02:32:35Adohgg:Adohgg is now known as BITCORN
02:32:47BITCORN:BITCORN is now known as PROFBITCORN
02:32:53PROFBITCORN:PROFBITCORN is now known as FUBTOSHI
02:39:45crescend1:crescend1 is now known as crescendo
06:02:05FUBTOSHI:FUBTOSHI is now known as Adohgg
08:05:16holmes.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
11:15:36wallet421:wallet421 is now known as wallet42
12:38:46Starduster_:Starduster_ is now known as Starduster
12:51:25Meeh:Meeh is now known as mikalv
14:08:19hearn_:hearn_ is now known as hearn
14:55:29altoz_:altoz_ is now known as altoz
15:02:59lmatteis:hello! is there a good technical description as to how proof-of-stake type of system works for reaching consensus? the peercoin paper (which uses proof-of-stake) says that consensus is based on "The block chain with highest total consumed coin age is chosen as main chain"
15:03:55gavinandresen:lmatteis: https://download.wpsoftware.net/bitcoin/pos.pdf is a good technical description of why we think proof-of-stake systems are doomed. Probably. Maybe.
15:06:10lmatteis:thanks!
15:12:58lmatteis:i need a more introductory version perhaps. it doesn't explain the concept of coin age which seems at the heart of proof of stake systems
15:18:56lmatteis:first off, what is the incentive for people to create blocks. and can only rich people do it?
15:25:30tromp:same incentive as in PoW: get coinbase and/or tx fees
15:26:36tromp:rich ppl have more chances than poor
15:30:13lmatteis:tromp: so imagine you create a block because you have lots of coins (that's the gist of it i hope). do you give up those coins that you've "proved" in that block?
15:30:22lmatteis:or can you just continue creating blocks
15:33:12tromp:those coins lose their "coin-age"
15:34:06tromp:since their age is reset in the act of block creation
15:34:39lmatteis:tromp: ah
15:35:11lmatteis:tromp: so how is distribution achieved?
15:35:37tromp:by some IPO or prior PoW phase
15:36:22tromp:or by using a PoW/PoS hybrid
15:37:29lmatteis:so the fact that coins are unspent makes it so that the main chain can be chosen and agreed upon by everyone
15:38:45lmatteis:so i have a transaction with a certain coin age, and i try creating a block with it and i broadcast it right? who decides my block (with that coin age) is the one that wins compared to others with larger coin age
15:38:49gavinandresen:lmatteis: … everyone who is online and has been participating, assuming that everyone can communicate with everyone else. The notion of “everyone” is very slippery in a distributed consensus system that allows participants to come and go.
15:40:53lmatteis:gavinandresen: right but in a PoW system you know the block is good because you see it was solved. with this coin age system (PoS) it seems likely that you may receive multiple winning solutions. or perhaps you see a block that could be added to the chain, but then you receive another one with a slightly larger coin age.
15:41:53gavinandresen:lmatteis: the idea with the PoS systems I’ve looked at is a distributed vote happens, where number of coins you own determines your chance of winning a “random” vote
15:41:57lmatteis:i guess this is the same as a having 2 blocks being found at similar times in PoW systems.
15:42:33gavinandresen:… where transaction hashes are XOR’ed with the last block’s hash (or last eleven) to determine the winner
15:42:46gavinandresen:… or some more complicated scheme (I don’t pay a lot of attention)
15:42:49gmaxwell:lmatteis: PoS doesn't appear to be workable for consenus under the same assumptions bitcoin makes. It sounds like it is workable under dramatically weaker assumptions (or less useful, e.g. that you already have some other global consensus). Perhaps someone clever will find yet another set of assumptions which it works under which are useful, but so far it seems to not be happening. You should really read the paper linked above and ...
15:42:56gmaxwell:... think about it a bit.
15:44:23gmaxwell:consensus
15:44:25gmaxwell:There are a lot of very complicated schemes proposed (and in use) and they do not appear to address the fundamentals, but mostly just shift around the attacks. It's very costly to review these things, especially since most don't even state their assumptions upfront... so it's certainly possible I/we have missed something interesting.
15:45:01lmatteis:hrm ok
15:46:42tromp:there is huge variation among PoS implementations. e.g. go read the peercoin whitepaper for a PoW-like mechanism
15:47:13tromp:in NXT like systems, your coinage determines a delay in seconds, after which you can announce the next block
15:47:18lmatteis:also, imagine i wait long enough so that i collect multiple addresses with a good amount of coins. so i have multiple addresses that have a large coin age. this would allow me to double spend and publish several blocks one after another no? since the coins are on different addresses
15:48:58tromp:only if you can persist the fork across as many blocks as the required #confirmations
15:49:28tromp:similar to PoW
15:49:50gavinandresen:gmaxwell: if a PoS coin comes out with a whitepaper that references academic literature on distributed consensus algorithms (e.g. Paxos) that might be one worth paying a little attention to
15:50:13sipa:distributed consensus with paxos works perfectly
15:50:28gavinandresen:… as long as nobody cheats....
15:50:42sipa:but it doesn't apply to a system with unknown (and variable) participants
15:51:09lmatteis:so it's not a currency?
15:51:13zooko:Here are some papers that I haven't read that might be more useful by stating their assumptions more clearly, etc.: http://eprint.iacr.org/2014/452 http://www.cs.technion.ac.il/~idddo/CoA.pdf
15:51:19zooko:About Proof-of-Stake, I mean.
15:51:41sipa:lmatteis: it may be a currency between a group of 15 banks that all know each other in advance
15:51:56zooko:I haven't yet read them because for now I, too, am giving up on trying to figure out how to make proof-of-stake work.
15:52:19gmaxwell:If you fix the signers up front for all time everything works lovely. (well, perhaps with quadratic communication costs between the signers in the worst case, but, meh)
15:52:29gavinandresen:RE: Paxos: interesting paper I read yesterday on “Paxos for mere mortals” : https://ramcloud.atlassian.net/wiki/download/attachments/6586375/raft.pdf
15:52:44gavinandresen:(well, NOT paxos…)
15:53:06lmatteis:is it old? not referencing bitcoin
15:53:16hearn:sipa: technically, you could have some mechanism (pow based or not) where people can enter and leave the consensus at fixed, well-agreed points
15:53:28hearn:of course this turns the consensus problem from "what are we agreeing on" to "whom is agreeing"
15:56:24zooko:hearn: +1
15:56:30sipa:right, indeed
15:57:20gmaxwell:hearn: you can but only if the admissions system is an external consensus.
15:58:00gmaxwell:(otherwise the admitted parties (or someone who's stolen their keys) at any point in the past can go and create an alternative history where they admitted different people; and a newcomer cannot distinguish these histories)
16:00:53hearn:i suspect the most interesting alt consensus mechanisms will in future simply play with the centralised/decentralised tradeoff. e.g. there are lots of timestamping servers on the net that will timestamp arbitrary hashes of things against atomic clocks, they can't see what they're timestamping. the simplest possible block chain is "just pick some of them and require blocks to have n-of-m signing by them". and if a threshold of
16:00:53hearn:the TSAs turn bad simultaneously for some reason, OK, everyone has to temporarily stop the system, pick some new servers and restart it.
16:01:08hearn:such a system is not as decentralised as bitcoin but might be good enough in practice
16:01:37hearn:or at least it's not as decentralised in theory. with the state of mining as it is, it'd actually be better, as timestamp servers can't see what they're timestamping whereas miners can
16:02:01lmatteis:to me the main difference between a PoW and PoS seems that with PoW i get a piece of information (the block) that contains a mathematical proof that its solution was worked on by several people (perhaps several thousand). this is important for consensus i think. with PoS it seems as though i get back a proof that simply states something (such as the size
16:02:02lmatteis:of the coin age) but doesn't directly prove that several thousand people have worked on finding
16:03:25hearn:( i mean timestamps per transaction here .... double spends resolved by whichever was timestamped first and it's assumed the timestamps are of sufficiently high resolution that one can always be picked )
16:03:28lmatteis:not sure if that means anything for the consensus though :)
16:03:31hearn:pretty half baked idea
16:03:44hearn:lmatteis: pow says nothing about "people"
16:03:49zooko:I think that people should proceed to set up notaries right away that publish signatures of the blockchain.
16:04:31lmatteis:hearn: sure but the idea is that the size of difficulty implies distributed work - no single machine can do that type of work
16:17:17skinnkavaj:Can someone explain without any hate towards LTC, why are not LTC and BTC securing each other in some way? So you would have to 51% attack both LTC and BTC to gain control? Wouldn't it be really good for decentralization when LTC hardware is totally different and probably not placed in all the same hosting centers?
16:24:14Dr-G:Dr-G is now known as _420blazeitfeggi
16:40:46gmaxwell:"If it makes a difference, it makes an attack"
16:43:07jtimon:timestampers and two-phase commit work great for user issued assets (not p2p currency), if you need more p2pness at a given time, you can use a public blockchain as timestamper
16:43:42jtimon:that was the approach in the old ripple distributed protocol (and part of freimarkets)
16:45:08jtimon:then of course r.com choice was a "variable" membership paxos-like approach, with its known problems...
16:47:17woah:anyone seen this bitnation thing?
16:47:33woah:shiny site, link to the whitepaper is dead lol
17:05:35gavinandresen:hearn: RE: getting random servers to timestamp idea: I had the same half-baked thought.
17:06:42hearn:skinnkavaj: ltc started out by saying "we're different because our consensus mechanism is gpu resistant". so the separation is fundamental.
17:56:39skinnkavaj:hearn: Yes, but doesn't having another ASIC network with different hardware, placed differently around the world, make BTC more secure?
17:57:52Quanttek_:Quanttek_ is now known as Quanttek
18:00:05tromp:skinnkavaj: scrypt is not all that different from sha256^2; both are very computation intensive
18:00:30tromp:sha256 is just a lot simpler
18:01:49Taek42:it would make Bitcoin more secure given that it's extra hardware, but the miners could have just spent the money on Bitcoin hardware in the first place. Also, the total volume of litecoin mining hardware is not very much compared to the total volume of bitcoin mining hardware, wouldn't make much of a dent even today
18:02:14skinnkavaj:tromp: My point is that it's probably not all the same people in control of LTC as BTC. LTC probably have different pool owners and is placed in different data centers.
18:02:17tromp:the big bitcoin mining factories could easily add dozens of scrypt mining rigs
18:02:45tromp:they alrd have secured the cheapest power
18:04:01tromp:replace dozens by thousands
18:04:03skinnkavaj:tromp: The power would be more distributed nonetheless, we could even add a third network to secure BTC. Hopefully one with completely different hardware
18:20:24gmaxwell:skinnkavaj: Meditate on my "if it makes a different it makes an attack" comment
18:22:36Taek42:* Taek42 meditates on the meaning of such phrase
18:24:58jtimon:bitcoin adding scrypt? that sounds like a terrible idea, what did I miss?
18:25:10gmaxwell:er. "difference" :)
18:25:24sipa:jtimon: not everything suggested here is a good idea :)
18:25:36jtimon:if we needed to change bitcoin's pow I would suggest something with similar properties as sha256d, not scrypt
18:26:04sipa:"Meh."
18:26:37jtimon:any quality that makes scrypt better than a sha256d "equivalent"?
18:26:55Taek42:can someone provide a commentary on this paper: http://arxiv.org/abs/1311.0243 "Majority is not enough: Bitcoin mining is vulnerable". Is this a legitimate problem?
18:39:41gmaxwell:Taek42: it's been commented on many times by many people on bitcoin talk. Perhaps someone can provide a link.
18:41:13Taek42:I'm currently reading a thread of the same title on bitcoin talk, which has many responses by people here. Was a formal response ever thrown together or is the thread about it?
18:41:28sipa:"formal" ?
18:45:24Taek42:like a single analysis that got vetted by multiple people and published somewhere relevant
18:54:56gmaxwell:maaku: https://en.bitcoin.it/wiki/User:Gmaxwell/covenant_busting
18:57:52lmatteis:Taek42: also search for selfish mining
18:58:14Taek42:will do, thanks
18:59:42iddo:Taek42: try page 7 of this pdf: http://arxiv.org/abs/1402.1718
19:03:31Taek42:iddo thanks, this is pretty close to what I was looking for
19:05:12justanotheruser:gmaxwell: is it normal if I don't understand that the first time reading it?
19:09:01lmatteis:depends :) should be simple for people in the same field
19:10:29justanotheruser:heh
19:11:52justanotheruser:I'm just not sure why it's more useful than just requiring your signature
19:18:01justanotheruser:I am confused about what this accomplishes. It allows you to have the control to remove the covenant, but they can spend it anyways with the covenant that you are able to remove your covenant?
19:18:12justanotheruser:can someone tell me how badly I'm misunderstanding this?
19:36:36_420blazeitfeggi:_420blazeitfeggi is now known as Dr-G
19:45:16hearn:hearn has left #bitcoin-wizards
20:05:10amiller_:i've just looked at the covenant busting thing three times and don't get it at all
20:06:20justanotheruser:thank you, it's not just me
20:40:14gmaxwell:it was out of context.
20:40:25gmaxwell:"I don't understand" is not helpful though!
20:40:54gmaxwell:justanotheruser: you're failing to understand what a covenant is, read some of the linked thread.
20:47:24justanotheruser:gmaxwell: read that and we have discussed it
20:47:54justanotheruser:just not sure why that covenant in particular is useful (not implying it's not though)
20:52:45nuke_:nuke_ is now known as nuke1989
21:52:39Taek42:does anyone know where I can get help with a probability problem?
22:02:47tromp:try ##math ?!
22:03:16Taek42:worth a shot