01:56:50justanotheruser:justanotheruser is now known as TheFakeMaru525
01:58:06TheFakeMaru525:TheFakeMaru525 is now known as jnyBot
02:00:33jnyBot:jnyBot is now known as justanotheruser
08:05:16wolfe.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
08:05:16wolfe.freenode.net:Users on #bitcoin-wizards: andy-logbot maaku p15 wiretapped pen RoboTedd_ cbeams Guyver2 Grishnakh x48_ jaekwon1 mortale waxwing tromp_ ericp4 rdponticelli Ress jgarzik coinheavy [7] Dr-G2 shesek warren puszl justanotheruser fanquake atgreen vdo DougieBot5000 irc88___ tacotime rfreeman_w pi07r Adohgg K1773R spinza melvster Graftec_ grandmaster2 todays_tomorrow nuke1989 xmj lnovy Hunger- Sangheili gribble mkarrer Eliel drawingthesun HM gmaxwell amiller_ artifexd
08:05:16wolfe.freenode.net:Users on #bitcoin-wizards: digitalmagus crescendo LarsLarsen cfields btc_ kgk SDCDev livegnik jchp kanzure bobke iddo samson_ MRL-Relay arowser comboy Happzz copumpkin EasyAt wumpus [d__d] StephanYanev emsid dgenr8 coryfields go1111111 michagogo hollandais _2539 altoz zenojis mappum jrayhawk jbenet LaptopZZ optimator_ Meeh poggy_ Luke-Jr Emcy_ UukGoblin danneu catcow TD-Linux Guest50253 helo smooth otoburb gwillen ryan-c nickler_ mmozeiko roasbeef pajarillo sl01 Keefe
08:05:17wolfe.freenode.net:Users on #bitcoin-wizards: Dyaheon rs0_ Gnosis ahmed_ Muis Logicwax nanotube espes__ andytoshi so zibbo dansmith_btc epscy OneFixt Fistful_of_coins BlueMatt tromp wizkid057 a5m0 starsoccer midnightmagic berndj Graet kinlo [Derek] pigeons BrainOverfl0w lianj Apocalyptic Iriez mr_burdell fluffypony bbrittain SomeoneWeird forrestv Anduck Nightwolf Krellan BigBitz [\\\] Taek42 asoltys @ChanServ phedny petertodd burcin lechuga_ abc56889 Alanius Guest47516 throughnothing
08:05:17wolfe.freenode.net:Users on #bitcoin-wizards: CodeShark harrow DoctorBTC phantomcircuit nsh- sipa
08:05:27maaku:maaku is now known as Guest94326
09:39:03StephanYanev:StephanYanev is now known as MarekTerlecki
10:12:17hearn:fincen is researching ring signatures: http://www.coindesk.com/fincen-director-jennifer-shasky-calvery-full-interview-bitcoin/
10:12:19hearn:fascinating
10:12:51Emcy_:because it scares them?
10:13:28hearn:i didn't get that impression. more like, because it's a new technology and they have to keep up with developments in the space of money and privacy
10:13:40hearn:things that have little usage can't be all that scary
10:14:10Emcy_:i think the little usage is the important bit
10:14:19fluffypony:ring signatures aren't new :)
10:14:27Emcy_:feds seem pretty rattled about ios8 encryption for ex
10:14:38Emcy_:i just read they want congress to legislate it away
10:15:23fluffypony:they're going to have to accept the reality, that people will eventually generally become au fait with technology that is private by default, transparent optional
10:16:52Emcy_:when have they ever just accepted a situation that isnt going their preferred way
10:17:14fluffypony:true that
10:18:22Emcy_:especially some authority entity that is facing being obsoleted due to a new development......fights back more viciously than a cornered fox
10:18:45xmj:technology being "private by default, transparent optional" seems wishful thinking, sad as it is
10:19:00fluffypony:xmj - see: Monero :-P
10:19:04xmj:especially in a world with centralized, semi-government-approved certificate authorities
10:19:15hearn:heh
10:19:52fluffypony:if only Tox wasn't such a turd at the moment, that's the sort of thing that will tilt the ball
10:20:05hearn:if by "semi government approved" you mean "not shut down" then i guess any group of people with a recognisable name is "government approved"
10:20:48xmj:hearn: i mean 'institutions' like Verisign which exist through, and cooperate a lot with, government interference
10:21:04xmj:not like they've never forged / given away cert keys to teh feds.
10:21:10hearn:do you have evidence for that statement?
10:21:40Emcy_:fluffypony whats wrong with tox
10:21:55Emcy_:except that they seem intensely relaxed about metadata
10:22:13fluffypony:Emcy_: it's temperamental - sometimes a contact shows as offline (when they're on)
10:22:17xmj:hearn: i'm spinning reasonably plausible conspiracy theories
10:22:25fluffypony:and leaving it for a couple of hours doesn't fix that
10:22:25xmj:fluffypony: what's wrong with encrypted XMPP ?
10:22:43fluffypony:xmj: not terribly workable for the layman
10:22:55xmj:hm, jitsi makes that particularly easy
10:23:09fluffypony:xmj: you underestimate how incapable the layman is ;)
10:23:17Emcy_:fluffypony thats to be expected with p2p + onion routing the DHT table.....skype was like that before MS took over and started running it thru their datacenter to please the nsa
10:23:40hearn:xmj: there are enough problems that have evidence to worry about problems that don't, imo.
10:24:01fluffypony:Emcy_: yeah, which is why I said it's a turd at the moment, but it'll get there (hopefully) ;)
10:24:45Emcy_:well i hope they nut up about the metadata......they make out atm that just providing payload encryption is some revolutionary thing theyre doing
10:25:24fluffypony:wasn't there some dude with a couple of commits that threw a tantrum about that and stormed off, and then they basically said "errthingz ok, all his stuff was theoretical, and we'll fix it one day (tm)"
10:25:29Emcy_:they seemed to think that onion routing at the very least IMs wasnt feasible, which seems patently not true
10:26:24Emcy_:dunno there was some drama which is understandable seeing as it started on 4chan
10:26:55fluffypony:lol
10:27:04fluffypony:kids nowadayz
10:27:54xmj:fluffypony: commits...guy...what?
10:28:12fluffypony:xmj: no clue, I read about it briefly somewhere and then got bored and moved on with my life
10:31:47xmj:ok
10:32:17xmj:http://www.pcworld.com/article/239497/hackers_forge_certificates_to_break_into_spy_agencies.html
10:32:57Emcy_:gosh almighty i cant stand long quotations/interviews of people given verbatim........if you write exactly like how most people talk everyone sounds like a glib moron
10:33:04Emcy_:even this fincen guy
10:33:21xmj:that's because most people talk like the morons they are
10:33:23xmj:ahum.
10:33:35hearn:um, the head of fincen is a woman
10:33:54xmj:you're not disproving my point by bringing in their gender
10:33:58xmj:s/gender/sex/
10:34:12hearn:xmj: re: certs, that's not what you asserted, that's "company gets hacked" which is very different.
10:34:13nsh:(the gendered or otherwise usage of 'guy' is probably off-topic here)
10:34:46xmj:yeah
10:35:17xmj:hearn: if i had the snowden dox on my computer and a competent fulltextsearch tool and/or minion, i'm sure i could find what i was looking for :-)
10:36:02nsh:shortage in the competent fulltextsearch minion market atm :/
10:36:10hearn:well i assumed that too when the docs first leaked last year. i kept waiting for the slide shows about the compromised CA's.
10:36:24hearn:apparently either they don't exist or the journalists who were able to report on so much else somehow missed it
10:36:56hearn:it's rather surprising and counter-intuitive but it appears that (for now) the system is working as designed. or if there are compromises, they're so rare that they aren't worthy of mention in the NSA docs.
10:36:58nsh:it's not reasonable to assume snowden gained access to a representative sample of capabilities-implying documents, despite the breadth evinced
10:37:15Emcy_:the snowden stories are still ongoing
10:37:17nsh:a lot of what we now know is the result of fortuitous compartmentalization failures
10:37:21hearn:in the end it's not really surprising though. breaking SSL at the CA level is risky and noisy. hacking an endpoint is much better, and QUANTUM lets them do exactly that
10:37:30nsh:* nsh nods
10:37:33xmj:hearn: ok, i'll give you that
10:37:36hearn:the path of least resistance is browser exploits, not CA exploits.
10:37:58hearn:this may change in future if chrome continues to get harder to exploit, which seems likely. but it's hard to say.
10:38:41Emcy_:thats for targeted ops though
10:38:51Emcy_:doesnt help them break on mass
10:39:01Emcy_:en
10:39:16hearn:no, but neither would a CA breach. people would notice widespread use of forged certs almost immediately and at that point it's basically the same as saying "SSL is illegal"
10:39:18fluffypony:I think it's masse as well?
10:39:30fluffypony:yes - "en masse"
10:40:06Emcy_:fucking frenchy loan words....
10:40:10hearn:besides it wouldn't make much sense to break SSL that way, given how their infrastructure works. if they don't care about getting caught it'd be much better to just legally mandate back doored RNGs or similar.
10:42:18fluffypony:meh, plus it bleeds into "Bitcoin is vulnerable to quantum computing!" territory
10:42:41Emcy_:but they can just compel valid certs out of any CA within the US aegis
10:44:47Emcy_:so it doesnt necessarily have to be noticed
10:44:57hearn:yes, but only at high risk and cost. if the cert was discovered, the CA would be forced to provide an explanation by the browser makers, the intelligence target would find out, and if the CA couldn't give a good explanation a revocation plan would be put in place, ultimately ending that business.
10:45:10Emcy_:shit even cloudflare is in the sanctioned ssl MITM game now.....
10:45:12hearn:cert transparency is all about increasing the chance of discovering the certs
10:45:52Emcy_:youre right its high stakes
10:46:23Emcy_:and that swedish CA played the game and lost and died.....
10:46:37fluffypony:same as the crowd that moaned about Apple including .mil certs in iOS 8
10:46:54fluffypony:"they'll use it to MITM!" (like nobody would notice...)
10:47:29hearn:well that's the fun thing about decentralisation. if you're serious about it, you don't get to pick who takes part. i always find it entertaining that people simultaneously argue the PKI is centralised, yet there are too many CAs.
10:47:38Emcy_:also hearn whats to stop them sending red letters to the browser makers?
10:47:49hearn:"we need a decentralised system to stop the US government from issuing certs!", hmm that's not how decentralisation works :)
10:48:03hearn:ultimately nothing stops the USG and other governments simply banning strong crypto and they nearly did that in the 90s.
10:48:26hearn:but the chances of that happening can be significantly reduced by ensuring that the benefits to society strongly outweigh the costs, and by winning those arguments
10:48:37hearn:(at least in democracies, in theory, lots of handwaving etc)
10:48:39Emcy_:yes, they didnt but not because they realised it would be wrong to do so, they just changed tact
10:49:06hearn:well they realised that for all the hype strong crypto was not widely used and wasn't going to be anytime soon, so yes, the path of least resistance stopped being legislative change.
10:49:17Emcy_:yes
10:49:43hearn:in some star trek future where everyone is using bitcoin and tor and pgp for everything all the time, that balance would tip again of course and things like the clipper chip would come up again
10:50:13Emcy_:and now the kerfuffle about ios8.........played the paedo card almost immediately. Mumblings about congress taking care of it........
10:50:48Emcy_:if good crypto becomes the norm and the path of least resistance goes back to just banning the lot......
10:50:57hearn:it's a tightrope walk isn't it
10:51:17Emcy_:freedom usually is
10:52:04hearn:this is why i am interested in exploring these issues and the related tradeoffs. e.g. do we really want bitcoin to be as anonymous and private as possible? many say yes, but don't think through the potential consequences of that. sometimes there are interesting middle paths worth exploring too.
10:53:27Emcy_:do they really have the capability to ban bitcoin
10:53:30Emcy_:what would that look like
10:53:58hearn:look at china
10:55:45Emcy_:its funny because im reading a book right now that deals with the consequences of a ridiculously disruptive technology being released into the public domain (schematics for a personal unit that allows access to alternate realities of the many-worlds interpretation type), and how the US tries to maintain control in face of that.
10:56:54cbeams:Emcy_: what's the book?
10:56:57Emcy_:tldr they make a rule saying every chunk of land analogous to the borders of the US on every alternate earth out to infinity belongs to them
10:57:03Emcy_:its hilariously believable
10:57:39hearn:there's another fascinating book written by ( i think? ) arthur c clarke, about a world in which someone invents a machine that can do wide-area jamming of guns
10:57:55Emcy_:cbeams the long war, baxter and pratchett collab. Its good
10:58:22hearn:it's set in the USA and it's about the impact that has on american society, how the people who develop the tech end up being put in danger by the gun rights wing who try to kill them. sort of a sci-fi thriller.
10:58:28hearn:at least i think that's the summary :) i read it years ago
10:59:16Emcy_:i love how clarkes stuff doesnt really seem all that scifi anymore lol
10:59:40Emcy_:well some of it
10:59:40hearn:ah, "the trigger"
10:59:42nsh-:i prefer 'speculative-fiction' for clarke's. it was very good speculation :)
11:00:27hearn:ah yes. i forgot a key detail. the trigger doesn't jam guns, it makes them explode :)
11:00:50Emcy_:a book about glocks?
11:03:22Emcy_:hearn re: finding a balance for bitcoin to avoid getting ganked by the govt
11:04:11Emcy_:the flipside of that is avoiding implementing disruptive stuff in order to try and avoid some fuzzy line in the sand with them
11:04:20Emcy_:a form of self-censorship
11:04:25Emcy_:not ideal either
11:04:30nsh-:(it's quite hard to draw non-fuzzy lines in the sand)
11:04:47nsh-:(unless you use some kind of welding apparatus)
11:05:45hearn:Emcy_: well these things are ultimately explorations. nobody knows the future or what the exact tradeoffs will be for any new technology. nuclear power / manhattan project was a good example of that.
11:06:14hearn:different societies reached different conclusions about nuclear power. but it's good to know how to do it, even if ultimately some people decide not to allow it/use it
11:06:42hearn:i don't think we should avoid researching ways to make bitcoin's privacy better, far from it. we should always push forward the boundaries of knowledge.
11:07:11hearn:but that doesn't mean such things should always be deployed just because they exist. the tradeoffs have to be considered. they'll be different in different places.
11:07:15Emcy_:nuke power is a good example of a technology that never reached anywhere close to its breathtaking potential due to vague threats of certain doom and often outright fud
11:07:59hearn:well, different countries took different paths there. e.g. France has lots of nuclear power plants. germany *did* and then merkel panicked and shut them down.
11:08:13Emcy_:it might still reach it yet, but centuries behind schedule due to people being dumb, what a shame.........and what a shame for bitcoin if the same happens
11:08:18hearn:the UK did its usual middling sort of noncommittal thing and now buys lots of power from the french :)
11:08:56Emcy_:yes
11:09:10nsh-:and lets the French build new power stations which the French (government) will profit from
11:09:18Emcy_:france is doing pretty well out of it right, and not swimming in nuclear doom.
11:09:22hearn:i don't think you can write off all anti-nuclear positions as just dumbness. i happen to support nuclear power too but it's unarguable that there are commercial downsides, e.g. often not feasible without government subsidies, sometimes plants have to shut down in summer because there's not enough cold water, all kinds of things.
11:09:35hearn:cleanup is a big fat question mark, still
11:10:10hearn:anyway that's kind of OT for here. suffice it to say, lots of places considered these tradeoffs and struck the balance in different places. it'll be the same for bitcoin and cryptocurrencies in general
11:10:25hearn:some countries have more tolerance for financial privacy than others, e.g. compare switzerland vs usa
11:10:49hearn:or usa vs china :)
11:10:54Emcy_:not directly comparable since bitcoin is a singular global instance of the technology
11:11:28Emcy_:so yes refusing bitcoin would look a lot like how china refuses lots of internet services
11:13:02Emcy_:theres also the aspect that if bitcoin wont do certain things perhaps it gets supplanted by coins that will
11:13:21hearn:bitcoin has a lot of momentum at this point, but in the long run, maybe yes
11:14:40hearn:again i suspect it'll be somewhat regional. it's sort of unfashionable to say that because we like to think the internet makes everything global, but different parts of the world still manage to differ in how they use technology
11:14:53Emcy_:dunno about momentum to that extent......i dont think 2014 has been the breakout year everyone thought it would be...
11:14:58hearn:so maybe some alt coins are better adapted to local needs and take over from bitcoin there, in other places, bitcoin would stick around
11:15:22hearn:no well bitcoin is likely to end up in a "year of the linux desktop" type loop unless we find ways to make it dramatically more compelling for people
11:15:31Emcy_:haha yes
11:19:30xmj:hrm
11:19:40xmj:what's a good place to get actual bitcoin/USD rates?
11:19:44xmj:(these days)
11:27:29nsh-:they stream in #bitcoin-market from several exchanges
11:28:49Emcy_:ey probably stupid question......but assuming there are lots of programming sitting on your ass for long periods types in here, are there any recommendations for good ergonomic computer chairs
11:29:31Emcy_:especially if there exists a type with a long cutout for the spine, so that there is zero pressure on your spine whatsoever (pressure on my spine seems to cause migraine)
11:30:02Emcy_:sort of like the captains chair in STTNG
11:44:44Dr-G2:Dr-G2 is now known as Dr-G
12:03:01sl01:hearn: i remember a talk where moxie said a middle eastern state essentially admitted to him they could forge certs
12:06:15hearn:could be! i'm not saying "no government has ever court ordered a CA to provide a cert", that'd be surprising if true. just that snowden provided no evidence that this behaviour is widespread inside the NSA or GCHQ. for other governments all bets are off.
12:06:34hearn:e.g. the French government CA was name constrained to .fr by Chrome due to some rule violations by it, i think
12:07:01hearn:cert transparency will probably be interesting for flushing this stuff out, but it will take years
12:07:28Emcy_:what exactly is that
12:07:31Emcy_:is it pinning
12:07:43hearn:no. it's a google initiative to force CA's to publish all certs they issue.
12:07:57hearn:has a neat blockchain-like technology at its core. certificates have to come with a short proof that they were entered into a log.
12:08:07Emcy_:o rly
12:08:13hearn:eventually the plan is that browsers (chrome at least) will start refusing or ignoring certs that don't contain such a proof.
12:08:29hearn:then the logs can be monitored or mined to detect mis-issuance
12:08:58hearn:e.g. if we see a cert for bitcoin.org appear issued by a CA is Saudi Arabia, some automated scripts can go "bzz warning, check this out" and an investigation can take place.
12:09:06hearn:CA *in* Saudi Arabia.
12:09:15hearn:it can also be used to detect certs issued for phishing sites.
12:09:29Emcy_:sounds a bit like pinning but better
12:09:44hearn:it's not pinning. you can still switch CA's at will.
12:09:57Emcy_:in terms of outcome i mean
12:10:00hearn:it's basically a way to improve the auditing of CA's to ensure they're following the rules.
12:10:10hearn:well sure, the outcome should be a better, more trustworthy ecosystem
12:10:12Emcy_:is there further reading for the "blockchain like" bit
12:11:55hearn:http://www.certificate-transparency.org/
12:11:59hearn:ironically, does not support SSL
12:12:15hearn:(the website i mean. obviously ct does)
12:13:48Emcy_:google coming out with things like this throws a spanner in my view of their intentions
12:14:05Emcy_:and that end to end thing (if it works)
13:29:29lenovo:hi
13:40:52lenovo:hi
13:53:02lenovo:lenovo has left #bitcoin-wizards
13:56:05x48_:x48_ is now known as x48
14:11:34tromp:in ECC it's assumed to be infeasible to compute scalar d given points G and P where P=dG
14:11:44tromp:is it also infeasible to compute G given d and P?
14:12:25tromp:i.e. taking d-th roots
14:16:48Happzz:what is this channel about?
14:20:26tromp:bitcoin related crypto research
14:21:09MRL-Relay:[sarang] Are you assuming that G is no longer public?
14:21:19MRL-Relay:[sarang] In existing currencies, G is fixed and public
14:23:13zooko:Hi, tromp.
14:23:30tromp:hi zooko
14:24:09tromp:in my question G is obviously not public
14:27:03justanotheruser:justanotheruser is now known as bakaseki
14:27:13bakaseki:bakaseki is now known as justanotheruser
14:30:11MRL-Relay:[sarang] To my knowledge, that has not been well-studied for crypto purposes
14:30:56MRL-Relay:[shen] tromp, you compute the inverse of d in the finite field
14:31:13MRL-Relay:[shen] multiply times dG
14:31:16MRL-Relay:[shen] get G
14:31:32MRL-Relay:[shen] but yeah as sarang said, not really crypto purposes
14:33:20tromp:ah yes; thanks, MRL-Relay
14:34:25MRL-Relay:[sarang] should maybe be added that the inverse computation is not only possible, it's _trivial_
14:48:50Taek42:what's with the [different names]? Is MRL a team of people? A tulpamancer?
14:51:05andytoshi:MRL is "monero labs"
14:51:53fluffypony:Taek42: Monero Research Lab - on a separate network, hence the relay, so the [name] after the relay is the person who's actually talking on that side
14:52:00ielo:ielo has left #bitcoin-wizards
14:52:17Taek42:oh that's pretty cool
14:52:21Taek42:thanks
14:54:29MRL-Relay:andytoshi joined.
15:25:19amiller_:ok thinking out loud again
15:25:51amiller_:privacy is an ecological concern, it's unfortunately the case that individual users don't feel much motivation to do the things that safeguard their own privacy
15:26:10amiller_:and that makes it harder for anyone who *does* want their privacy to do so
15:27:00amiller_:techniques like zerocoin and coinshuffle etc don't actually do any good if everyone just lets coinbase hold all their coins
15:28:26amiller_:so i'm motivated to find ways to actually *disincentivize* users from handing their keys to other (centralized) parties (or in general failing to obscure their transactions)
15:29:28amiller_:my approach is going to be similar to the kind of reasoning that leads to the nonoutsourceable puzzle design.
15:29:52andytoshi:hard to disincentivize past "coinbase has your keys and can physically take your money at any time and you have no ability to prevent this"
15:30:12amiller_:andytoshi, no not at all
15:31:17andytoshi:oh?
15:31:21amiller_:okay well yeah it's a little complicated because i don't think coinbase provides nearly as much as they *could* in the way of assurance
15:32:06amiller_:if coinbase just said your account was 1btc lower one day, it would be hard to prove you *didn't* make a valid request to change it
15:32:12amiller_:but, if you're paying attention, you'd know
15:32:25tacotime:amiller_: making privacy your default network protocol is usually a good way to go.
15:32:38amiller_:tacotime, agreed, but i'm hoping i can do better than that
15:33:02amiller_:andytoshi, i maintain it's possible to achieve something better..... namely that you wouldn't even *know* if coinbase took the money from you
15:33:14andytoshi:ooh ok
15:33:15zooko:amiller_: what if the units of the world are not humans, many of whom are delegating their powers to coinbase, but are entities like coinbase, circle, blockchain.info, etc.
15:33:24tacotime:one big problem with bitcoin too is that it's probably going to get pricy to maintain privacy with fees becoming more competitive. transacting on btc mainnet is getting a little costly.
15:33:27zooko:Let there be a world in which there are no humans, only a number of such companies/orgs/websites.
15:33:45jgarzik_:http://www.coindesk.com/fincen-director-villainize-bitcoin/
15:33:46zooko:Then, I argue that zerocoin makes privacy+fungibility for transactions between those entities.
15:33:47jgarzik_:"Calvery indicated that FinCEN is currently researching ring signatures, a cryptographic signature in which an action is attributed only to a group, and tumblers, a type of mixing service meant to hide where transactions originate."
15:33:47zooko::-)
15:34:06jgarzik_:Interesting that FinCEN is looking at ring signatures (== possibly evil)
15:34:09tacotime:jgarzik: yeah, i saw that this morning and groaned.
15:34:14amiller_:zooko, what's the difference between calling them humans vs companies, is your point that there are fewer of them, or that they're intrinsically different?
15:35:02fluffypony:tacotime: ring sign ALL of the things!
15:35:04tacotime:monero/the rest of cryptonote coins have fairly weak privacy right now, i'd hate to have to jump ship because of gov't whoevers declaring it evil because it's too much like cash.
15:35:23tacotime:it's only in the infancy of its development.
15:35:43zooko:amiller_: *tries to explain the point*
15:36:20amiller_:anyway my hope was that the motivation i laid out was at clear, regardless of whether everyone agrees with it.... i wanted to talk about my technical approach next, just to be clear the goal is to *incentivize* people to store their coins themselves and not use coinbase
15:36:40zooko:My point is this:
15:37:23zooko:1. There's a world of little circles. Each little circle is a human. This is World 1. Zooko says "We're going to make zerocoin so that the currency flowing between the circles has privacy and fungibility."
15:37:27amiller_:if someone has your keys, they can spend your coins, but if you know the public key, you can tell *when* it's spent and in many cases have an easy time proving it.
15:37:39amiller_:so what i'd like instead is if there's a way that someone who knows your key can *take* your coins without you even knowing
15:37:48tacotime:anyway, it's still possible to backport ring signatures onto bitcoin with some new op_codes too, and i don't think that in the future there's going to be any way to prevent people from adding privacy to bitcoin. it'll be a battle of pgp all over again, with the gov't eventually stubbornly realizing that their laws are second to the laws of mathematics.
15:38:10zooko:2. amiller_ says "No, almost all the little circles are delegating all of their secrets, vulnerability, etc. to a small number of orgs, so zerocoin won't have that effect."
15:38:17amiller_:there's a sort of inherent "what you don't know can't hurt you" problem, where if you are actually losing your coins, then either you have no idea how many coins you have generally (which would suck for a payment system) or it didn't affect you
15:38:36amiller_:so i think the solution i'm working towards is a lottery
15:39:15zooko:3. zooko says, okay, zoom out and draw a big circle around every set of little circles who've delegated their secrets to the same org as each other. Now there's World 2, where there are a smaller number of circles (now they are big circles, named coinbase, circle (aha!), blockchain.info, etc.), but my argument from step 1 applies to world 2 -- that zerocoin will make for privacy and fungibility of transactions between the circles.
15:39:20zooko:Am I making sense yet?
15:39:24amiller_:think of this as the proof-of-stake equivalent to the nonoutsourceable proof-of-work puzzle.... this doesn't have anything to do necessarily with using proof-of-stake to vote on block chains, but it does involve having a lottery whereby everyone with a coin is automatically entered into a lottery and they might win a reward just for being there
15:40:44amiller_:so, every so often there would be a lottery drawing, and one unit of 'coin' would win.... and only if you *know* the private key associated with that coin would you even be able to *tell* which coin wins
15:42:03andytoshi:tacotime: if we get sidechains, there will be a sidechain that supports ringsigs (and output blinding a la me and gmaxwell's idea)
15:42:22andytoshi:amiller_: is this lottery creating coins or is it some kind of mix?
15:42:37tacotime:andytoshi: ah, okay, neat. we're trying to backport 2-way peg into monero too.
15:42:38amiller_:andytoshi, it's not a mix, so lets just say it's creating coins
15:43:01amiller_:the idea is that if you are delegating your coins to someone else and you don't know the key
15:43:22amiller_:then you might win the lottery and not even be able to tell, but the person you're delegating the key to would be able to tell and could take the lottery winning for themselves
15:44:03Taek42:zooko I follow
15:44:28andytoshi:amiller_: ok, understood...how do normal transactions work?
15:44:50amiller_:andytoshi, normal transactions would presumably work same as in zerocoin
15:44:59andytoshi:ah, gotcha
15:45:15Taek42:zooko the problem is that the little circles don't know if the big circles are actually participating in full anonymity, and it's healthier for the little circles to have anonymity
15:45:38Taek42:but the little circles are lazy so they just accept a reduced overall health
15:45:44zooko:Yeah, the little circles are definitely giving up their privacy to the big circle of their choice.
15:46:15amiller_:zooko, i don't think we have a clear definition of fungibility here though, i think what you're saying is similar to letting people who use any large bank get 3% off when they use their rewards card, but everyone with cash has to pay a cash penalty
15:46:33amiller_:so it's fungible as long as you are a member of one of the big circles, but everyone who wishes to be outside a circle is punished
15:46:51amiller_:so i wouldn't call that fungibility
15:46:57zooko:You don't seem to be embracing my redefinition of the world to world 2 in which there are no humans.
15:47:23amiller_:hm, maybe not
15:47:29zooko:I'm arguing that fungibility does exist between the big circles in world 2, if that world uses zerocoin.
15:47:31Happzz:what is this channel about?
15:47:32amiller_:a human is just a tiny corporation though
15:47:44zooko:And I'm agreeing that it doesn't exist between the small circles in world 2, even if that world uses zerocoin.
15:47:59amiller_:zooko, are you assuming that all of the big circles use the protocol correctly and don't share information between themselves
15:48:08amiller_:like 4 of the 5 circles don't bully the 5th?
15:48:09amiller_:brb
15:48:15zooko:amiller_: yeah! There are a few of those small circles who choose to go it alone and connect straight to the zerocoin backbone instead of delegating to coinbase.
15:48:32Taek42:amiller_ what motivation would my grandma have for using a coin that she must take care of? Why wouldn't she just prefer to use Bitcoin+Coinbase, which is easier?
15:48:40zooko:Sorry, I have to go. :-( Hope to do this again with you soon.
15:52:04Taek42:I think that fundamentally, people would much rather store their own coins than give their coins to a bank, all else equal. But the bank gives you interest, gives you insurance, and overall the bank knows how to handle money better than you do.
15:52:12Taek42:So people choose the bank.
15:53:08Taek42:I don't think any sort of coin is going to stand a chance with the general public unless it's easier to use and more rewarding to use and less risky to use than the current situation
15:53:45Taek42:lol. The "null" monetary system.
16:01:45amiller_:zooko, right so in this world you described, my concern is that the big circles will deviate from the zerocoin protocol, and for all of their transactions they will *deanonymize* themselves to prove that their transactions have stayed only between themselves
16:02:30amiller_:that 5th circle who uses the zerocoin backbone directly will be unable to participate in that deanonymization scheme, and it (or its users/members/constituents) will suffer a penalty
16:13:15Taek42:amiller_ what penalty do they suffer from by being apart from the deanonymization scheme?
16:36:30berndj-blackout:berndj-blackout is now known as berndj
17:20:27EasyAt_:EasyAt_ is now known as EasyAt
17:30:17Eliel:Taek42: whatever penalty the others choose to impose I'd guess.
17:31:29zooko:zooko has left #bitcoin-wizards
19:42:32Starduster_:Starduster_ is now known as Starduster
20:02:36fluffypony:t
20:33:29rdponticelli:*What
22:08:35dgenr8:amiller_: for your lottery would you just select unspent scriptpubkeys randomly and pay to them? proportional to utxo value?
22:09:13amiller_:dgenr8, yes i think so
22:09:24dgenr8:amiller_: i had the lottery idea while trying to think of a way for investors to incent others to allocate wealth to bitcoin.
22:09:29dgenr8:amiller_: it didn't occur to me that it would also incent them to hold the keys themselves.
22:09:44dgenr8:amiller_: are you actually doing it? because this is one of those eminently doable ideas. the worst that could happen is nobody pitches in any funds.
22:10:00amiller_:well that on its own wouldn't solve the problem at all
22:10:08amiller_:this is similar to the whole nonoutsourceable reasoning
22:10:25amiller_:because someone who holds your coins for you like coinbase can still just promise to give you the reward if you win
22:11:30amiller_:and if it's clear which pubkey receives the reward, then it would be really easy for BitcoinBank to prove that you'd be able to sue them if the coins they're claiming to hold for you win and they took them
22:12:15dgenr8:amiller: the bigger it got, the more you would start to expect a given dividend level and think something was amiss if you didn't
22:12:39amiller_:dgenr8, right well that's assuming the lottery is pretty frequent
22:12:51amiller_:dgenr8, if the lottery were very high variance
22:13:21amiller_:if BitcoinBank passes on the risk to its customers, then it wouldn't be able to prove it isn't skimming off the top and getting lucky
22:13:37amiller_:on the other hand if it promises to absorb all the risk, then if it has a dry spell it could be really unlucky
22:16:18dgenr8:amiller_: i don't follow why it would be easy for me to know BitcoinBank's winnings
22:17:56amiller_:you deposit 10 btc in BitcoinBank. BitcoinBank signs a message saying that it is holding your 10btc in an address with public key K1.
22:18:02amiller_:if public key K1 wins, then that winning is yours
22:18:31dgenr8:amiller_: ok, that's not what you wrote. you meant something more like a wall st firm "promising" to have a chinese wall between analysts and advisors
22:18:34amiller_:they have the key, they can spend it, but they won't do so unless they have like, password logs or whatever else i dunno they can use to cover-their-ass if you try to complain that they spent it unauthorized
22:19:32amiller_:part of what makes "promises" like that credible is that there would be a lot of paper trail if they tried to *actually* steal the winnings, so my design goal is to make it so that there would be no paper trail and they'd have an easier time getting away with it
22:20:53dgenr8:there's a lot of effort going into that kind of thing and i'm not encouraged by ETFs etc. propensity to prove reserves. so that works in your favor
22:28:22kanzure_:kanzure_ is now known as kanzure