01:41:05devrando1:devrando1 is now known as devrandom
07:04:54SomeoneWeird:SomeoneWeird is now known as Guest58903
08:05:16orwell.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
08:05:16orwell.freenode.net:Users on #bitcoin-wizards: andy-logbot pen devrandom Guest58903 Graftec CoinMuncher Meeh AaronvanW dgenr8 x48_ CoinHeavy qualiabyte RoboTeddy mortale TheSeven tacotime forrestv koshii OneFixt_ shesek justanotheruser K1773R fanquake livegnik jchp_ HaltingState mkarrer oujh wiretapped Anduck a5m0 nuke1989 go1111111 michagogo skinnkavaj atgreen gernika SDCDev epscy GAit amiller_ Nightwolf altoz Aquent spinza wallet42 rfreeman|afk Keefe roconnor wizkid057 Krellan BigBitz
08:05:16orwell.freenode.net:Users on #bitcoin-wizards: Starduster artifexd [\\\] dansmith_btc berndj-blackout kmels grandmaster2 Taek42 melvster1 mr_burdell samson_ nanotube jaromil bbrittain BlueMatt jaekwon nsh warren asoltys Hunger- LarsLarsen waxwing Iriez [Derek] CryptOprah_ mappum zlinn_ btc_ jbenet Emcy tromp_ EasyAt tucenaber Logicwax Transisto iddo tromp Muis Grishnakh sl01 comboy_ Luke-Jr digitalmagus7 drawingthesun emsid Graet UukGoblin espes__ sipa coryfields licnep [d__d] midnightmagic
08:05:16orwell.freenode.net:Users on #bitcoin-wizards: bobke postpre nsh- copumpkin Adohgg zenojis pajarillo crescendo jgarzik HM maaku phantomcircuit azariah4 zibbo gmaxwell Fistful_of_coins DoctorBTC poggy harrow rs0 Dyaheon roasbeef andytoshi mmozeiko Eliel CodeShark throughnothing Guest47516 Alanius nickler_ Starsoccer pi07r ryan-c kanzure gwillen BrainOverfl0w otoburb smooth pigeons helo Guest50253 weex abc56889 lechuga_ TD-Linux catcow danneu LaptopZZ_ burcin optimator_ jcorgan petertodd
08:05:16orwell.freenode.net:Users on #bitcoin-wizards: kinlo so @ChanServ Apocalyptic lianj wumpus nkuttler gribble phedny
08:19:11Meeh:Meeh is now known as mikalv
08:57:21Guest58903:Guest58903 is now known as SomeoneWeird
10:37:50rfreeman|afk:rfreeman|afk is now known as rfreeman
10:41:19amiller_:amiller_ is now known as amiller
11:15:03wallet42:wallet42 is now known as Guest89619
11:15:04wallet421:wallet421 is now known as wallet42
13:48:17x48_:x48_ is now known as x48
14:10:29bbrittain_:bbrittain_ is now known as bbrittain
14:46:49SDC:SDC is now known as SDCDev
14:48:45samson2:samson2 is now known as samson_
14:49:02michagogo_:michagogo_ is now known as michagogo
14:49:48artifexd_:artifexd_ is now known as artifexd
15:06:10fluffypony:oh well, there we go, may as well throw in the towel
15:06:11fluffypony:https://www.darkcoin.io/downloads/InstantTX.pdf
15:06:13fluffypony::-P
15:17:21vfor:vfor has left #bitcoin-wizards
15:33:09licnep_:licnep_ is now known as licnep
15:34:22brisque:to save anybody the time, here's a tl;dr on the "instant transaction" system the DarkCoin developers have excreted and are pumping with.
15:36:15brisque:their system of "masternodes" (fixed nodes with listening IP addresses, locked funds) is used to generate an authoritative signed message. one node form the pool of 1000 (currently) signs the transaction.
15:36:37nkuttler:nkuttler is now known as Guest49485
15:39:35brisque:their idea is that sybil attacks are nullified by "locking" outputs of a certain value, rendering them unspendable for a certain period. it's fairly flimsy even just to the point that the "masternodes" can be denial of service attacked by design.
15:39:43Quanttek_:Quanttek_ is now known as Quanttek
15:40:09fluffypony:brisque: a fact that gets ignored every time I raise it
15:40:23fluffypony:because apparently they "fixed the DDoS issue"
15:41:05fluffypony:which is amazing, not only have they created instant transactions, but they have somehow managed to create a system that can null-route upstream traffic automagically :-P
15:41:28brisque:fluffypony: do you know why they require them to be listening, or even how the network gets an idea of the total number of masternodes? seems you could do very basic partitioning on somebody to become the "only" masternode.
15:42:12fluffypony:brisque: no clue, maybe they advertise themselves as masternodes? or maybe it's hardcoded IPs?
15:43:02brisque:last time I looked into it it was all binary releases with no source and no technical detail. I got the impression that the system relied on being able to directly connect to some central controller.
15:44:49HobGoblin:HobGoblin is now known as Guest58606
15:45:46fluffypony:well the commits don't really help in grokking it: https://github.com/darkcoinproject/darkcoin/commits/master-rc5
15:45:51brisque:looks like it still is, there's people complaining that their nodes crash with the function RegisterAsMasterNode which doesn't exist anywhere in the source.
15:46:07Guest58606:Guest58606 is now known as UukGoblin
15:46:07fluffypony:"version bump" is the description on most commits
15:46:18fluffypony:and it's literally a version bump
15:46:19fluffypony:lol
15:46:40brisque:looks like mastercoin node data is part of the version message?
15:49:10brisque:yeah. I
15:49:17brisque:ve no idea how this works. at all.
15:49:45brisque:if nodes are meant to pass the masternode addresses around, that's easy partitioning
15:50:14brisque:they won't be in blocks because a masternode isn't going to be a miner
15:50:55nkuttler_:nkuttler_ is now known as Guest36691
15:51:19fluffypony:well it looks like everything is in main.cpp
15:51:23fluffypony:because who needs abstraction
15:53:09Quanttek:Didn't he said that the publishing of the source had to get delayed multiple times because of "code refactoring & cleaning"?
15:53:13brisque:I'm not sure that includes the stuff you need to *be* a mastercoin node, I can't find that register function anywhere.
15:53:25brisque:er masternode.
15:54:10brisque:Quanttek: GetCurrentMasterNodeConsessus() not very refactored, not even spelt right.
15:55:08Quanttek:yup. I think there is a reason, that he doesn't work for Microsoft anymore
15:55:46fluffypony:"masternode genkey" is the command you're supposed to run
15:55:56fluffypony:but "genkey" doesn't exist in master or in master-rc5
15:56:00fluffypony:so I'm guessing that's closed-source
15:56:07brisque:let me see if it's in the binary
15:56:58brisque:fluffypony: yeah. that's in the binary from their website. not in the source.
15:57:48fluffypony:such trust.
15:57:49fluffypony:"here, run this unknown binary...and you have to put 1000 DRK in it...nothing bad will happen, we promise"
16:02:59brisque:haven't they been promising the source for like, a year?
16:03:15fluffypony:I lost track
16:06:02brisque:nice voting ring on reddit pushing their nonsense to the top
16:47:24drawingthesun:does viacoin pose any threat to bitcoin? I hear they have peter todd and he will make viacoin have side trees,
16:49:02brisque:drawingthesun: read andytoshi's paper on why PoS is a PoS.
16:49:18drawingthesun:link?
16:49:38brisque:http://bitcoin.ninja under "proof of stake"
16:50:38drawingthesun:brisque, thanks, any comment about why a respected core developer would be giving light to these other projects?
16:50:45fluffypony:point of sale is a PoS? :-P
16:50:51sipa:viacoin is not proof-of-stake, is it?
16:51:19brisque:yeah
16:51:41brisque:it's the one that got nuked by somebody stealing all the coins from an exchange, and the developers used the checkpoints to unsteal all of them again.
16:51:50fluffypony:brisque: no that's Vericoin
16:52:06brisque:serious;ly?
16:52:08fluffypony:Viacoin is this crowd: http://www.reddit.com/r/Bitcoin/comments/2c9700/peter_todd_hired_by_viacoin_to_work_on_tree_chains/
16:52:21brisque:there's too many shitcoins, I swear. I can't even keep track of the names now.
16:52:36brisque:sorry sipa, it's an scrypt one.
16:53:03drawingthesun:ok, so viacon is not not PoS, and it now has peter todd, what do we make of this?
16:53:18fluffypony:drawingthesun: he's paid to consult to them, just like he consults to us
16:53:27drawingthesun:I see
16:53:30fluffypony:the difference is we didn't call him our "chief scientist" and put out a press release
16:53:36drawingthesun:Ah
16:54:43brisque:fluffypony: you would if you bought Andreas though
16:54:53fluffypony:I mean, drawingthesun, this is the telling bit - http://www.reddit.com/r/Bitcoin/comments/2c9700/peter_todd_hired_by_viacoin_to_work_on_tree_chains/cjde4vt
16:54:58fluffypony:"Frankly I don't know much about Viacoin, so I can't comment yet. They simply asked me to do research on treechains and were willing to pay for it. My contract with them is such that all work will remain free of patents and be opensourced."
16:55:09fluffypony:brisque: doubtful
16:55:19drawingthesun:fluffypony, thanks, this makes more sense now. Cheers.
16:55:21brisque:fluffypony: deep sarcasm :)
16:55:39fluffypony:brisque:-P
16:56:51fluffypony:the only person we'd allow to be Monero's chief scientist would be someone who's literally willing to wear a lab coat and horn-rimmed glasses every day and speak with a German accent
16:56:55fluffypony:basically a real life Gag Halfrunt
16:57:24brisque:force todd to do it
16:57:26fluffypony:"vell, Monero's just zis coin, you know"
16:57:29fluffypony:hah hah
16:57:40brisque:sneak it into a contract
16:57:54fluffypony:good deal
17:03:35andytoshi:drawingthesun: peter todd isn't a "core developer" in the sense that he doesn't have push access to the bitcoind repo
17:04:05andytoshi:drawingthesun: he's contributed a lot to bitcoind, but so have many others, and it doesn't tie him to the project (or ties his projects to bitcoind)
17:04:18drawingthesun:andytoshi, I see,
17:05:43amiller:also they don't "have" petertodd just because they hire him as consultant
17:06:10brisque:amiller: makes for good promotion juice though
17:06:14amiller:he's pretty consistent about staying independent / not an employee, you might even just think of it as them sponsoring his research
17:08:24fluffypony:brisque: how else are you supposed to pump the price and justify spending your premined funds (sorry, "presale")
17:25:49gmaxwell:brisque: The kind of locking for instant payments has been proposed and deployed in bitcoin for some time. green-address (the wallet)'s instant transaction service does that. As you note it has some dos exposure.
17:27:19fluffypony:but how can it work without masternodes?! it is a miracle of modern computer science!
17:30:23andytoshi:guys, let's try to keep a high SNR here, busy people read all the scrollback, etc, etc
17:30:52fluffypony:aight
17:31:11fluffypony:in that event, can somebody sanity check this for me please - we pushed it out today
17:31:15fluffypony:http://openalias.org
17:35:55grubles:grubles is now known as Guest75935
17:38:17pigeons:pigeons is now known as Guest51572
17:46:51Guest51572:Guest51572 is now known as pigeons
17:49:24brisque:just another point of note
17:49:52brisque:why the hell did somebody write yet another ruby bitcoin full node?
17:50:01sipa:because ruby
17:50:16brisque:oh wait, it's coinbases again! that explains it.
17:50:30brisque:( https://github.com/coinbase/toshi )
17:51:12brisque:you'd think they would have learnt their lesson the first time.
17:51:22brisque:> PostgreSQL (300gb+ disk space required to sync mainnet)
17:51:35brisque:oh boy.
17:51:42pigeons:EventMachine too
17:53:48brisque:I don't understand at all. why are the blocks being stored in postgres?
17:54:15sipa:because SQL
17:54:23sipa:because webscale
17:57:25fluffypony:needs more JS + CouchDB
18:01:59x48_:x48_ is now known as x48
18:08:11brisque:fluffypony: hahahahahahahaha. I found out why the masternodes need a public IP address!
18:08:40brisque:every single darkcoin client connects to the "masternode"!
18:08:46brisque:every single damn one.
18:09:34fluffypony:O.o
18:10:08sipa:to all, or to a random one?
18:10:50brisque:it's not clear, I'm going to fire up a VM and find out. the comment I found suggests they connect to every one, but that's 800 sockets per client on the network which seems a bit extreme. only one way to find out.
18:13:11brisque:even if it was just the "selected" one for that round, you'd end up pretty much just causing a DOS on that particular node.
18:19:07brisque:"By using this software, you acknowledge and understand that Darkcoin is not intended for use in any illegal activity, and that no person or entity associated with the creation, development, marketing, or furtherance of Darkcoin shall be held responsible for use by any individual, group, or entity that is against the law in their respective jurisdiction."
18:29:15grubles_:grubles_ is now known as grubles
18:36:41gmaxwell:cargo cult contracts.
18:37:05lechuga_:brisque: u can construct interesting queries with the blockchain in SQL
18:37:09gwillen:gmaxwell: "No copyright infringement intended!"
18:37:13gwillen:(cargo cult disclaimers)
18:39:41brisque:fluffypony, sipa: well. I don't know. I can't get their annoying client to actually "enable" the darksend stuff. you can sometimes get it to be "enabled", but it does a variety of non-responses to the RPC commands. best answer is that it tries to connect to all of them.
18:40:04brisque:how it finds them is another question I can't answer.
18:49:55brisque:alright. so the "masternodes" are connected to by every single client.
18:50:15brisque:masternodes are found by passing addr-like messages around.
18:51:17justanot1eruser:my intuition says masternodes have the generals problem
18:51:34justanot1eruser:no way of a miner knowing if they're actually doing their work
18:53:12brisque:more to the point there's nothing stopping you from just being partitioned.
18:53:51brisque:if I only pass you the masternodes I own, how would you know?
18:54:23gmaxwell:http://bitzuma.com/posts/blockchain-info-paper-backup-stores-private-keys-in-the-browser-history/
18:56:05brisque:gmaxwell: bit strong to call them "paper wallets" if they're being made by blockchain.info's RNG.
18:56:28brisque:gmaxwell: did you catch the quote about what they'll do about it?
18:56:56brisque:> indicated that a fix would be considered
18:59:50gmaxwell:hah
19:00:02gmaxwell:"okay, we considered something. problem issue closed."
19:00:32brisque:looks like they have bigger problems today. they've nuked their database worse than usual.
19:30:15bsm1175321:So I'm concerned about "dark hashpower" as a future problem for Bitcoin.
19:30:21bsm1175321:bsm1175321 is now known as bsm117532
19:30:35bsm117532:That is, as BTC price drops, miners will choose to turn off their mining equipment.
19:31:09bsm117532:This creates a situation where, should they choose to attack the network, they could turn it all on for a short period of time and double the hash power of the network, successfully executing 51% attacks.
19:31:48bsm117532:Here's a potential solution: make the target difficulty be a function of time.
19:32:02brisque:.. no.
19:32:10bsm117532:At precisely the block time, the target difficulty will be the expected one.
19:32:27brisque:that just means you can partition a person, wait until their difficulty drops, and send them low difficulty blocks.
19:32:30bsm117532:At shorter times, the target difficulty is much higher, at later times it drops.
19:32:45bsm117532:What does "partition a person" mean?
19:32:51brisque:eh I answered something you didn't suggest, but whatever.
19:33:10lechuga_:it seems very improbable large enough defunct mining operators would suddenly instantly decide to turn all of their equipment back on again
19:33:13lechuga_:to attack the network
19:33:16brisque:part of bitcoin is overcoming the problem that you could be isolated from the network and be fed bad information.
19:33:20lechuga_:and very likely cause no real gain for themselves
19:34:04lechuga_:this is also predicated on the hashrate dropping due to mining reward halving
19:34:13lechuga_:its not clear if that will mean a net loss in their revenue
19:34:15bsm117532:lechuga_: Imagine the price of BTC drops to the point that the price of running miners is 1/4 of the electricity cost now.
19:34:18lechuga_:when bitcoin is at that stage
19:35:02bsm117532:Or rather just push BTC price down arbitrarily until people are turning off machines, and then keep pushing it down. What happens on the large scale then?
19:35:40lechuga_:u think mining operators would attempt to push the exchange rate with fiat down in an attempt to control more hashing power?
19:35:43lechuga_:is that the argument?
19:35:59bsm117532:No, let's assume the exchange rate is independent, and becomes low for some reason.
19:36:00lechuga_:/ concern
19:36:09bsm117532:(any reason)
19:36:14bsm117532:What's a miner to do?
19:37:20lechuga_:i suppose they would turn off their equipment in an extreme prolonged case
19:37:33bsm117532:Then what happens?
19:37:46lechuga_:bitcoin is likely already experiencing trouble at this point
19:37:51lechuga_:(major)
19:38:05bsm117532:I think so too. I'm very surprised the difficulty hasn't dropped yet.
19:38:19lechuga_:i mean in your hypotehtical
19:38:23lechuga_:i dont actually believe it is
19:38:25bsm117532:This event will be detectable by seeing a change in the difficulty curve.
19:39:28lechuga_:so why would they turn it all back on at once
19:40:54lechuga_:have u ever tried to get 3 toddlers into a car at the same time
19:41:48bsm117532:Hahaa. I'm just saying the technical capacity to dump hashing power for a short time will be available to someone.
19:42:06bsm117532:Already happens with alt-coins...
19:43:07lechuga_:i see your point and it would be interesting to model
19:43:27lechuga_:im not going to lose sleep over it
19:45:33bsm117532:Ok so the point of this was to present a solution ;-)
19:46:33bsm117532:Create a target difficulty that is a function of time. Specifically a function of (t-bt) where bt is the block time (10 min).
19:46:54bsm117532:By using a sigmoid function, the target difficulty can be made exponentially larger at short times and exponentially lower at late times.
19:47:25bsm117532:This has the effect of keeping the block time closer to the target block time, regardless of changes in hashing power.
19:48:01bsm117532:Furthermore rather than retargeting every 2016 blocks, one really should use some kind of moving average for the target difficulty.
19:50:32gmaxwell:bsm117532: I thought you groked the non-synchronous network stuff? Making difficulty change without blocks allows huge attacks and even attack-free failure modes.
19:51:03bsm117532:Mmmm okay, what don't I understand?
19:52:08bsm117532:So given that the network is non-synchronous, (t-bt) is not agreed upon by all nodes.
19:52:14andytoshi:bsm117532: by "time" you mean you look at the diff between last two timestamps, and have the difficulty be a direct function of that?
19:52:30andytoshi:bsm117532: so, by forging timestamps you can change the difficulty (within whatever limits you set)
19:52:37gmaxwell:bsm117532: maybe I don't understand what you're saying. It sounded to me like you're saying that the nodes local clocks ... which isn't agreed on. Also, if difficulty will change rapidly (generally) an attacker can isolate a node then simulate a plausable public network.
19:52:48bsm117532:So at some time, a node forms a block based on its evaluation of (t-bt). Other nodes will accept that block (or not) based on *their* evaluation of (t-bt) and whether it is of sufficient difficulty.
19:53:15andytoshi:bsm117532: what do you mean by "their evaluation"? are you using local clocks?
19:53:21bsm117532:Yes.
19:53:39sipa:that's a forking risk for starters...
19:53:49andytoshi:there's no consensus on that, and it's not clear how it would work for initial block download/historical blocks..
19:53:53bsm117532:A node could create a block of too-low difficulty and submit it, but others would reject it until a later time, if they do not have a higher difficulty block.
19:54:10bsm117532:sipa: yes it would create more 1-block forks.
19:54:34lechuga_:bsm117532: the proposal is to adjust diffiulty after every block based on an ewma?
19:54:59bsm117532:That's one of two proposals I wrote above. The other is that the target difficulty is a function of local time.
19:55:37bsm117532:sipa: Do you think the existence of more 1-block forks would be a problem?
19:56:01gmaxwell:bsm117532: who says they're 1 block forks?
19:56:45bsm117532:No one of course. But everyone would accept the highest difficulty block, even if more were created. So why would any of them persist to the next block?
19:57:41gmaxwell:because your clocks disagree and the correct difficulty is some other value.
19:57:57andytoshi:bsm117532: can you explain how this protects against 51% attacks?
19:58:23bsm117532:gmaxwell: Who cares if clocks disagree, if the network accepts the highest-difficulty solution?
19:58:35sipa:if you decrease the difficulty according to some formula, you need to change the amount of work those blocks are counted as too (or you give an advantage to people changing their clock)
19:58:47andytoshi:bsm117532: so, suppose that you had no timestamps at all, just "highest block wins"
19:59:03andytoshi:bsm117532: well, 1/N of the time you will find a block N times the expected difficulty..
19:59:11gmaxwell:bsm117532: Because you just stipluated a new rule above. If it isn't a rule then there are other points to make there.
19:59:23sipa:so if your effective difficulty decreases over time, you're actually losing work for that block
19:59:32sipa:a 51% attacker does not have that loss
19:59:40sipa:so you're giving an attacker an advantag
19:59:50bsm117532:This formula would govern when a node decides to create a block and broadcast it to the network, not what other nodes will accept.
19:59:57gmaxwell:I'm not sure if you understand how the difficulty of a block is determined. It's a committed value in the block. If it's apparent and not commited the relationship is different (it's double, in the limit of the expectation.. and has huge variance)
20:00:27bsm117532:Nodes would accept the highest work block (always) and use local time to adjust their (internal) target difficulty.
20:00:34sipa:how is your work defined?
20:00:41gmaxwell:Okay fine. So you let people pick their own difficulty and jackasses can always add +1 and reorg out earlier blocks, creating a pressure against consensus (better stand in place an reorg out the latest block)
20:00:44bsm117532:sipa: smallest PoW hash.
20:00:47sipa:bsm117532: die
20:00:51bsm117532:hahahaa
20:01:05gmaxwell:thats not a sound definition.
20:01:20sipa:that would pretty much instantly break, even in bitcoin
20:01:32sipa:1 time in 100, a block would reorganize 100 blocks before it
20:01:43bsm117532:Ok what don't I understand then?
20:01:46gmaxwell:bsm117532: highest "work block" meaning if I make a block 2 with a lucky low roll I replace the chain? ... presumably this isn't what you mean.
20:01:58sipa:work is how much work was expected for that block
20:02:26sipa:it's 2^256 / (highest acceptable block hash)
20:02:31brisque:if you went by lowest block, a miner could grind block 1 and randomly get a block that reorged the entire network down to one.
20:02:33sipa:not 2^256 / (actual block hash)
20:02:42gmaxwell:bsm117532: several things. The lowess of the block doesn't tell you the expected work. Rather, hashcash works by commiting to a target in advance and meeting it. If you use the 'apparent' work you end up with something that has huge variance and a mean 2x larger than reality.
20:02:55gmaxwell:lowest*
20:03:33gmaxwell:Then if you really did just mean the highest block, then you get what brisque said.. and otherwise you get the sand in place race of potentially forever +1 ing the prior block.
20:04:55bsm117532:I see what you're saying. This creates a reorg problem.
20:05:12bsm117532:The rule of taking the highest work block creates a reorg problem.
20:05:28sipa:you *could* commit to a difficulty, and have that difficulty be dependent on the time difference with the previous block
20:06:03sipa:but that would mean giving an attacker an advantage, as the amount of work for a block that you could would go down over time
20:06:11sipa:which means 'wasted' power
20:08:56bsm117532:So by "committing" to a difficulty, the network agrees to accept the first block matching that target. So forks only happen due to network communication latency when two solutions overlap. (no?)
20:09:12sipa:yes
20:09:16bsm117532:sipa: I think using the last 2 blocks is a better idea
20:09:23sipa:same thing
20:09:29sipa:just a bit harder
20:09:59woah:will energy consumption from mining on a network tend to increase in proportion to the price of the coin?
20:09:59jtimon:bsm117532 if price drops, hashrate drops and difficulty adjusts, I don't see what's the problem
20:10:53jtimon:if changes are too extreme you may want to hardfork to a different diff filter (at that point you can even hardcode a new current diff)
20:11:12bsm117532:jtimon: the concern is fast changes in hashrate.
20:11:20bsm117532:faster than difficulty adjustments.
20:11:33jtimon:you would change the diff filter
20:11:41gmaxwell:bsm117532: In bitcoin the first, valid, most sum difficulty (and difficulty is a commited value in the blocks) chain is the authoritative one from your nodes perspective. (just in case there was any lack of clarity in what bitcoin does)
20:12:03gmaxwell:bsm117532: any change to make the system adapt faster creates isolation vulnerabilties. (perhaps small ones)
20:12:32sipa:every valid chain is valid; if there are multiple valid chains, the one with the highest sum difficulty is chosen; if there are multiple valid ones with the same highest sum difficulty are chosen, the first _seen_ is chosen
20:12:44sipa:the first seen tip block, actually
20:12:58bsm117532:But difficulty is only adjusted every 2016 blocks, so increases in hash power result in shorter block times that last 2000 blocks long. No?
20:13:06sipa:yes
20:13:24jtimon:woah in perfect competition profits tend to zero, that means that the costs (energy and others) that miners are willing to incurr tend to equal the reward (subisdy + tx fees)
20:13:43sipa:bsm117532: there's always some deviation between the difficulty and the difficulty optimal for the actual hashrate
20:13:47gmaxwell:bsm117532: sure, and also means that an attacker must produce some multiple of 2016 blocks to create a bogus low diff chain to trick an isolated node.
20:13:58sipa:the problem is that the actual hashrate cannot be measured, only estimated with limited accuracy
20:14:07gmaxwell:blocks being a bit faster or slower is harmless (one reason why the target is 10 minutes)
20:14:33bsm117532:Do you know of any analysis for bitcoin's block time? Why not shorter/longer?
20:15:08sipa:it needs to be significantly longer than the time needed for a block to propagate through the network
20:15:14bsm117532:* bsm117532 kind of wants to create a 5s block time chain and make tons of forks, just to see what goes wrong and if it can be managed sensibly.
20:15:55sipa:that's just giving a massive advantage to a 51% attacker (who does not suffer for forks)
20:15:58gmaxwell:bsm117532: it was called liquid coin, and it broken into a thousand seperate networks which couldn't reach a consensus but just kept reorging forever.
20:15:59sipa:*from
20:16:03jtimon:and "the time needed for a block to propagate through the network" depends on the conectivity on the nodes you don't want to exclude from the network
20:16:07sipa:at best
20:16:11sipa:at worst, what gmaxwell says
20:17:00bsm117532:I wonder if block time itself could be dynamically adjusted based on the appearance of forks.
20:17:24brisque:no. you can't assume every client has even seen a side chain.
20:17:34nejucomo:sipa: Why does that give advantage to a 51% attacker? Shouldn't a recipient base their acceptance of a transaction on the total cost behind verifying a transaction (which is independent of block time, barring fork/join overhead)?
20:17:47brisque:how can you prove to me that the consensus rule is now altered based on information I can't verify?
20:18:08bsm117532:brisque: Is different nodes having different block times a problem?
20:19:04nejucomo:My threshold for acceptance should be "1 hour of Bitcoin mining hashpower" rather than "N blocks" thereof, right?
20:19:16nejucomo:-or some product of time and difficulty.
20:19:36nejucomo:Blocks are easy to count, I suppose.
20:19:46sipa:and hashrate is hard to meaure
20:21:23Adohgg:Adohgg is now known as twobltbot
20:21:34twobltbot:twobltbot is now known as Adohgg
20:23:31gmaxwell:bsm117532: it's possible to do closed loop control of time base on forks but it likely has very very bad incentives.
20:23:45gmaxwell:(amiller originally proposed this back in 2011 or 2012 I think)
20:24:10bsm117532:Let me put this another way: the hash distribution probability is uniform. I want to filter this probability distribution through a sigmoid function for the purpose of (a) rapidly adjusting to changes in hash rate and (b) centralizing the sigmoid about the desired block time, to achieve more consistent block time.
20:24:25gmaxwell:the problem is, then, of course the optimal strategy is for most of the miners to colocate in a single data center and no one more than a few milisconds distance from them can mine at all. :)
20:24:48bsm117532:gmaxwell: I see
20:25:09bsm117532:Perhaps there's a better way to implement what I want here.
20:25:39gmaxwell:bsm117532: This doesn't sound useful... no one cares if the time is that consistent, and to the extent that consistency is important... thats a controls systems question,-- which is its own area of engineering, which I promise almost never involves sticking a hoking infinitely non-linear function in the middle. :)
20:26:37bsm117532:Well I care...waiting an hour for confirmation is painful and I'd like it to push it as short as possible, in the long run... ;-)
20:27:46tromp:then you'll be happy to use Ethereum with its 12s block interval
20:28:13bsm117532:Maybe. If they can keep that.
20:28:52dgenr8:bsm117532: see nimblecoin. 5s blocktime simulation amongst others
20:30:24bsm117532:dgenr8: thanks!!!
20:30:36gmaxwell:bsm117532: so, you can trivially have 100ms confirmation, just use a centeralized signer. Done.
20:30:43tromp:surprisingly no coin has ever picked a block interval larger than 10min?!
20:31:29brisque:because that doesn't sell well.
20:31:31bsm117532:tromp: have you ever developed a system and had to wait hours to see if your code worked? My eyeballs don't need any more forks in them.
20:31:34tromp:for many uses, a one day wait for 6 confirmations would be ok
20:31:42gmaxwell:Don't defraud people by building a design that will natrually become the same trust model as the centeralized signer (because physics prevent you from mining more than a short distance from a single place in the universe), but obfsucate the trust model with a lot of overhead and inefficiency.
20:32:23tromp:bsm117532: testing can easily be done on accelerated time
20:32:43gmaxwell:tromp: 95% of the people working on altcoins don't have any clue what the time between blocks for is for at all. Some totally idiotic attempts have just replaced the timing with a fixed N minute timer.
20:32:52bsm117532:tromp: attacks only happen on non-accelerated time.
20:33:07bsm117532:gmaxwell: I've been wondering about that...
20:33:10jtimon:actually some systems do care more about block times than others, like freicoin where the demurrage depends on block counts (or another system using the same mechanism for itnerests)
20:34:35jtimon:but IMO "fastcoins" are stupid, they are "the coins that produces orphan blocks faster!!"
20:34:43tromp:a 4 hour block interval would allow for some seriously memory hard pow
20:34:46gmaxwell:bsm117532: there are completely seperate mechenisms that can be used for very fast confirmations which don't present these tradeoffs.
20:35:13bsm117532:gmaxwell: Yes, I need to read more about them.
20:35:30lmatteis:hello. i know this is a rather biased question given this is a bitcoin channel, but i was wondering what is the most interesting alt-coin to study/follow purely based on technical/innovative perspective
20:35:32bsm117532:gmaxwell: Also still waiting for sidechain implementations to appear from the vapor...
20:35:40dgenr8:gmaxwell: quite agreed
20:35:42gmaxwell:tromp: yes, longer times could be justified. Though it's actually good for the network as a whole to have some progress, so that an attacker actually has to race. (progress just has to be so limited so that single large miners don't enjoy an advantage mining selfishly)
20:35:58brisque:tromp: doesn't all this get into issues with not being progress-free?
20:36:06gmaxwell:brisque: opposite!
20:36:08brisque:er gmaxwell beat me to it.
20:36:12brisque:and I got it wrong.
20:37:13gmaxwell:haha.. four hour progress free blocks are fine, but they potentially have less security than .. say.. 10 minute blocks. Because the network making some progress also works against the attacker. (e.g. the network has the 'progress' gain)
20:37:24tromp:well, you have to view progess freeness as relative to those 4 hours, and consider a 5 min proof attempt to still be "fast" enough
20:37:30gmaxwell:er less security than waiting for 24 10 minute blocks.
20:37:53gmaxwell:ah, I see the point you're making is that you can make attempts slower but still effectively progress free.
20:38:29jtimon:bs117532 aren't 0 confirmation txs better than fast confirmations? here's an explanation (not my idea) http://sourceforge.net/p/bitcoin/mailman/message/32263765/
20:38:37tromp:the point is that the block interval should allow a few dozen proof attempts
20:38:43gmaxwell:I agree. (#include )
20:39:19dgenr8:gmaxwell: do you have a reference making a case for not-progress-free?
20:39:32brisque:isn't the problem with not being progress-free that the fastest clocked has a significant advantage?
20:39:48jtimon:Imatteis I'm biased but IMO freicoin is by far the most intersting altcoin ;)
20:40:02tromp:i like the idea of a pow requiring > 8GB as making it essentially botnet and GPU esistant
20:40:26brisque:today.
20:40:38brisque:today GPUs have 4GB of memory, what about next year?
20:40:41tromp:but that defininitely requires a very large block interval time
20:41:17tromp:the pow can scale in size over time, just like difficulty is scaled now
20:42:07brisque:that doesn't sound smart, doesn't that mean that with enough hardware you could push most of the other miners out of being able to complete the PoW at all?
20:42:58tromp:no more easily than with current bitcoin pow
20:43:00bsm117532:Let me go back a page or two. Is there any problem with using the EWMA of recent PoW hashes to set the target difficulty, rather than recalculating every 2016 blocks? Is there any reason such a thing would be better (or worse)?
20:43:55nejucomo:bsm117532: Lowering the block time does not lower confirmation time for a given level of desired assurance.
20:43:59tromp:what's EWMA?
20:44:14brisque:tromp: no, today increasing the speed never means that an old miner can't mine. if increasing the speed increases the memory requirements, you get to the point where portions of the network can't mine at all anymore.
20:44:16bsm117532:EWMA = Exponentially Weighted Moving Average. Intended to respond to fast changes in hashrate.
20:44:26nejucomo:I suppose it does allow lower than 10-network-minute levels of assurance.
20:44:31brisque:oh god this is going into an altcoin now.
20:45:06jtimon:bsm117532 again, you need to focus on what problem you're trying to solve, is it accept transactions fast? is it high hashrate variance?
20:45:20bsm117532:jtimon: hashrate variance.
20:45:34tromp:brisque: that's right, portions like majority of botnets wont be able to mine at all
20:45:38bsm117532:Forget about fast block time for the moment.
20:45:49jtimon:then what's the problem with 10 min blocks?
20:45:51nejucomo:bsm117532: Imagine bitcoin had 1ms block times, the same mining infrastructure as today, and magical instantaneous block propagation. Now, what's the difference between waiting for "10 seconds of confirmation" versus just assuming the other party is not malicious?
20:45:59jtimon:ok
20:46:26nejucomo:The difference is 10 seconds worth of confirmation. How much is that worth?
20:46:45bsm117532:nejucomo: I give up, what's the difference?
20:46:53brisque:tromp: I don't see why that's of a concern. they can't mine today either.
20:47:15dgenr8:jtimon: yes, 0-conf is a rich area for exploration. satoshi called it a "version 2 problem" that "can be solved fairly
20:47:15dgenr8:satisfactorily for most applications"
20:47:40nejucomo:Let me try to ask another way: Suppose there are 10 second blocks and no forking issues. In what cases would you prefer a single 10 second block confirmation over 0 confirmations?
20:48:05bsm117532:nejucomo: Oh you're going after 0-conf (which is always better).
20:48:08nejucomo:(This is an honest question about use cases, not a rhetorical question.)
20:48:21bsm117532:If you can do 0-conf.
20:48:35nejucomo:I'm not familiar with 0-conf.
20:48:41bsm117532:Ok then you've lost me.
20:48:59tromp:brisque: so miners may have to add memory to their rig from time to time
20:49:01helo:nejucomo: the actual security you get from 10 seconds of hashing isn't very high
20:49:36nejucomo:I meant merely accepting the risk that the payer is double spending and waiting 0 seconds for confirmation, versus waiting 10 seconds for a single "fast block" confirmation.
20:49:41helo:so the risk of accepting a 1-conf is much higher
20:49:48nejucomo:In what use cases is each preferable?
20:50:21helo:10 seconds means people will (ab)use it for all kinds of little piddly stuff, and the blockchain will get bloated
20:50:49helo:think it is suitable to use for buying 3 meals each day etc
20:51:17nejucomo:helo: That's my intuition. My intuition is that for every case where a 10 second confirmation would be used, the risk of 0 seconds of trusting the sender is a worthwhile trade-off for much less technical complexity.
20:54:01nejucomo:The decision about how much verification to require before accepting a payment actually should consider all other transactions in the given block and recent previous blocks, actually, since those other transactions may represent a different amount of risk of rollbacks...
20:54:44nejucomo:ie: If I am receiving 1 bitcoin, but there's also a 1 million btc transfer in the same block, then the incentive to rollback that entire block is much different than if my transaction is alone in a block.
21:22:22bsm117532:I've been bouncing around an idea of securing a blockchain by transactions instead... half baked at this point, but I think there might be a way.
21:22:36bsm117532:Because on most markets the transaction volume is much greater than the assets of any participant.
21:23:08brisque:markets have nothing to do with the block chain
21:23:22brisque:and indeed the block chain has no WAY of knowing markets even exist.
21:23:55sipa:and the purpose of the chain is linearizing transactions
21:24:14sipa:using transactions instead implies you need some external serialization mechanism
21:26:07bsm117532:External transactions.
21:26:27bsm117532:Internal transactions is PoS and largely doesn't work. PoW uses external incentives, and I think that's part of why it works.
21:27:33bsm117532:The required transaction has to be of the form that it forces nodes to commit external resources to one fork or another (to solve the "nothing at stake" problem).
21:27:55bsm117532:But "external resources" doesn't have to be computational work. There are other external resources...
21:33:10waxwing:interesting question whether there are really other resources than energy. time doesn't count because it doesn't really exist :) space maybe. true that certain materials are very difficult to get from energy (nuclear reactions are troublesome).
21:37:11bsm117532:waxwing: IBM stock. Gasoline futures. Government T-bills. If you're willing to commit something with external valuation, it might work to achieve consensus.
21:37:43lechuga_:waxwing: think just energy :)
21:37:47waxwing:contracts don't count as a limited resource.
21:38:47lechuga_:i wonder if ghash.io will ever build a dyson sphere
21:40:46lechuga_:i should make a kickstarter
21:40:54lechuga_:or better yet a lighthouse project
21:41:21waxwing:saw something recently explaining why dyson spheres are basically physically impossible. obvious in retrospect but disappointing anyway :)
21:41:29lechuga_::/
21:41:41lechuga_:they said bitcoin was impossible too :)
22:15:38nejucomo:To the dyson sphere!
23:06:15digitalmagus7:digitalmagus7 is now known as digitalmagus8
23:38:29a5m0_:a5m0_ is now known as a5m0