00:13:01 | irc.freenode.net: | Disconnected from irc.freenode.net (Connection reset by peer) |
00:14:15 | weber.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
00:14:15 | weber.freenode.net: | Users on #bitcoin-wizards: andy-logbot jgarzik go1111111 execut3 Keefe_ waxwing__ justanotheruser fanquake DougieBot5000 nsh adam3us moa SDCDev Ursium_ jchp Starduster_ Graftec MoALTz RoboTeddy Burrito tromp__ bsm117532 pen smooth koshii DoctorBTC spinza quackgyver michagogo warren BigBitz realzies throughnothing_ Muis artifexd Fistful_of_coins comboy_ mappum grishnakh__ torsthaldo atgreen irclouis azariah4 llllllllll andytoshi sipa jaromil_ mortale todaystomorrow Hunger- |
00:14:15 | weber.freenode.net: | Users on #bitcoin-wizards: Dr-G HaltingState TheSeven ebfull dgenr8 melvster nuke1989 zibbo tromp_ fierbuq postpre mkarrer Alanius copumpkin alferz skinnkavaj pi07r bangsnap wiretapp1d forrestv Luke-Jr OneFixt harrow tacotime Krellan K1773R nsh- phantomcircuit CryptOprah pigeons EasyAt iddo cfields nickler_ gwillen [\\\] grandmaster2 samson_ bobke drawingthesun starsoccer midnightmagic mr_burdell Graet HM CodeShark Logicwax maaku Adohgg polyclef LarsLarsen1 Sangheili |
00:14:16 | weber.freenode.net: | Users on #bitcoin-wizards: Anduck xenogis zling_____ Eliel helo crescendo epscy mmozeiko Guest50253 Transisto [Derek] asoltys berndj-blackout BlueMatt digitalmagus7 sl01 weex Iriez abc56889 espes__ lechuga_ SomeoneWeird bbrittain nanotube rs0 davidlatapie Guest78271 hollandais jbenet poggy_ TD-Linux gmaxwell Meeh a5m0 tjopper catcow amiller dansmith_btc danneu LaptopZZ_ Dyaheon- burcin optimator_ jcorgan [d__d] ryan-c kanzure petertodd UukGoblin wizkid057 nkuttler wumpus |
00:14:16 | weber.freenode.net: | Users on #bitcoin-wizards: lianj Apocalyptic @ChanServ BrainOverfl0w pajarillo roasbeef gribble phedny so kinlo |
00:22:47 | gmaxwell: | andytoshi: What do you bet that OP_CAT thread gains more HelpfulSuggestions? |
00:47:03 | andytoshi: | hmm, so far it has mainly been the obvious ones ... plus a comment about "reenabling" opcodes |
00:47:18 | andytoshi: | gmaxwell: so i think maybe people aren't thinking too hard. so maybe not :) |
00:48:16 | gmaxwell: | andytoshi: I'm just continually slapping my forehead, like, people keep drifting into the grand bugzapper of "congrats, your proposal would have broken the network; perhaps you should believe me when I say it's not that easy?" |
08:32:28 | gmaxwell: | https://underhandedcrypto.com/ |
08:42:58 | nsh: | +1 |
08:43:23 | nsh: | surprised that didn't exist previously |
08:44:52 | gmaxwell: | though with the unauthenticated anonymous non-multisig donation address, perhaps it — itself — is a bit of an example of underhanded crypto. |
08:45:04 | nsh: | * nsh smiles |
09:06:17 | gmaxwell: | heh http://www.reddit.com/r/Bitcoin/comments/2fdluo/public_key_for_msgs_signed_by_coinkite_will_be/ck8soky?context=3 |
09:06:46 | petertodd: | gmaxwell: as official coinkite naysayer, I naysayed that... |
09:07:35 | gmaxwell: | I have no clue what coinkite is, didn't even follow the link. |
09:07:53 | gmaxwell: | Just acting out my peeve for pedants which aren't pedantically correct. |
09:07:57 | petertodd: | gmaxwell: wallet service |
09:14:15 | Keefe_: | Keefe_ is now known as Keefe |
09:26:16 | joss_: | joss_ has left #bitcoin-wizards |
10:04:07 | cbeams_: | cbeams_ is now known as cbeams |
10:14:00 | rfreeman_w: | rfreeman_w has left #bitcoin-wizards |
10:30:27 | waxwing__: | waxwing__ is now known as waxwing |
11:47:00 | nsh: | amiller, last year you talked about a feasible derivation of global security from local security against distance attackers through interaction-weighted chain-selection rules ( http://download.wpsoftware.net/bitcoin/wizards/2013/08/13-08-07.log ) |
11:47:08 | nsh: | did any of that ever get written up anywhere? |
14:14:16 | Pan0ram1x: | Pan0ram1x is now known as Guest95624 |
14:17:07 | Adohgg_: | Adohgg_ is now known as Adohgg |
16:30:06 | Alanius_: | Alanius_ is now known as Alanius |
18:03:57 | e4xit_: | e4xit_ is now known as e4xit |
19:04:29 | gmaxwell: | damn, almost came up with a way to implement lamport in existing SCRIPT but I still need op_substr. |
19:05:06 | gmaxwell: | get this though, you can get a 'hash' of the transaction as an element on script's stack: |
19:06:02 | gmaxwell: | make the scriptpubkey use checksig but require that the signature be some fixed value but allow the pubkey to be anything. Use pubkey recovery to find the relevant pubkey. The pubkey is now your message hash. |
19:06:10 | gmaxwell: | commence with OP_SUBSTR based lamport on that. |
19:33:22 | luke-jr_: | cute |
20:00:31 | jgarzik: | gmaxwell, Do we know what problem caused OP_SUBSTR to be disabled? |
20:01:08 | gmaxwell: | All operations which allocated memory were disabled except for DUP I believe. |
20:01:44 | gmaxwell: | Many of them obviously lead to exponential memory usage... though at the moment I don't see the problem with substr. |
20:02:15 | gmaxwell: | SUBSTR isn't enough to give you an especially efficient or elegant lamport implementation either. |
20:49:52 | jgarzik: | gmaxwell, yeah, I don't see the problem with substr either |
20:50:06 | jgarzik: | gmaxwell, just one temporary, which is .erase()'d progressively |
20:50:13 | jgarzik: | basically a DUP |
20:50:35 | jgarzik: | oh well. what's done is done. |
20:51:39 | jgarzik: | Just curious if there was a fundamental problem with OP_SUBSTR that I was overlooking. |
20:52:29 | gmaxwell: | well I'm wondering too, because I'd looked previously and convinced myself that all the disabled ones were actually doom. Maybe I just missed that one. |
20:52:37 | gmaxwell: | Lots of them were bad though, more than it seemed at first glance. |
20:53:13 | jgarzik: | yeah |
21:41:51 | andytoshi: | you can force the signed hash to be 1 using the sighash-single bug (force this by adding a CHECKSIG with a valid sig/pk of 1) ... then you have sorta an "invertible hash" sig <--> pk where if you provide one, the other is easily calculable, but you can't control the output just given the input |
21:42:13 | andytoshi: | unless you provide the sig and you know its k value, i think then you can control .. so there is a chameleon-hash like structure here |
21:43:49 | luke-jr_: | anyone know off-hand Ripple's launch date? |
21:43:54 | andytoshi: | no, even knowing k you can't control the pubkey that comes out of the sig, because there is a (k/r)G in there :/ damn |
21:45:08 | andytoshi: | oh, yes you can, you set s to be (r/k)N and then your signature is (N + 1/r)G, which you can set to any point you like :) |
21:47:28 | tacotime: | gmaxwell, https://bitcointalk.org/index.php?topic=583449.msg8677607#msg8677607 |
21:47:36 | tacotime: | really impressed by the complexity of the attack. |
21:48:10 | andytoshi: | wow, slick |
21:48:40 | gmaxwell: | That sounds like it was an intentional weakness in the hash. :( |
21:48:57 | tacotime: | yeah. now i'm really worried there are other things like it in the code. |
21:49:58 | andytoshi: | why do you guys say that? tacotime's post doesn't say anything about why these tx slots didn't factor into the merkle tree |
21:50:27 | andytoshi: | which i would have guessed was some stupid overflow bug in some loop, without knowing anything at all.. |
21:51:17 | tacotime: | well, the simple patch was this: https://github.com/cryptozoidberg/boolberry/commit/7b7325bdf1648a2141a182f23ae34a1e0b5063c4 |
21:51:39 | tacotime: | we did a cleaner one too: https://github.com/rfree2monero/bitmonero/commit/8f17999a87f4f1025e46cc940900a7bdea9747ce |
21:52:12 | tacotime: | but anyone who was stress testing the network should have seen this bug, i would guess. |
21:52:16 | tacotime: | long ago. |
21:54:06 | tacotime: | bytecoin, incidentally, was editing this bunch of code recently: https://github.com/amjuarez/bytecoin/blob/4363a9f1001893c80ee2435399836cfe43b3014e/src/crypto/tree-hash.c |
21:56:42 | nsh: | ooo, shenanigans |
21:57:10 | nsh: | bytecoin created artificial weaknesses to allow them to attack forks? |
21:57:33 | andytoshi: | i have no intuition for if this was deliberate |
21:57:47 | nsh: | * nsh leans towards whichever reality is more entertaining to imagine |
21:58:14 | midnightmagic: | 4363a9f1001893c80ee2435399836cfe43b3014e is a massive commit |
21:58:17 | nsh: | (ceteris paribus) |
21:58:25 | tacotime: | midnightmagic, yeah, they like to do that. |
21:58:48 | tacotime: | they changed their license so we wouldn't use their code either, but we don't really want to anymore. |
21:58:53 | tacotime: | given stuff like this happening. |
21:59:21 | midnightmagic: | Why can't you use GPL code? |
22:00:51 | midnightmagic: | holy crap that's a really really big checkin |
22:01:04 | tacotime: | there was something about having to update our MIT licenses and refactor them all that made it a pain in the ass. |
22:02:20 | luke-jr_: | … |
22:02:33 | andytoshi: | what is that `cnt` variable? |
22:02:52 | andytoshi: | is it a count? bitcoind and wizards-wallet have nothing like it in their merkle root calculations |
22:03:45 | tacotime: | yeah |
22:04:51 | gmaxwell: | It's hard to determine if it's intentional or not. The problem is that all subtle bugs have a shade of "how wasn't this intentional!?" |
22:05:12 | gmaxwell: | in the case of BCN the prior dishonesty creates a prior reason to doubt. |
22:05:17 | andytoshi: | this whole function seems really weird to me |
22:05:26 | gmaxwell: | the whole codebase is weird. |
22:05:48 | gmaxwell: | I was kinda happy to page through it, because it emphasized my worldview that the original bitcoin code was surprisingly good. |
22:05:54 | midnightmagic: | might just be people trying to be clever. one of satoshi's heap-traversals used bitlogic and was well-publicized by hearn as an example of the sorts of snags he bumped into when converting into bitcoinj. |
22:06:06 | midnightmagic: | cnt >>= 1; |
22:11:38 | jgarzik: | jgarzik is now known as home_jg |
22:13:30 | andytoshi: | wtf is this talking about https://bitcointalk.org/index.php?topic=764189.msg8677851#msg8677851 |
22:14:11 | andytoshi: | you can't use p2sh to create loops in script and i didn't even say anything about loops |
22:14:26 | gmaxwell: | That guy is kinda crazy, I have him on ignore to remind myself of that. |
22:14:47 | midnightmagic: | I must be missing something. How does this allocate > 0 bytes? ints = alloca((cnt - 1) * HASH_SIZE); ? cnt by then is 1 isn't it? |
22:16:18 | andytoshi: | i have no clue what `cnt` is at that point, the `cnt |= cnt >> i` loop looks like it's just smearing ones around |
22:16:52 | andytoshi: | then `cnt &= ~(cnt >> 1)` removes any 1's that aren't immediately next to another 1 |
22:16:55 | midnightmagic: | i just compiled a testbit with count=1 (which is the lower bound of assertion) which just ends up with cnt because i thought maybe I was reading the bitwise wrong |
22:17:14 | midnightmagic: | er cnt=1 by the time alloca() is called with it. |
22:17:30 | andytoshi: | oh, i am looking at the wrong fn |
22:17:44 | midnightmagic: | this is in tree_branch() |
22:18:53 | tacotime: | i gave up trying to follow the code the bytecoin guys wrote, it's a headache. they added that when they did multisig. |
22:19:06 | andytoshi: | still no clue what is going on, but every `cnt <<= i` will increase the value of `cnt` |
22:20:10 | midnightmagic: | right but not if count = 1. maybe there's something else in there that assures us that count is never 1.. |
22:20:34 | midnightmagic: | ehh whatever, i guess i don't care. |
22:21:06 | andytoshi: | tacotime: the code was sane before the giant aug 22 commit? |
22:21:15 | tacotime: | no, never. |
22:21:18 | andytoshi: | oh ok |
22:21:19 | tacotime: | it's horribly obfuscated. |
22:21:27 | tacotime: | all comments are stripped, too. |
22:21:36 | andytoshi: | this is deliberately obfuscated, i think the bugs were deliberate too |
22:21:38 | midnightmagic: | they're apple-like codedumps then |
22:21:41 | tacotime: | they accidentally left in one of them once, in russian. |
22:21:45 | andytoshi: | lol |
22:24:46 | gmaxwell: | yea, I glanced over the code when I first saw it — hit my WTF limit almost right away, locked it up in the tightest sandbox I had, on an isolated host that did nothing too important. I didn't suspect foul play though; it's just really common for privately developed code to be very hard to read. |
23:02:58 | gmaxwell: | with recent revelations, perhaps I should treat that host as compromised and trash it. |
23:04:38 | tacotime: | my old bytecoin daemon machine's was. can never hurt. |
23:05:45 | gmaxwell: | interesting. |
23:06:23 | kanzure: | i've lost more lxc/libcontainer containers than i can remember |
23:06:51 | kanzure: | i think sandboxes should be considered mandatory if they aren't already |