrorist
06:24:15pigeons:but yeah it made you cry
06:24:22pigeons:probably around 2007 or so
06:24:38Emcy:midnightmagic it must be maddening to never know if its just beureocracy being mindlessly indifferent to your suffering as it does, or if theyre doing it on purpose specifically for you.
06:24:46zooko:gmaxwell: cool
06:27:39pigeons:midnightmagic: http://events.ccc.de/congress/2007/Fahrplan/events/2381.en.html
06:28:07pigeons:that's the one i was thinking of
06:28:36gmaxwell:Emcy: why not both?
06:28:36zooko:zooko has left #bitcoin-wizards
06:29:20Emcy:it being ;nothing personal' hardly mkaes it ok
06:30:23Emcy:pigeons thanks ill watch it later, when im in the mood
06:30:40pigeons:i wonder if it would still even bother me 7 years later
06:30:47pigeons:kinda jaded now
06:31:02Emcy:might be interesting to see if it does
06:31:13Emcy:theres a torrent, thats handy
06:31:35midnightmagic:I have a copy also if the torrent seeders are gone
06:31:53pigeons:is that the one you were referring to?
06:31:54midnightmagic:pigeons: yeah you beat me to it, that's it.
06:32:00Emcy:yeah doesnt look seeded lol
06:32:19midnightmagic:hang on i'll upload it somewhere
06:33:21Emcy:eh DHT says 19 peers but getting nothing
06:33:51gmaxwell:meanwhile, I'm busily deleting posts on the Spondoolies-Tech thread in the mining subforum because yet another crazy asshole is responding to every poster who says anything positive about Spondoolies and accuses them of being a jew. :-/
06:33:58gmaxwell:Emcy: hurray for DHTs.
06:34:23Emcy:yes the peer numbers seem to be completely unreliable
06:34:30midnightmagic:PTSD for the years-long siege :-/
06:34:37Emcy:im not even sure if htey refer to what i think they refer to
06:35:46Emcy:gmaxwell literally a jew?
06:36:26Emcy:pigeons link seems to time out :(
06:36:58midnightmagic:hang tight 30s to go I'll give you a HS link, fire up your torbrowser bundle
06:37:05gmaxwell:Emcy: yea, I'm not sure if they're anti-semitic or just trolls that picked up on that as a good way to piss people off.
06:37:55Emcy:i think the jew thing has become a bit of a silly meme on the internet lately.......
06:39:37gmaxwell:pretty embarassing to share a forum with such things.
06:40:17Emcy:oh well, at least you dont have to patrol the altcoin forum
06:40:33midnightmagic:Emcy: check pm
06:40:59gwillen:gmaxwell: I think most of the 'jew' stuff online is just trolling
06:41:14gwillen:because it's only like, half a slur, so people can get away with it
06:41:22gwillen:but it's enough of a slur to get a rise out of people
06:44:44gmaxwell:yea, thats what I meant by 'not sure'—
07:13:56cookiemonster:^ot wizards
08:27:23cookiemonster:why does bitcoin not use a dht?
08:31:08gmaxwell:cookiemonster: because a DHT is not generally applicable technology.
08:31:39gmaxwell:They don't accomplish something we need to accomplish (bitcoin does not do sparse random access lookups), and don't offer a security model which is compatible with what bitcoin needs.
08:32:15gmaxwell:(The only DHT's that have any real degree of attack resistance are the anti-sybil-social-network-routed ones like Freenet and CJDNS.)
08:33:19cookiemonster:what about kademlia?
08:33:21gmaxwell:(wow, and I answered that without breaking a sweat, the drugs must be working!)
08:35:10gmaxwell:cookiemonster: about all all kademlia accomplishes is that (unlike simpler designs) is not exponentially likely to fail completely when a couple of nodes innocently go offline... sybil attacks are still super effective against pratically all of them. And again, they don't do something bitcoin needs.
08:35:53gmaxwell:It's like asking if why Bitcoin doesn't use A* path finding and a z-buffer.
08:36:18wumpus:they could be used for UI effects :o
08:37:19gmaxwell:Indeed, even on DHT's there are uses in the bitcoin ecosystem— just not the bitcoin blockchain itself. Sometimes I'm a little narrowminded... to that I'd mostly say "'cause no one has done it yet"
08:37:43gmaxwell:snazzy effects in wallets would be fun. :) "take that dogecoin"
08:38:37wumpus:or a coin with human-player mining like huntercoin could use A* in the block chain for NPCs
08:39:24wumpus:but yes this gets into dogecoin territory :)
08:39:38gmaxwell:well the question wasn't why doesn't huntercoin use a dht. :P
08:40:38wumpus:well the point is just that I see more uses for A* path finding and z-buffers in bitcoin than dhts :)
12:43:15randy-waterhouse:randy-waterhouse has left #bitcoin-wizards
13:39:57wallet421:wallet421 is now known as wallet42
14:38:02amiller:iddo, have you gotten any feedback on your proof of activity paper
14:38:06amiller:from academic circles
14:38:25amiller:does anyone grok it? are you doing anything else to formalize the assumptions about stake holder's incentives and decision making
14:38:46amiller:you're presenting it at a future workshop is that right?
14:50:24iddo:amiller: so far i presented PoA at two universities, austin/texas to david zuckerman et. al. but there few grad students due to summer (i asked if i sounded convincing and they said yes), and in athens/greece to crypto people there (who try to analyse some other stake systems), they seemed less convinced
14:51:12iddo:amiller: about formalization, it's possible to try to do it as rational MPC, where participants have utility function
14:51:45iddo:but it's complex, the model should capture that participants can send coins to other participants to modify their utility function...
14:53:26iddo:i'll present it to Bitcoin people in bitcointlv.com/en (this conference was postponed due to security problems in israel)
14:56:28jgarzik:gmaxwell, heh. RE your sidechain comments at http://www.reddit.com/r/Bitcoin/comments/22vn4m/why_do_people_think_that_sidechains_are_going_to/cgqy5w6
14:56:30iddo:amiller: if people at UMD are interested and wish to invite me to discuss this kind of stuff then it might be nice:) my co-author in other Bitcoin-related papers (Ranjit Kumaresan) was from UMD
14:56:57jgarzik:gmaxwell, it would be interesting to put the verifier code inside https://github.com/jgarzik/moxiebox
14:57:08jgarzik:gmaxwell, then you have provable execution of verifier code
14:57:26jgarzik:at a second level (you have 1st order with simply verifying, of course)
15:00:56amiller:" but it's complex, the model should capture that participants can send coins to other participants to modify their utility function." that sounds like a wacky model :)
15:06:52iddo:it'd be interesting to try rigorous rational analysis given well-defined assumptions, but it'd be difficult to have assumptions that capture reality, i think
15:11:53iddo:jgarzik: when SNARK is ready for prime time we may try 2-way pegging without relying on miners (as are the concerns in the reddit thread that you linked to)
15:13:29iddo:anyone knows what's the business model of sidechains dev team? how are sidechains supposed to generate revenues for the developers?
15:49:48Guest52846:yes, snarks are a pretty striaghtforward pathway to full validation of the side chain
15:49:59Guest52846:if you can find a performant, non-CRS snark that is
16:26:23nsh:interesting: http://redecentralize.org/interviews/2013/10/17/07-jeremie-telehash.html
16:41:04Guest52846:Guest52846 is now known as maaku
17:00:22super3:iddo: they could use the ethereum model :-P
19:31:13BigBitz:where are the smart people :)
19:31:19BigBitz:I have a question regarding nonce values...
19:31:42amiller:the smart people are waiting to hear your question first before embarrassing themselves
19:31:55BigBitz:Is it correct to say a miner cannot set a nonce value as it's an unknown element?
19:32:07BigBitz:ie; all miners ae guessing the nonce and only one nonce is correct to hash the blockheader?
19:32:46amiller:by "correct" you mean results in a valid proof of work?
19:33:01gmaxwell:It's not clear to me what you mean by "cannot set"
19:33:05BigBitz:Yeah - becoming a valid 'nonce' on the blockheader/blockchain.
19:33:13amiller:there can be many nonces that work
19:33:29gmaxwell:And no, many nonce values may be correct... though for the overwhelming majority of work template no nonce values are correct.
19:33:53gmaxwell:(also depending on exactly what you mean by 'nonce', I was assuming above you just meant the nonce field in the header)
19:34:04BigBitz:gmaxwell so - let me explain what I wanted to do... We were planing a little bit of fun in OTC (little raffle) and I suggested we used the nonce value of Block XXXXX.
19:34:18BigBitz:ie; a user selectes a number from 0000 - 9999 (ie; 4 chars)
19:34:30BigBitz:and when the successful block hits the network we use the nonce value from that block.
19:34:50BigBitz:I was trying to keep it simple but some people have suggested that a miner could actually control their own nonce (which I didn't believe to be correct)
19:34:54gmaxwell:miners can influence that at no cost to themselves. (pratically, there might be a cost)
19:35:24BigBitz:So they /could/ influence their own string of 4 chars to be 'valid' in that nonce value ?
19:35:27gmaxwell:(e.g. because their hardware happens to be setup to only be able to increment the nonce in particular ways)
19:35:33gmaxwell:BigBitz: yes
19:35:44BigBitz:OK so for this purpose using a nonce value would be stupid, right?
19:35:48gmaxwell:BigBitz: yes
19:35:48Anduck:if they entry 1000 and start searching correct nonce near their entry value, it's then biased
19:35:53BigBitz:OK. Nice.
19:36:04Anduck:for example 1000*
19:36:25BigBitz:thanks gmaxwell / amiller :)
19:37:04amiller:BigBitz, try using the residual bits in the black hash
19:37:06gmaxwell:Designing cryptosystems— and thats what your lottery is— safely is hard.
19:37:11amiller:like the ones on the opposite side of all those zeroes
19:37:18gmaxwell:Miners can still influence that, but its no longer free. :)
19:37:31BigBitz:gmaxwell / amiller what would you suggest?
19:37:50BigBitz:I wanted to keep it relatively simple and only let users submit a 4 string long value ie 1234 or 4567 etc.
19:37:51Anduck:i guess last 4 bytes of blockhash is safe enough when the prize is 0.1 btc and sacrificing a valid block costs a bit too much
19:38:19Anduck:sacrificing / holding. not even ghash.io would try it
19:38:30BigBitz:Heh not for 0.1BTC \o/
19:40:30gmaxwell:You can prevent miner cheating by having someone announce X such that H(Y)==X then after the block happens, they announce Y, you compute H(Y||block_hash) and use that to determine your winner. Then a miner can only influence if they collude with the party that created X (and with a minor modification you can have multiple Xs). Also note, If your number of players isn't a power of two you do have to take some care to not bias your ...
19:40:36gmaxwell:... selection.
19:41:43gmaxwell:(e.g. just simplisitcally taking an index from the nonce would produce a biased selection, unless your player count was a power of two)
19:42:12petertodd:gmaxwell: "per node obfscuation of data stored in databases" that's a real-world issue I found in the counterparty audit - good idea
19:42:37gmaxwell:petertodd: oh yea, what was the issue like?!
19:43:38BigBitz:gmaxwell thanks.
19:43:40gmaxwell:while I was typing that I was thinking that the class of problems it would help were really unlikely. (and that making all the records constant size would accomplish a lot of the benefit by itself)
19:44:06gmaxwell:BigBitz: http://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle
19:44:42gmaxwell:oops that isn't the link I wanted.
19:44:49petertodd:gmaxwell: they were catching exceptons in a way that made them consensus critical
19:46:25gmaxwell:oh yea it is, it discusses the issue in the "modulo bias" section
19:46:50BigBitz:Yeah just reading it.
19:48:10gmaxwell:Doesn't give a solution, easiest way is to just use repeated hashing to have your input generate a potentially infinite stream of random numbers, you pull out enough bits to be equal to or greater than your range, and if the number is too big— you throw it out and take the next random number.
19:48:51gmaxwell:e.g. if you need 1000 players, you pull out 10 bit numbers, and if you get a 1001 you discard it and take the next random number until you get one that isn't too big.
19:49:34BigBitz:Sounds sane.
19:50:40gmaxwell:(there are more 'entropy' efficient methods, but they're much more complicated and people are more likely to get them wrong.)
19:51:48BigBitz:Haha. Well... I guess we're trying to keep it simple. We want to use a small value for some fun.
19:52:07BigBitz:If you're bored we are going to run another raffle with a bigger prize you could design something slicker for that :)
19:53:52gmaxwell:I don't consider raffles terribly interesting! (also, complexity is generally bad news)
19:55:11BigBitz:I didn't think you would heh. It's just to try and shake things up a little. A giveaway for some fun.