00:03:42pigeons_:pigeons_ is now known as Guest15943
00:07:40jaromil_:jaromil_ is now known as jaromil
00:07:45Pan0ram1x_:Pan0ram1x_ is now known as Pan0ram1x
00:07:47K1773R_:K1773R_ is now known as K1773R
00:07:52CryptOprah_:CryptOprah_ is now known as CryptOprah
00:08:07Pan0ram1x:Pan0ram1x is now known as Guest53956
00:11:59[\\\\]:[\\\\] is now known as [\\\]
00:26:52Guest15943:Guest15943 is now known as pigeons
00:32:50luke-jr_:luke-jr_ is now known as Luke-Jr
03:27:52phantomcircuit_:phantomcircuit_ is now known as phantomcircuit
03:28:22EasyAt_:EasyAt_ is now known as EasyAt
03:28:41justanot1eruser:Will sidechains really be able to arbitrarily have things like scrypt? Seems like scrypt would have to be a predefined sidechain option, or the definition of the sidechain rules would be very big and cause bloat
03:29:53justanot1eruser:And if it's not in the transaction, it would have to be in the SPV proof
03:30:08justanot1eruser:perhaps there is a better way to do this that I'm missing.
04:20:28andytoshi:you'd have a translator sidechain that knows the rules for sha256d and the rules for scrypt, and translates between them somehow
04:21:16andytoshi:s/somehow/by virtue of allowing transfers to sha256d chains as well as transfers to scrypt ones/
04:23:38tacotime:somewhat dumb question: why do uncompressed pubkeys serialize to 65 bytes instead of 64? X and Y together are only 64 bytes
04:25:44tacotime:nm, found the answer
04:37:16justanot1eruser:andytoshi: wouldn't the spv proof for the 2nd level sidechain need to be in the mainchain anyways?
04:40:20andytoshi:no, you'd have to redeem to the translator chain before redeeming to the mainchain
04:42:13andytoshi:as far as the mainchain would be aware, you moved the coins to the translator chain. it doesn't know or care that you later move that same coin to some scrypt chain and beyond
04:46:06justanot1eruser:and the translator chain contains the data to make scrypt possible?
04:50:28andytoshi:it'd be sufficient if the translator chain was sha256d-mined but understood scrypt spv proofs
04:50:42andytoshi:and if that was literally all that the translator chain did
04:52:34justanot1eruser:Have PoS sidechains been discussed?
05:01:15BlueMatt:justanot1eruser: why would you do that?
05:02:08BlueMatt:of course I dont have any idea why the hell you'd want to do a scrypt sidechain either
05:02:11justanot1eruser:BlueMatt: because it may be more secure
05:02:17justanot1eruser:BlueMatt: I don't want a scrypt sidechain
05:02:29justanot1eruser:I was just using that as an example
05:03:20andytoshi:on a high level, the story is the same ... just need a translator chain that understands the PoS proofs
05:03:26andytoshi:but what PoS proofs look like idk
05:04:01andytoshi:i expect they'd have to be totally trust-based because every proof would be forgeable by standard nothing-at-stake
05:04:12justanot1eruser:anyways, I wanted to discuss PoS sidechains because I don't think PoS in currencies has been discussed much (at least from what I've seen) other than PoS for bootstrapping distributed consensus
05:04:36kanzure:PoS isn't just for bootstrapping
05:04:43justanot1eruser:andytoshi: would they? You know I am referring to PoS-in-mainchain
05:04:54justanot1eruser:kanzure: "PoS in currencies"
05:05:01justanot1eruser:I meant to secure currencies
05:05:21andytoshi:justanot1eruser: i'd have to think about that
05:05:36andytoshi:it's a neat idea, pseudo
05:06:10andytoshi:psudo-centralized sidechain to avoid scaling issues with the mainchain, has a different security model wrt history rewriting
05:06:13justanot1eruser:satoshi would constantly have 5% forging power
05:06:22andytoshi:yeah, sure
05:07:15andytoshi:i suspect the devil is in the details
05:07:41andytoshi:e.g. you can't conscript every mainchain participant, but you need to be sybil resistant somehow
05:08:08andytoshi:how do you deal with almost everybody not knowing/caring about individual sidechains?
05:08:55BlueMatt:justanot1eruser: yes, because most people have concluded that PoS is largely useless
05:09:58BlueMatt:wasnt there a case where someone did a huge reorg on a PoS chain because they had legitimately (ie because they were hacked) lost money?
05:10:18BlueMatt:putting mining power in the hands of an economic majority doesnt make all that much sense...
05:10:50BlueMatt:sure, there may be specific cases where it makes sense, but in those cases you can possibly just trust the economic majority...no need for any consensus
05:12:42andytoshi:i think if you could come up with unilateral withdrawal you could have a chain with these ephemeral pos sidechains that only work until trust breaks down, then cleanly reabsorb into the main chain
05:12:59andytoshi:where the benefit of the sidechain is, people not participating don't have to track it, you get a bit of privacy and scalability
05:13:18andytoshi:but that's a pretty enormous if :P
05:15:05BlueMatt:andytoshi: hmm? I'm confused as to how thats useful
05:15:38BlueMatt:and, yes, sure, on a tertiary chain you can do whatever you want, including unilateral withdraw to a secondary chain
05:15:58justanot1eruser:BlueMatt: PoS isn't largely usless
05:16:10justanot1eruser:bootstrapping consensus through PoS is though
05:16:30BlueMatt:this is the conclusion I've seen a lot of people come to, and I havent seen a particularly useful case yet...
05:17:20justanot1eruser:BlueMatt: How about this for a useful case: PoS to stop spam
05:17:39justanot1eruser:I can only use the stake once per day
05:18:08justanot1eruser:I don't think most have come to the conclusion that PoS is completely useless
05:18:23BlueMatt:stop spam??? how does the consensus algorithm have anything to do with spam?
05:18:55BlueMatt:justanot1eruser: go read bitcoin.ninja, please
05:19:02justanot1eruser:the point is that PoS isn't just a consensus algorithm
05:19:21BlueMatt:sure, well then its an entirely different thing
05:19:34justanot1eruser:It's still PoS
05:19:48BlueMatt:well, sure, but normally when people refer to PoS, they mean as consensus
05:19:53justanot1eruser:BlueMatt: I'm pretty sure you're referring to PoS.pdf
05:22:00justanot1eruser:the conclusion of that paper isn't that PoS is useless, rather that it is useless to bootstrap consensus
05:22:29justanot1eruser:I am discussing consensus, just not bootstrapping consensus
05:22:45justanot1eruser:the consensus is still backed by PoW through the mainchain
05:24:51justanot1eruser:andytoshi: The question is "how profitable is caring about these sidechains"
05:25:00justanot1eruser:and miners face the same problem
05:27:16justanot1eruser:I suppose that, unlike mining, there isn't a loss if you are passive and don't forge
05:28:15BlueMatt:justanot1eruser: wait, I'm confused...you want to have what on the sidechain?
05:28:34justanot1eruser:BlueMatt: PoS-in-mainchain
05:28:35BlueMatt:you want to have the sidechain export consensus to the mainchain and then have the sidechain have PoS consensus?
05:29:07BlueMatt:you want bitcoin to use PoS???
05:29:41justanot1eruser:I want to discuss whether a bitcoin sidechain using PoS would be useful since it doesn't have the NaS problem
05:29:56BlueMatt:where do you want to use PoS?
05:30:01justanot1eruser:the sidechain...
05:30:05BlueMatt:for consensus?
05:30:56BlueMatt:how does it not have the NaS problem?
05:31:17BlueMatt:you still have new coins coming into this merged-mined chain with PoS work adjustment
05:31:44justanot1eruser:I don't see how new coins coming in changes anything
05:32:08justanot1eruser:creating alternative histories involves creating alternative histories in the mainchain which is secured by PoW
05:33:13justanot1eruser:Which is why it shouldn't hvae the NaS problem
05:33:48BlueMatt:not really...so you start with a sidechain that is standard PoW to give us flexibility, you then create a PoS sidechain pegged to that PoW chain...the PoW chain starts with X coinse (we dont really care), and the PoS chain starts with 0...now some individual moves X/Y coins to the PoS chain and they own all the coins in that chain
05:34:18BlueMatt:later, they want to create a false history, how can they not?
05:34:26justanot1eruser:BlueMatt: having coins in the sidechain doesn't give you more stake in the sidechain
05:35:23BlueMatt:ahh, so you're doing PoS of total coins? so how does that not result in a similar issue anyway? you had X coins in bitcoin at date X after the creation of these chains, why cant you create a false history after that?
05:36:03justanot1eruser:because the mainchain is secured by PoW
05:36:10justanot1eruser:and I'm doing PoS-in-mainchain like I said
05:36:50BlueMatt:yea, sure, so at date X I had Y coins in the mainchain (and still have those now), why cant I reorg the PoS chain using that?
05:38:10BlueMatt:why do you want to export consensus to the economic majority anyway???
05:38:18BlueMatt:I never quite understood the purpose here
05:38:29BlueMatt:PoW has issues, but PoS doesnt address those
05:39:03justanot1eruser:I want to discuss exporting consensus to an economic majority
05:39:12justanot1eruser:I am not set on using an economic majority at all
05:42:20justanot1eruser:and that would leave us with my last comment 01:27 < justanot1eruser> I suppose that, unlike mining, there isn't a loss if you are passive and don't forge
05:43:02justanot1eruser:and I would add to that "however, 51% is much more expensive assuming a large number of active forgers"
07:20:23sl01_:wondering if the ripple consensus whitepaper (https://ripple.com/files/ripple_consensus_whitepaper.pdf) changed anyones thinking on ripple in general? personally I didn't get much additional insight out of it
07:20:27sl01_:sl01_ is now known as sl01
08:05:16orwell.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
08:05:16orwell.freenode.net:Users on #bitcoin-wizards: andy-logbot cbeams damethos lclc mappum copumpkin CoinMuncher moa eslbaer mortale p15 OneFixt TheSeven justanot1eruser Dr-G3 ebfull harrow tacotime todaystomorrow mkarrer Krellan K1773R nsh- phantomcircuit Guest53956 CryptOprah pigeons EasyAt Alanius_ iddo_ cfields nickler_ gwollon Luke-Jr [\\\] Starduster_ Hunger- Ursium zooko bsm117532 grandmaster2 azariah4 samson_ wiretapped bobke_ drawingthesun starsocceraway midnightmagic mr_burdell Graet
08:05:16orwell.freenode.net:Users on #bitcoin-wizards: tromp HM CodeShark Logicwax maaku gavinandresen fanquake melvster atgreen SDCDev super3 Adohgg polyclef HaltingState2 Muis LarsLarsen1 Sangheili Keefe Anduck xenogis zling_____ michagogo Eliel helo andytoshi crescendo epscy zibbo waxwing tromp_ grubles mmozeiko Guest50253 koshii_ Transisto [Derek] asoltys berndj-blackout BlueMatt digitalmagus7 sl01 dgenr8 weex Iriez abc56889 nuke1989 espes__ lechuga__ jgarzik altoz SomeoneWeird bbrittain
08:05:16orwell.freenode.net:Users on #bitcoin-wizards: nanotube jchp rs0 davidlatapie Guest78271 hollandais grishnakh DougieBot5000 jbenet quackgyver poggy_ TD-Linux gmaxwell Meeh a5m0 BigBitz shesek tjopper spinza catcow amiller Fistful_of_Coins dansmith_btc DoctorBTC danneu2 pi07r LaptopZZ_ postpre Dyaheon- burcin optimator_ jcorgan [d__d] ryan-c kanzure petertodd UukGoblin wizkid057 kinlo so @ChanServ Apocalyptic lianj wumpus nkuttler Ken` BrainOverfl0w throughnothing sipa jaromil chocah warren
08:05:16orwell.freenode.net:Users on #bitcoin-wizards: artifexd pajarillo comboy roasbeef gribble Guest10516 phedny
08:11:48midnightmagic:sl01: Abstract translation: "We show that the trust required in these subnetworks is in fact minimal and can be further reduced by trusting other nodes."
08:17:41gmaxwell:sl01: I'm glad they started attempting to answer the most basic questions about their consensus model that I asked almost two years ago, https://bitcointalk.org/index.php?topic=144471.msg1551096#msg1551096
08:17:55gmaxwell:but their answers seem weird to me
08:18:43gmaxwell:For example, they claim that if the overlap between cliques is large enough there cannot be a fork, even if the overlap is constructed from faulty nodes.
08:19:17gmaxwell:the connectivity of the two cliques surpasses 0.2 ∗ ntotal ,
08:19:18gmaxwell:then a fork is no longer possible, as disagreement be-
08:19:18gmaxwell:tween the cliques would prevent consensus from being
08:19:22gmaxwell:reached at the 80% agreement threshold that is required."
08:19:48gmaxwell:t is interesting to note that no assumptions are made
08:19:49gmaxwell:about the nature of the intersecting nodes. The intersec-
08:19:49gmaxwell:tion of two UNLs may include faulty nodes, but so long
08:19:49gmaxwell:as the size of the intersection is larger than the bound
08:19:49gmaxwell:required to guarantee agreement, and the total number
08:19:51gmaxwell:of faulty nodes is less than the bound required to satisfy
08:19:53gmaxwell:strong correctness, then both correctness and agreement
08:19:56gmaxwell:will be achieved.
08:20:22gmaxwell:But I don't see how this can be so. Because a faulty node could falsely be claiming to agree with both states.
08:22:05gmaxwell:E.g. take figure 2 and make at least one node on each edges that connect the cliques faulty.
08:22:35gmaxwell:other things in it are disappointly sloppy, e.g. claims like
08:22:36gmaxwell:Even if the UNL
08:22:36gmaxwell:has a relatively large pc , say 15%, the probability of
08:22:36gmaxwell:correctness is extremely high even with only 200 nodes
08:22:36gmaxwell:in the UNL
08:23:05gmaxwell:Probablity as a function of nodes? huh? there are other unstated assumptions here— or that claim is just nonsense.
08:23:20gmaxwell:For example, I can give you a UNL that consists of 200 entries— me and my 199 sockpuppets.
08:23:52gmaxwell:The probablity of correctness is zero. And yet the list has 200 entries.
08:24:52gmaxwell:And yet the paper claims "97.8%", there must be some assumption about the attackers capacity for being in the list; yet I'm missing it if they've disclosed it.
08:31:24gmaxwell:in any case, I'm not sure it changes my view much other than slightly reducing my estimate that they end up with a defective UNL topology that causes a consensus split without even a single malicious/faulty node.
08:32:19gmaxwell:(though such an outcome is possible, and they've described no operational procedure to prevent it— ... but at least now I think they have some idea of what situations they can happen in— a year ago I don't think they had any idea)
08:55:55sl01:thanks for the thoughts
08:57:46bobke_:bobke_ is now known as bobke
09:27:56phantomcircuit:gmaxwell, otherwise known as "sybil?? what's that?"
10:56:12wallet421:wallet421 is now known as wallet42
12:05:20fanquake:fanquake has left #bitcoin-wizards
13:15:17hearn_:hearn_ is now known as hearn
13:47:30iddo_:iddo_ is now known as iddo
16:34:13hearn_:hearn_ is now known as hearn
17:03:50cbeams_:cbeams_ is now known as cbeams
17:37:17Guyver2:Guyver2 has left #bitcoin-wizards
18:27:45starsocceraway:starsocceraway is now known as starsoccer
19:43:35gmaxwell:gmaxwell is now known as gregorymaxwell
19:44:13gregorymaxwell:gregorymaxwell is now known as gmaxwell
22:13:01Eliel:gmaxwell: the 200 node UNL case. The way it reads to me is that if you assume each chosen node has 15% propability to be colluding against you, the propability of strong correctness with the resulting UNL is 97.8%
22:14:33Eliel:So, the assumption is that whoever is choosing the nodes in the UNL is trying to avoid choosing nodes that might collude, but is only able to avoid that in 85% of the cases.
22:16:58gmaxwell:Eliel: OK. There isn't an assumption of a single UNL however. I'm unclear about how that addresses what other nodes choose in their own UNLs.
22:18:21Eliel:I expect that'd probably go into the pc variable.
22:18:38Eliel:since a badly chosen UNL leads to you being one of the colluding nodes, whether willing or not
22:19:18gmaxwell:Yea, I gave a topology on bitcoin talk where 100% of your UNL is honest, and a majority of the network is honest, and yet it fails.
22:20:35gmaxwell:You can achieve the same with 20% as the fault tolerant example. Take the clique graphs from that paper. Make the two rightmost members of the left clique dishonest (or any combination on that edge), and you have a network that fails, even with only 20% faulty.
22:20:43Eliel:I think I might have seen it. It's pretty small though. The smallest UNL size that's hinted as being reliable in the paper I've seen so far (only partway through reading it) is 100.
22:22:42gmaxwell:It was an example— the same thing works at all scales.
22:22:59gmaxwell:Having a centerally controlled universal uniform UNL removes many of those issues, and thats the practice today.
22:24:46gmaxwell:My challenge to them back at the beginning of 2013 was to describe the necessary and sufficient criteria— other than a single centerally controlled list— for maintaining UNLs that doesn't result in degenerate topologies that will just fail spontaneously... they claim to have done that in the paper but at least part of their claim seems obviously wrong to me.
22:25:01Eliel:I guess they'd need to come up with some network topology mapping tools that can be used to identify weak points in the network. Then any weaknesses will become public knowledge and will, hopefully, be fixed fast.
22:27:30gmaxwell:It's much harder to figure out weakness when you allow for malicious nodes. I wasted some time on this and could only come up with algorithims that had exponential complexity. (This was assuming you had perfect knoweldge of the topology, of course, it's intractable if you don't know the topo. I don't know if the protocol has any facility to discover the topo. At least on the clients your UNL appears to be private)
22:29:23Eliel:Yes, public topology makes attacking quite a bit easier too.
23:00:34Eliel:Although, I suspect an individual node can get significant hints about it's surrounding topology by creating test transactions and only sending it out to one node in it's UNL. So, if a strategy for improving the cohesion in the network can be based around this kind of probing, it could result in a stronger network without revealing the whole topology to would be attackers.
23:07:59gmaxwell:I don't think that helps much when you consider the possibility of byzantine nodes that are selectively faulty. E.g. if you know the topo you can consider every combination of permitted byzantine nodes and ask if the topology is still convergent... but just checking your local topology can't help unless you can promise the trust graph has special structure.
23:20:22nsh:nsh is now known as cackplanz
23:20:45Eliel:Well, mostly it could only potentially help to reduce weak links between cliques like in the example pictures.
23:22:16Eliel:It'd probably be more useful as a way to search for far-away nodes as potential additional UNL candidates.
23:22:45cackplanz:cackplanz is now known as nsh
23:46:15Adohgg:Adohgg is now known as P_DIDDY
23:47:08P_DIDDY:P_DIDDY is now known as Adohgg