00:03:42 | pigeons_: | pigeons_ is now known as Guest15943 |
00:07:40 | jaromil_: | jaromil_ is now known as jaromil |
00:07:45 | Pan0ram1x_: | Pan0ram1x_ is now known as Pan0ram1x |
00:07:47 | K1773R_: | K1773R_ is now known as K1773R |
00:07:52 | CryptOprah_: | CryptOprah_ is now known as CryptOprah |
00:08:07 | Pan0ram1x: | Pan0ram1x is now known as Guest53956 |
00:11:59 | [\\\\]: | [\\\\] is now known as [\\\] |
00:26:52 | Guest15943: | Guest15943 is now known as pigeons |
00:32:50 | luke-jr_: | luke-jr_ is now known as Luke-Jr |
03:27:52 | phantomcircuit_: | phantomcircuit_ is now known as phantomcircuit |
03:28:22 | EasyAt_: | EasyAt_ is now known as EasyAt |
03:28:41 | justanot1eruser: | Will sidechains really be able to arbitrarily have things like scrypt? Seems like scrypt would have to be a predefined sidechain option, or the definition of the sidechain rules would be very big and cause bloat |
03:29:53 | justanot1eruser: | And if it's not in the transaction, it would have to be in the SPV proof |
03:30:08 | justanot1eruser: | perhaps there is a better way to do this that I'm missing. |
04:20:28 | andytoshi: | you'd have a translator sidechain that knows the rules for sha256d and the rules for scrypt, and translates between them somehow |
04:21:16 | andytoshi: | s/somehow/by virtue of allowing transfers to sha256d chains as well as transfers to scrypt ones/ |
04:23:38 | tacotime: | somewhat dumb question: why do uncompressed pubkeys serialize to 65 bytes instead of 64? X and Y together are only 64 bytes |
04:25:44 | tacotime: | nm, found the answer |
04:25:44 | tacotime: | https://bitcointalk.org/index.php?topic=42384.0 |
04:37:16 | justanot1eruser: | andytoshi: wouldn't the spv proof for the 2nd level sidechain need to be in the mainchain anyways? |
04:40:20 | andytoshi: | no, you'd have to redeem to the translator chain before redeeming to the mainchain |
04:42:13 | andytoshi: | as far as the mainchain would be aware, you moved the coins to the translator chain. it doesn't know or care that you later move that same coin to some scrypt chain and beyond |
04:46:06 | justanot1eruser: | and the translator chain contains the data to make scrypt possible? |
04:50:10 | andytoshi: | yeah |
04:50:28 | andytoshi: | it'd be sufficient if the translator chain was sha256d-mined but understood scrypt spv proofs |
04:50:42 | andytoshi: | and if that was literally all that the translator chain did |
04:52:34 | justanot1eruser: | Have PoS sidechains been discussed? |
05:01:15 | BlueMatt: | justanot1eruser: why would you do that? |
05:02:08 | BlueMatt: | of course I dont have any idea why the hell you'd want to do a scrypt sidechain either |
05:02:11 | justanot1eruser: | BlueMatt: because it may be more secure |
05:02:17 | justanot1eruser: | BlueMatt: I don't want a scrypt sidechain |
05:02:29 | justanot1eruser: | I was just using that as an example |
05:03:20 | andytoshi: | on a high level, the story is the same ... just need a translator chain that understands the PoS proofs |
05:03:26 | andytoshi: | but what PoS proofs look like idk |
05:04:01 | andytoshi: | i expect they'd have to be totally trust-based because every proof would be forgeable by standard nothing-at-stake |
05:04:12 | justanot1eruser: | anyways, I wanted to discuss PoS sidechains because I don't think PoS in currencies has been discussed much (at least from what I've seen) other than PoS for bootstrapping distributed consensus |
05:04:36 | kanzure: | PoS isn't just for bootstrapping |
05:04:43 | justanot1eruser: | andytoshi: would they? You know I am referring to PoS-in-mainchain |
05:04:54 | justanot1eruser: | kanzure: "PoS in currencies" |
05:05:01 | justanot1eruser: | I meant to secure currencies |
05:05:21 | andytoshi: | justanot1eruser: i'd have to think about that |
05:05:36 | andytoshi: | it's a neat idea, pseudo |
05:06:10 | andytoshi: | psudo-centralized sidechain to avoid scaling issues with the mainchain, has a different security model wrt history rewriting |
05:06:13 | justanot1eruser: | satoshi would constantly have 5% forging power |
05:06:22 | andytoshi: | yeah, sure |
05:07:15 | andytoshi: | i suspect the devil is in the details |
05:07:30 | justanot1eruser: | indeed |
05:07:41 | andytoshi: | e.g. you can't conscript every mainchain participant, but you need to be sybil resistant somehow |
05:08:08 | andytoshi: | how do you deal with almost everybody not knowing/caring about individual sidechains? |
05:08:55 | BlueMatt: | justanot1eruser: yes, because most people have concluded that PoS is largely useless |
05:09:58 | BlueMatt: | wasnt there a case where someone did a huge reorg on a PoS chain because they had legitimately (ie because they were hacked) lost money? |
05:10:18 | BlueMatt: | putting mining power in the hands of an economic majority doesnt make all that much sense... |
05:10:50 | BlueMatt: | sure, there may be specific cases where it makes sense, but in those cases you can possibly just trust the economic majority...no need for any consensus |
05:12:42 | andytoshi: | i think if you could come up with unilateral withdrawal you could have a chain with these ephemeral pos sidechains that only work until trust breaks down, then cleanly reabsorb into the main chain |
05:12:59 | andytoshi: | where the benefit of the sidechain is, people not participating don't have to track it, you get a bit of privacy and scalability |
05:13:18 | andytoshi: | but that's a pretty enormous if :P |
05:15:05 | BlueMatt: | andytoshi: hmm? I'm confused as to how thats useful |
05:15:38 | BlueMatt: | and, yes, sure, on a tertiary chain you can do whatever you want, including unilateral withdraw to a secondary chain |
05:15:58 | justanot1eruser: | BlueMatt: PoS isn't largely usless |
05:16:10 | justanot1eruser: | bootstrapping consensus through PoS is though |
05:16:30 | BlueMatt: | this is the conclusion I've seen a lot of people come to, and I havent seen a particularly useful case yet... |
05:17:20 | justanot1eruser: | BlueMatt: How about this for a useful case: PoS to stop spam |
05:17:39 | justanot1eruser: | I can only use the stake once per day |
05:18:08 | justanot1eruser: | I don't think most have come to the conclusion that PoS is completely useless |
05:18:23 | BlueMatt: | stop spam??? how does the consensus algorithm have anything to do with spam? |
05:18:49 | justanot1eruser: | ... |
05:18:55 | BlueMatt: | justanot1eruser: go read bitcoin.ninja, please |
05:19:02 | justanot1eruser: | the point is that PoS isn't just a consensus algorithm |
05:19:21 | BlueMatt: | sure, well then its an entirely different thing |
05:19:34 | justanot1eruser: | It's still PoS |
05:19:48 | BlueMatt: | well, sure, but normally when people refer to PoS, they mean as consensus |
05:19:53 | justanot1eruser: | BlueMatt: I'm pretty sure you're referring to PoS.pdf |
05:22:00 | justanot1eruser: | the conclusion of that paper isn't that PoS is useless, rather that it is useless to bootstrap consensus |
05:22:29 | justanot1eruser: | I am discussing consensus, just not bootstrapping consensus |
05:22:45 | justanot1eruser: | the consensus is still backed by PoW through the mainchain |
05:24:51 | justanot1eruser: | andytoshi: The question is "how profitable is caring about these sidechains" |
05:25:00 | justanot1eruser: | and miners face the same problem |
05:27:16 | justanot1eruser: | I suppose that, unlike mining, there isn't a loss if you are passive and don't forge |
05:28:15 | BlueMatt: | justanot1eruser: wait, I'm confused...you want to have what on the sidechain? |
05:28:34 | justanot1eruser: | BlueMatt: PoS-in-mainchain |
05:28:35 | BlueMatt: | you want to have the sidechain export consensus to the mainchain and then have the sidechain have PoS consensus? |
05:28:39 | BlueMatt: | wtf? |
05:29:07 | BlueMatt: | you want bitcoin to use PoS??? |
05:29:41 | justanot1eruser: | I want to discuss whether a bitcoin sidechain using PoS would be useful since it doesn't have the NaS problem |
05:29:56 | BlueMatt: | where do you want to use PoS? |
05:30:01 | justanot1eruser: | the sidechain... |
05:30:05 | BlueMatt: | for consensus? |
05:30:11 | justanot1eruser: | yes |
05:30:56 | BlueMatt: | how does it not have the NaS problem? |
05:31:17 | BlueMatt: | you still have new coins coming into this merged-mined chain with PoS work adjustment |
05:31:22 | BlueMatt: | so... |
05:31:44 | justanot1eruser: | I don't see how new coins coming in changes anything |
05:32:08 | justanot1eruser: | creating alternative histories involves creating alternative histories in the mainchain which is secured by PoW |
05:33:13 | justanot1eruser: | Which is why it shouldn't hvae the NaS problem |
05:33:48 | BlueMatt: | not really...so you start with a sidechain that is standard PoW to give us flexibility, you then create a PoS sidechain pegged to that PoW chain...the PoW chain starts with X coinse (we dont really care), and the PoS chain starts with 0...now some individual moves X/Y coins to the PoS chain and they own all the coins in that chain |
05:34:18 | BlueMatt: | later, they want to create a false history, how can they not? |
05:34:26 | justanot1eruser: | BlueMatt: having coins in the sidechain doesn't give you more stake in the sidechain |
05:35:23 | BlueMatt: | ahh, so you're doing PoS of total coins? so how does that not result in a similar issue anyway? you had X coins in bitcoin at date X after the creation of these chains, why cant you create a false history after that? |
05:36:03 | justanot1eruser: | because the mainchain is secured by PoW |
05:36:10 | justanot1eruser: | and I'm doing PoS-in-mainchain like I said |
05:36:50 | BlueMatt: | yea, sure, so at date X I had Y coins in the mainchain (and still have those now), why cant I reorg the PoS chain using that? |
05:38:10 | BlueMatt: | why do you want to export consensus to the economic majority anyway??? |
05:38:18 | BlueMatt: | I never quite understood the purpose here |
05:38:29 | BlueMatt: | PoW has issues, but PoS doesnt address those |
05:39:03 | justanot1eruser: | I want to discuss exporting consensus to an economic majority |
05:39:12 | justanot1eruser: | I am not set on using an economic majority at all |
05:42:20 | justanot1eruser: | and that would leave us with my last comment 01:27 < justanot1eruser> I suppose that, unlike mining, there isn't a loss if you are passive and don't forge |
05:43:02 | justanot1eruser: | and I would add to that "however, 51% is much more expensive assuming a large number of active forgers" |
07:20:23 | sl01_: | wondering if the ripple consensus whitepaper (https://ripple.com/files/ripple_consensus_whitepaper.pdf) changed anyones thinking on ripple in general? personally I didn't get much additional insight out of it |
07:20:27 | sl01_: | sl01_ is now known as sl01 |
08:05:16 | orwell.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
08:05:16 | orwell.freenode.net: | Users on #bitcoin-wizards: andy-logbot cbeams damethos lclc mappum copumpkin CoinMuncher moa eslbaer mortale p15 OneFixt TheSeven justanot1eruser Dr-G3 ebfull harrow tacotime todaystomorrow mkarrer Krellan K1773R nsh- phantomcircuit Guest53956 CryptOprah pigeons EasyAt Alanius_ iddo_ cfields nickler_ gwollon Luke-Jr [\\\] Starduster_ Hunger- Ursium zooko bsm117532 grandmaster2 azariah4 samson_ wiretapped bobke_ drawingthesun starsocceraway midnightmagic mr_burdell Graet |
08:05:16 | orwell.freenode.net: | Users on #bitcoin-wizards: tromp HM CodeShark Logicwax maaku gavinandresen fanquake melvster atgreen SDCDev super3 Adohgg polyclef HaltingState2 Muis LarsLarsen1 Sangheili Keefe Anduck xenogis zling_____ michagogo Eliel helo andytoshi crescendo epscy zibbo waxwing tromp_ grubles mmozeiko Guest50253 koshii_ Transisto [Derek] asoltys berndj-blackout BlueMatt digitalmagus7 sl01 dgenr8 weex Iriez abc56889 nuke1989 espes__ lechuga__ jgarzik altoz SomeoneWeird bbrittain |
08:05:16 | orwell.freenode.net: | Users on #bitcoin-wizards: nanotube jchp rs0 davidlatapie Guest78271 hollandais grishnakh DougieBot5000 jbenet quackgyver poggy_ TD-Linux gmaxwell Meeh a5m0 BigBitz shesek tjopper spinza catcow amiller Fistful_of_Coins dansmith_btc DoctorBTC danneu2 pi07r LaptopZZ_ postpre Dyaheon- burcin optimator_ jcorgan [d__d] ryan-c kanzure petertodd UukGoblin wizkid057 kinlo so @ChanServ Apocalyptic lianj wumpus nkuttler Ken` BrainOverfl0w throughnothing sipa jaromil chocah warren |
08:05:16 | orwell.freenode.net: | Users on #bitcoin-wizards: artifexd pajarillo comboy roasbeef gribble Guest10516 phedny |
08:11:48 | midnightmagic: | sl01: Abstract translation: "We show that the trust required in these subnetworks is in fact minimal and can be further reduced by trusting other nodes." |
08:17:41 | gmaxwell: | sl01: I'm glad they started attempting to answer the most basic questions about their consensus model that I asked almost two years ago, https://bitcointalk.org/index.php?topic=144471.msg1551096#msg1551096 |
08:17:55 | gmaxwell: | but their answers seem weird to me |
08:18:43 | gmaxwell: | For example, they claim that if the overlap between cliques is large enough there cannot be a fork, even if the overlap is constructed from faulty nodes. |
08:19:17 | gmaxwell: | "If |
08:19:17 | gmaxwell: | the connectivity of the two cliques surpasses 0.2 ∗ ntotal , |
08:19:18 | gmaxwell: | then a fork is no longer possible, as disagreement be- |
08:19:18 | gmaxwell: | tween the cliques would prevent consensus from being |
08:19:22 | gmaxwell: | reached at the 80% agreement threshold that is required." |
08:19:46 | gmaxwell: | and |
08:19:48 | gmaxwell: | t is interesting to note that no assumptions are made |
08:19:49 | gmaxwell: | about the nature of the intersecting nodes. The intersec- |
08:19:49 | gmaxwell: | tion of two UNLs may include faulty nodes, but so long |
08:19:49 | gmaxwell: | as the size of the intersection is larger than the bound |
08:19:49 | gmaxwell: | required to guarantee agreement, and the total number |
08:19:51 | gmaxwell: | of faulty nodes is less than the bound required to satisfy |
08:19:53 | gmaxwell: | strong correctness, then both correctness and agreement |
08:19:56 | gmaxwell: | will be achieved. |
08:20:22 | gmaxwell: | But I don't see how this can be so. Because a faulty node could falsely be claiming to agree with both states. |
08:22:05 | gmaxwell: | E.g. take figure 2 and make at least one node on each edges that connect the cliques faulty. |
08:22:35 | gmaxwell: | other things in it are disappointly sloppy, e.g. claims like |
08:22:36 | gmaxwell: | Even if the UNL |
08:22:36 | gmaxwell: | has a relatively large pc , say 15%, the probability of |
08:22:36 | gmaxwell: | correctness is extremely high even with only 200 nodes |
08:22:36 | gmaxwell: | in the UNL |
08:23:05 | gmaxwell: | Probablity as a function of nodes? huh? there are other unstated assumptions here— or that claim is just nonsense. |
08:23:20 | gmaxwell: | For example, I can give you a UNL that consists of 200 entries— me and my 199 sockpuppets. |
08:23:52 | gmaxwell: | The probablity of correctness is zero. And yet the list has 200 entries. |
08:24:52 | gmaxwell: | And yet the paper claims "97.8%", there must be some assumption about the attackers capacity for being in the list; yet I'm missing it if they've disclosed it. |
08:31:24 | gmaxwell: | in any case, I'm not sure it changes my view much other than slightly reducing my estimate that they end up with a defective UNL topology that causes a consensus split without even a single malicious/faulty node. |
08:32:19 | gmaxwell: | (though such an outcome is possible, and they've described no operational procedure to prevent it— ... but at least now I think they have some idea of what situations they can happen in— a year ago I don't think they had any idea) |
08:55:55 | sl01: | thanks for the thoughts |
08:57:46 | bobke_: | bobke_ is now known as bobke |
09:27:56 | phantomcircuit: | gmaxwell, otherwise known as "sybil?? what's that?" |
10:56:12 | wallet421: | wallet421 is now known as wallet42 |
12:05:20 | fanquake: | fanquake has left #bitcoin-wizards |
13:15:17 | hearn_: | hearn_ is now known as hearn |
13:47:30 | iddo_: | iddo_ is now known as iddo |
16:34:13 | hearn_: | hearn_ is now known as hearn |
17:03:50 | cbeams_: | cbeams_ is now known as cbeams |
17:37:17 | Guyver2: | Guyver2 has left #bitcoin-wizards |
18:27:45 | starsocceraway: | starsocceraway is now known as starsoccer |
19:43:35 | gmaxwell: | gmaxwell is now known as gregorymaxwell |
19:44:13 | gregorymaxwell: | gregorymaxwell is now known as gmaxwell |
22:13:01 | Eliel: | gmaxwell: the 200 node UNL case. The way it reads to me is that if you assume each chosen node has 15% propability to be colluding against you, the propability of strong correctness with the resulting UNL is 97.8% |
22:14:33 | Eliel: | So, the assumption is that whoever is choosing the nodes in the UNL is trying to avoid choosing nodes that might collude, but is only able to avoid that in 85% of the cases. |
22:16:58 | gmaxwell: | Eliel: OK. There isn't an assumption of a single UNL however. I'm unclear about how that addresses what other nodes choose in their own UNLs. |
22:18:21 | Eliel: | I expect that'd probably go into the pc variable. |
22:18:38 | Eliel: | since a badly chosen UNL leads to you being one of the colluding nodes, whether willing or not |
22:19:18 | gmaxwell: | Yea, I gave a topology on bitcoin talk where 100% of your UNL is honest, and a majority of the network is honest, and yet it fails. |
22:20:35 | gmaxwell: | You can achieve the same with 20% as the fault tolerant example. Take the clique graphs from that paper. Make the two rightmost members of the left clique dishonest (or any combination on that edge), and you have a network that fails, even with only 20% faulty. |
22:20:43 | Eliel: | I think I might have seen it. It's pretty small though. The smallest UNL size that's hinted as being reliable in the paper I've seen so far (only partway through reading it) is 100. |
22:22:42 | gmaxwell: | It was an example— the same thing works at all scales. |
22:22:59 | gmaxwell: | Having a centerally controlled universal uniform UNL removes many of those issues, and thats the practice today. |
22:24:46 | gmaxwell: | My challenge to them back at the beginning of 2013 was to describe the necessary and sufficient criteria— other than a single centerally controlled list— for maintaining UNLs that doesn't result in degenerate topologies that will just fail spontaneously... they claim to have done that in the paper but at least part of their claim seems obviously wrong to me. |
22:25:01 | Eliel: | I guess they'd need to come up with some network topology mapping tools that can be used to identify weak points in the network. Then any weaknesses will become public knowledge and will, hopefully, be fixed fast. |
22:27:30 | gmaxwell: | It's much harder to figure out weakness when you allow for malicious nodes. I wasted some time on this and could only come up with algorithims that had exponential complexity. (This was assuming you had perfect knoweldge of the topology, of course, it's intractable if you don't know the topo. I don't know if the protocol has any facility to discover the topo. At least on the clients your UNL appears to be private) |
22:29:23 | Eliel: | Yes, public topology makes attacking quite a bit easier too. |
23:00:34 | Eliel: | Although, I suspect an individual node can get significant hints about it's surrounding topology by creating test transactions and only sending it out to one node in it's UNL. So, if a strategy for improving the cohesion in the network can be based around this kind of probing, it could result in a stronger network without revealing the whole topology to would be attackers. |
23:07:59 | gmaxwell: | I don't think that helps much when you consider the possibility of byzantine nodes that are selectively faulty. E.g. if you know the topo you can consider every combination of permitted byzantine nodes and ask if the topology is still convergent... but just checking your local topology can't help unless you can promise the trust graph has special structure. |
23:20:22 | nsh: | nsh is now known as cackplanz |
23:20:45 | Eliel: | Well, mostly it could only potentially help to reduce weak links between cliques like in the example pictures. |
23:22:16 | Eliel: | It'd probably be more useful as a way to search for far-away nodes as potential additional UNL candidates. |
23:22:45 | cackplanz: | cackplanz is now known as nsh |
23:46:15 | Adohgg: | Adohgg is now known as P_DIDDY |
23:47:08 | P_DIDDY: | P_DIDDY is now known as Adohgg |