00:12:53Keefe_:Keefe_ is now known as Keefe
01:38:25realz:realz is now known as Guest7756
01:46:56jgarzik_:jgarzik_ is now known as jgarzik
03:02:20ghtdak:ghtdak has left #bitcoin-wizards
03:27:44Guest26703:Guest26703 is now known as gmaxwell
04:26:42gmaxwell:I was telling sipa, bluematt, maaku, and jtimon elsewhere today about brisque's bloom comments.. one thing I forgot to mention is that the same approach would be useful for making rescans faster.
04:26:59gmaxwell:or continuing to support rescans for pruned nodes.
05:23:44tacotime:gmaxwell: I added blinding, albeit in a sloppy way as I sign hsx concatenated with hsy https://github.com/monero-project/urs/blob/master/urs.go#L547-L752
05:23:50tacotime:with the ephemeral key
05:25:07tacotime:And it uses the URS scheme, so you generate two useless hsx, hsy values that consume an extra 256 bits but ehm
05:25:36tacotime:I need to change the comments too, tomorrow i guess.
05:27:17moa:tacotime: blind ringsign?
05:27:44tacotime:moa: refer to https://download.wpsoftware.net/bitcoin/wizardry/ringsig-blinding.txt
05:27:59moa:thnx, that was my next question :)
05:28:22tacotime:I also added the same Q to each pubkey, I didn't think it mattered and it saves space
05:28:43moa:any limit on the number of signers in the ring?
05:29:20tacotime:only internal ones from memory allowances in golang, so not really as far as i'm aware.
05:29:37moa:so physical not theoretical i guess
05:29:54moa:really really interesting
05:30:01tacotime:the signatures also scale linearly so, eventually they'll get big too
05:57:54Guest37774:Guest37774 is now known as SomeoneWeird
08:05:16kornbluth.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
08:05:16kornbluth.freenode.net:Users on #bitcoin-wizards: andy-logbot shesek Guyver2 nsh- ericp4 mapppum ebfull lclc drawingthesun copumpkin dgenr8 mortale melvster TheSeven Graftec eslbaer_ nuke1989 atgreen epscy Adohgg jaekwon mr_burdell zenojis Jason SDCDev moa prepost pajarillo cym qualiabyte BlueMatt koshii jchp jbenet bbrittain crescend1 jgarzik SomeoneWeird wiretapped bsm117532 zling______ go1111111 GAit waxwing cannon HM Guest10131 Emcy oujh Krellan phantomcircuit sl01 asoltys Sangheili
08:05:16kornbluth.freenode.net:Users on #bitcoin-wizards: azariah4 espes___ zibbo gmaxwell OneFixt samson2 Keefe Fistful_of_coins DoctorBTC grubles poggy harrow kmels spinza Hunger- Grishnakh Muis tromp [\\\] CryptOprah_ digitalmagus7 rs0 warren michagogo iddo btc_ licnep artifexd Dyaheon Taek42 cfields sipa Luke-Jr roasbeef berndj-blackout andytoshi Meeh mmozeiko Eliel eAndrius CodeShark throughnothing tacotime Guest47516 BigBitz Transisto K1773R Alanius_ nickler_ nanotube midnightmagic Logicwax
08:05:16kornbluth.freenode.net:Users on #bitcoin-wizards: mkarrer Starsoccer nsh tucenaber tromp__ LarsLarsen comboy jaromil pi07r ryan-c kanzure EasyAt gwillen BrainOverfl0w otoburb smooth pigeons bobke Anduck helo Guest50253 weex abc56889 lechuga_ TD-Linux a5m0 catcow amiller dansmith_btc danneu LaptopZZ_ burcin optimator_ jcorgan petertodd UukGoblin wizkid057 kinlo so phedny gribble nkuttler wumpus lianj Apocalyptic @ChanServ
08:06:17Jason:Jason has left #bitcoin-wizards
11:10:53amiller:https://ripple.com/forum/viewtopic.php?f=2&t=7801#p56432 let me know if anyone wants to join me in critiquing the ripple whitepaper...
11:11:14amiller:the main thing i posted is a counterexample to their 'theorem'
11:11:36amiller:the idea is that they describe a minimum condition for "overlap" among nodes UNL lists of nodes on the ripple network
11:12:04amiller:the condition is that among any two nodes, their UNLs must contain X nodes in common, where X = 1/5 (the maximum size of *any* nodes UNL list)
11:12:50amiller:the theorem (to the best I can recover it, it's not stated explicitly) is that if this condition holds for the network, then there are no forks
11:13:48amiller:the problem is that since different nodes can have different size UNLs, and "A is on B's UNL" doesn't mean "B is on A's UNL", it's easy to make a network topology that satisfies that requirement, yet there would clearly be a fork
11:15:25amiller:i have two other avenues of criticism
11:16:19amiller:1. i'm not sure how their approach can be fixable. For example, suppose I add a new node to the network that has 100000 nodes on it's UNL list.
11:16:33amiller:that would throw off any heuristic based on the maximum overlap of the network etc
11:17:23amiller:it would also throw off the plausibility of the fault tolerance, since now 99% of "the network" could be malicious
11:17:44amiller:maybe the thing to say is that the theorem should apply to *any subnetwork* that satisfies the heuristic
11:21:30amiller:2. there are known lower bound results for synchronous networks and digital signatures are available and where nodes have to "finally agree" after some fixed finite time, which I think is close enough to Ripple's setting to be applicable.... in particular the amount of time to reach agreement is proportional to the *absolute number* of nodes that can fail http://www.cs.toronto.edu/~samvas/teaching/2221/handouts/t+1lowerbound.pdf
13:30:00samson2:samson2 is now known as samson_
14:59:42andytoshi:does anyone remember an altcoin that got wrecked by bad diffchange algorithms?
15:04:21mr_burdell:didn't dogecoin change their algorithm because of something like that?
15:05:09mr_burdell:btw, if you're writing something about bad algorithms, KGW is pretty bad for light clients
15:05:38andytoshi:oh? can you link me to something about KGW, i have avoided it thus far
15:05:45tacotime:terracoin heh
15:05:49andytoshi:but i am writing the diffchange section of alts.pdf now since there was a q on #bitcoin last night
15:06:14andytoshi:thx tacotime
15:06:19mr_burdell:i ported electrum to vertcoin and it takes forever to just verify the header chain
15:06:47mr_burdell:because it has to do the KGW calculation for every block, which looks back a semi random number of blocks
15:06:47andytoshi:weird, i thought it just changed the discretization to something smoother
15:06:53andytoshi:oh, weird
15:07:57tacotime:and that thread https://bitcointalk.org/index.php?topic=261986.0
15:08:10tacotime:TRC was kind of lulzy
15:24:19andytoshi:sigh, wtf is even going on with KGW
15:26:32mr_burdell:here's my attempt at SPV with KGW: https://github.com/paybee/electrum-vert/blob/master/lib/blockchain.py#L298
15:26:52mr_burdell:I don't think anyone has looked at it to verify if it works... I just know it claims to verify the chain
15:28:24mr_burdell:basically, each block is given a mass, and the mass is used to weight that block with respect to its deviation from current difficulty
15:28:33mr_burdell:and the mass of blocks trails off as they get older
15:29:25andytoshi:ok, cool
15:38:36andytoshi:tacotime: mr_burdell: would you mind glancing at section 6.3 of https://download.wpsoftware.net/bitcoin/alts.pdf ?
15:43:44davispuhh:davispuhh is now known as davispuh
15:51:21mr_burdell:andytoshi: i haven't read all of it yet, but I have another thing you can add: coins with multiple proof of work algorithms (myriadcoin) have an issue of how to compare work from different algorithms
15:51:54mr_burdell:some scaling factor is needed to decide how much work is in a chain consisting of blocks with different pow algos
15:52:15andytoshi:oh, good idea
16:17:01Eliel:scaling factor that modifies the scaling based on how many blocks were found with each algo, trying to balance them out sounds reasonable on first glance.
16:19:26mr_burdell:you mean an extra factor for the difficulty or just to change the scaling factor? The difficulty adjustment is supposed to keep the blocks spaced correctly
16:19:55Eliel:scaling factor adjustment.
16:19:57mr_burdell:the scaling factor is only for deciding between two blocks at the same height
16:21:49mr_burdell:lets say sha256 is getting more blocks because it has "more work"... but if you change the scaling factor so the other algos will be considered more work, then won't the difficulty for sha256 actually drop?
16:26:42andytoshi:i added a note saying that you've got a lot of extra complexity to handle, i think that's all that needs to be said
16:27:31andytoshi:there is an overarching theme to the whole paper that adding complexity for no reason at all is idiotic, and it links to asic-faq.pdf which argues that SHA256 is optimal anyway
16:46:14Eliel:mr_burdell: there's no way to have a single difficulty that applies to several hash algos. any scaling factor is necessarily a scaling factor on the difficulty.
16:50:49gmaxwell:amiller: did you see my comments in the backlog here about the paper? I was completely perplexed by the topology constraint saying that it didn't matter if the linking hosts were malicious or not.
16:55:52amiller:gmaxwell, hm i see that now
16:55:54amiller:gmaxwell, i think that constraint was just mentioned as an aside
16:55:56amiller:paraphrased "it's interesting to note that no assumption is made on whether the overlapping nodes are malicious or not"
17:03:58Guest10131:Guest10131 is now known as maaku
17:05:23gmaxwell:Yea, I think thats nuts though. A malicious node might as well not bee there. Imagine you have the two clique network like they show there in the 'good' topology. But one end of each of the two links in the min-cut is malicious. In that case they can simulate varrious degress of complete disconnection or false consensus. And malicious out of the total count there is supposted to be an amount they can handle.
17:11:57Alanius_:Alanius_ is now known as Alanius
17:28:45amiller:hi gmaxwell\
17:28:57amiller:i ;liokvw h";b
17:45:58sipa:amiller's cat, is that you?
18:02:00Brizo_:Brizo_ has left #bitcoin-wizards
18:09:22gmaxwell:Where I gave up thinking about the necessary and sufficient topology criteria was to imagine considering all possible mixtures of malicious nodes, and then querying every node and checking that no more than a threshold of their peers were malicious. ... and then I realized that test wasn't sufficient because you could meet it while still having a pair of nodes who were partitioned by malicious nodes. At that I threw my hands up, I ...
18:09:28gmaxwell:... saw no obvious way to solve it or even know what your security was without very artificial topology constraints... then I posted the two clique example in the ripple thread and I still think they've done nothing to answer it.
18:11:15gmaxwell:And maybe they shouldn't have. It's sufficient (but not necessary) to have the trust fully meshed. This is a reasonable requirement in a centerally administered system, and given an apparent lack of guidance on setting up trust relationships at all, that must be what they have.
18:12:57gmaxwell:(well I mean, it's sufficient for security if the trust is fully meshed to simply meet the threshold of honest nodes required by the consensus algorithim)
18:23:08jgarzik:Meanwhile, on a completely different subject, I'm confounded by the problem of trying to replace IRC without having trusted users run servers/routers of some sort, just to communicate with one's own circle of trusted peeps.
18:23:41jgarzik:Need to find some incentive to get people to exchange IRC-like messages in a network
18:23:42sipa:you mean twitter? :p
18:23:55sipa:you mean real life?
18:24:33jgarzik:sipa, More concretely, I would like a secure IRC replacement that doesn't require me to change all my IRC habits ;p
18:25:09jgarzik:sipa, I already wrote & tested the IRC proxy part, just need to find something useful to connect it. https://github.com/jgarzik/dirc
18:25:33kanzure:i'm not sure if i should bother reading this http://cdn.anonymousbitcoinbook.com/darkcoin/darksend-paper/Atlas_Darksend-Analysis-v001.pdf
18:26:14jgarzik:For "decentralized IRC", I think you would have digitally signed administrative domains (== IRC network). Within that domain, you have channels/users.
18:26:48Dr-G:what about SILC?
18:26:50jgarzik:Then people can agree to route certain domains (networks), for bitcoin
18:27:27lechuga_:i dont think silc addresses decentralized routing
18:28:12jgarzik:Indeed. For robustness, deniability and other attributes, it is useful to decouple users & routers if possible
18:31:26jgarzik:owel. I guess I can work out router incentives later... Just creating a router that will route digitally-signed messages for , each with a bandwidth limit, should get things going.
18:32:48jgarzik:Another fun problem: establishing a session with (logging into) a decentralized service. getting some sort of temporary, secure session token.
18:33:31kanzure:is a temporary token necessary if you have pubkey signing anyway?
18:35:19jgarzik:a fair question. I guess... the administrative domain digitally authenticates a list of pubkeys (users). from there, you can prove a user is allowed to use the network. and you can prove a user has certain rights on publicly acknowledged channels.
18:35:54jgarzik:but some channel management seemed to need more active user acknowledgement and monitoring
18:36:27kanzure:was there anything interesting in jabber's federation-based architecture, or was it more holey than swiss cheese?
18:37:23jgarzik:Nobody ever tried to create a fully enclosed system (from digital authentication perspective) AFAIK
18:39:04jgarzik:the dataset feels chain-esque. no need for proof-of-work, just proof you are within the digital envelope, and have certain rights to manage namespace, user or channel state
18:39:36jgarzik:I don't mean putting messages in a chain, just the metadata about the admin domain
18:42:31kanzure:someone wrote a proposal involving namespace registration using a bitcoin address scheme (and i was asked not to distribute the proposal)
18:42:49kanzure:(but then it turned out that he got criticism and backed down, so i don't know how that changes whether or not i should be sharing the link)
18:43:36Taek42:jgarzik if decentralized file storage ever becomes a thing you could just have each irc channel be a different file, people make comments by appending to the file. You could register usernames against public keys on some other file that everyone checks, and use signed messages to verify that a message came from a trusted handle
18:43:50kanzure:it was something like, storing data inside of an address that gets paid, and the latest address sent to is the one that gets used for the most recent data (like an ip address)
18:44:47gmaxwell:kanzure: I've seen the proposal, it was a pretty nasty spam the blockchain proposal; as has been suggested many times before (though this time in IETF draft form)
18:45:37kanzure:my description is lacking but yeah that's the one
18:45:54gmaxwell:I don't think namespacing is really the interesting problem in this sort of thing. If nothing else "pubkey is the name" is workable if ugly.
18:46:36Dr-G:Dr-G is now known as Shlomogolddoge
18:49:29Aquent:have you guys read this tweet: https://twitter.com/NickSzabo4/status/510207346807959552
18:49:40Aquent:is he talkng about using the blockchain to secure nicknames?
18:49:42grubles:grubles is now known as Guest987
18:50:27jgarzik:namespace itself isn't an interesting problem at all. People like readable names. An administrative domain provides a single namespace (a la IRC). You can implement IRC-like channel creation policies within a digital secure envelope.
18:50:35jgarzik:No need to restore to unreadable names.
18:51:30kanzure:if you can't figure out how to get people routing irc messages in an incentive-compatible manner, maybe just the ability to shift channels around to different central nodes would be an improvement from the current situation (but also a little more boring)
18:52:06jgarzik:I think people would be willing to say "I'll donate X bandwidth to Y network"
18:52:24jgarzik:and software can take it from there, since messages are provably within a network
18:54:58gmaxwell:jgarzik: I'm just saying that if you had it all working with unreadable names then mapping one to the other "reduces to a previously solved (if poorly) problem"... it's not an issue unique to the IRC stuff.
18:58:40tacotime:andytoshi: will have a read through when i get a chance
19:04:31jgarzik:gmaxwell, indeed
19:05:17jgarzik:gmaxwell, it's a balance of philosophies at that point. I would ideally like a system where "#bitcoin-dev" is long lived and has clear channel owners
19:05:57jgarzik:one way to do that is with an admin db, another more-decentralized way is just pubkeys, no toplevel at all
19:07:13jgarzik:a decentralized freenode, in the former design, would devolve down to "staff" being the folks that hold keys and control top level policy via digitally signed message
19:08:26mist:[Global Notice] Reminder - This weekend freenode staff identified some compromised binaries present on a number of servers in the network. These servers have been taken offline. Since password-sniffing may have taken place, we advise all users to change their passwords. /msg nickserv set password newpasshere. More information will follow later in the week. http://blog.freenode.net/2014/09/server-issues-2/
19:08:42gmaxwell:Well, you can imagine a system where every channel has some descriptor stored in something like namecoin. The descriptor lists what hosts you should connect to as the meeting points for the channel. The operators of the channel can update the descriptors (and the list of operators). Meeting points would mostly be trusted to not drop messages.. with everything encrypted and authenticated the meetings points couldn't spy (beyond ...
19:08:48gmaxwell:... traffic analysis) or forge messages.
19:09:24gmaxwell:though that kind of design leads to namesquatting, e.g. where atlas registers #bitcoin-dev and there is no way to get it from it, leaving actual technical people to #bitcoin-dev-for-real
19:12:29mist:[Global Notice] Please note - this is not a new issue, just another notice of the same issue from the weekend. If you already changed your password following the previous announcement you do not need to change it again. Sorry for any confusion.
19:13:37Luke-Jr:IMO this kind of namespace issue can only realistically be resolved with UUID-type identifiers that people can assign aliases to.
19:26:26jgarzik:gmaxwell, Yes, that's the tradeoff
19:26:42jgarzik:gmaxwell, top-level control permits namespace conflict resolution
19:27:13jgarzik:And I think that's fine, in a universe of many networks. If you don't like a network, there are others.
19:28:15jgarzik:Someone can just as easily create an administrative domain with zero intervention, first-come-first-served, anything-goes policy.
19:29:12jgarzik:Nodes choose to route a list of networks, and can easily include or exclude the FreeNode, Garzik, or AnythingGoes networks.
19:30:32jgarzik:You could route a namecoin-secured domain, with proof taken from namecoin indeed
19:32:45Guest987:Guest987 is now known as grubles
19:34:01jgarzik:Ah, yes, now I remember why I wanted logins / sessions.
19:34:19jgarzik:Each router needs to prove that a message belongs to a certain network.
19:35:25jgarzik:The simplest way to do that is have a list of network pubkeys, ONE per network, and each message is verified against that. However, that requires $some entity other than a router wrap each user's message in a network envelope. Not workable.
19:35:51jgarzik:The alternative, as just discussed, is for the router to prove each user is permitted to send a message on the network.
19:36:34jgarzik:A third option is a compromise between the two, where you prove you're credentialed on the network for a little while, yet not exposing the full public key list to each router.
19:36:43jgarzik:full public key *user list
19:38:00jgarzik:routers see session granularity, but not user granularity. If a user rotates sessions on a regular basis, this is useful.
19:38:34jgarzik:Session tokens, like the network envelope, require a provider $somewhere
20:05:46Aquent:jgarzik how come we dont already have decentralized provable identity
20:06:44jgarzik:Aquent, we do. PGP and SIN are two examples.
20:07:25Aquent:I'm refering to this https://twitter.com/jgarzik/status/511226752690315265
20:13:22Aquent:or did you mean pgp will get bigger than bitcoin?
20:20:42jgarzik:Aquent, the base tech exists. just need to build it out.
20:24:26kanzure:i am surprised that freenode hasn't kicked all the altcoins (or even bitcoin) off entirely, given the huge potential for spam
20:24:43kanzure:i don't know if they made a public decision about this
20:31:09jgarzik:I would not be surprised if bitcoin/altcoins were the primary source of their headaches
20:34:09kanzure:on the other hand, it is endlessly amusing and useful to me that the entire cryptocurrency world gets routed through freenode/irc
20:45:27Aquent:a decentralized freenode with fully encrypted communication would be awsome
20:54:57nsh:unless it was awful
20:56:10Aquent:yes, I guess thats implied
21:13:31phantomcircuit: You could route a namecoin-secured domain, with proof taken from namecoin indeed
21:13:46phantomcircuit:except namecoin is constantly broken
21:24:46midnightmagic:ehh, sort of.
21:29:15jgarzik:phantomcircuit, ok namecoin-like chain
22:46:49Shlomogolddoge:Shlomogolddoge is now known as Dr-G
23:53:18Taek42:Would someone like to take a look at this for me?
23:53:32Taek42:It's about randomly assigning files to hosts in a byzantine environment