00:40:03 nsh: gmaxwell, have you looked into https://github.com/EricssonResearch/bowser -- http://www.ericsson.com/research-blog/context-aware-communication/bowser-openwebrtc-released-open-source/
00:41:32 nsh: or openwebrtc, rather
00:58:15 gmaxwell: firefox and chrome use the same codebase for the low levels of the webrtc stack. The obvious thing to do is use the same code.. it's just a rather large amount of code (several times bitcoin core in total)
02:38:09 kanzure: there should be a byzantine fault tolerance concept but for incentive faults
02:39:52 amiller_: kanzure, Byzantine-Altruistic-Rational is probably pretty good.
02:40:09 amiller_: but actually i still think it's missing something
02:40:22 amiller_: because it's based on this style of assuming there are fixed minimum proportions
02:40:44 amiller_: also i'm really starting to hate the words "rational" and "altruistic/honest" in these contexts
02:40:50 kanzure: me too :)
02:40:55 amiller_: because "honesty" and "altruism" are personality characteristics...
02:41:03 amiller_: whereas in this context, they mean "unconditionally protocol-following"
02:41:19 amiller_: even an "honest" person isn't going to blindly follow your stupid protocol if it has doomed incentives etc
02:41:24 kanzure: i appreciate the general concept behind "alright let's just assume everyone is attacking everyone else constantly, and move forward from there"
02:41:29 moa: welcome to economics
02:41:36 amiller_: also rational is hella overloaded....
02:41:48 amiller_: it really describes an awfully narrow set of decision principles
02:42:12 amiller_: because it got there first and squatted on it, it is the *definition* of rationality, the word rationality used in economics *refers* to this model
02:42:16 moa: "behavioral" economics
02:42:50 amiller_: even though that kind of rationality is refuted as a descriptive model of human behavior in almost every setting...
02:43:17 amiller_: and while it can still exist as a "prescriptive" notion of how an ideal person or computing process *should* decide on things, that's not a scientific thought, there's no justification for that
02:44:57 moa: time to break out the Popper and re-examine your premises ... or beyond there lie the dragons of pseudo-science
02:45:25 moa: and madness obviously
02:45:39 amiller_: so now i can't use the word "rational" in the broader ordinary sense, meaning "reasonable" or "well thought out" or etc.
02:45:42 amiller_: to mean anything else
02:46:30 moa: well rational in mathematics is well-defined
02:46:40 moa: 4/5 is a rational number, pi is not
02:46:45 kanzure: ugh go away
02:48:27 moa: you have a better definition?
02:48:31 kanzure: amiller_: what about something like http://diyhpl.us/~bryan/papers2/incentives/Rational%20protocol%20design:%20Cryptography%20against%20incentive-driven%20adversaries.pdf
02:50:20 amiller_: kanzure, i think something like that is really promising
02:50:39 amiller_: i like that approach of modeling things in cryptography with the use of ideal functionalities rather than ad hoc properties because it leads to much better composition
02:51:06 kanzure: some of their motivations for their proposal are a little suspicious ("game theoretic models are too secure"?) but..
02:51:07 amiller_: the thing i don't think i like about the particular examples in that paper is that you have to make really pretty precise assumptions about utility functions
02:51:24 kanzure: "overly pessimistic" was the term they used for game thereotic models
02:51:28 amiller_: yeah, i agree.
02:51:35 amiller_: this is like one of those pervasive ear-worm mistakes
02:51:51 amiller_: i can explain exactly what went wrong and what the narrative is....
02:52:10 amiller_: modern crypto is pretty expensive, like snarks and MPC and stuff
02:52:55 amiller_: there's also this thing where you have to add many extra layers to your crypto protocol in order to get the simulator-based proof to work out, even though some of those steps seem superfluous and intuitively don't add security (they seem to be there to satisfy quirks of the model and might not be necessary, but we don't know how to get proofs to work otherwise)
02:53:43 amiller_: anyway, the idea of "rational cryptography" seems like a great productive direction because instead of defending against an arbitrary malicious byzantine attacker, you can just try to make it unprofitable for an attacker
02:53:52 amiller_: therefore you might get away with a weaker and *cheaper* protocol....
02:54:00 moa: approximability is where the rubber meets the road with this stuff
02:54:05 amiller_: this isn't awful, but i think it's misled because:
02:54:29 amiller_: a) the reason these things aren't used anywhere is because of *too strong PKI assumptions* and not just because they're not super fast enough
02:54:42 amiller_: some of the effort of cryptographers is premature overoptimisation in this regard
02:55:26 amiller_: hence in bitcoin, by using simple stuff and doing away with the pki assumption, something actually *interesting* has caught on and is starting some kind of revolution, and bitcoin may easily be the place where snarks and mpc are first widely used.
02:55:51 amiller_: b) instead of using "rational" as an excuse to look at *weaker* assumptions.... in other words going from Byzantine-Altruistic to Rational-Altruistic....
02:56:11 kanzure: in some cases playing by different rules (=~ possibly malicious behavior) ends up with a solution like "well, then it's not bitcoin anymore" which is not a usual mode of attack i'm familiar with seeing in literature heh
02:56:32 kanzure: *usual solution i'm familiar with
02:56:39 amiller_: what they should really look at is using rational to make *weaker* assumptions (i just realized i meant *strong* in the line above, weaker assumptions means more difficult model)... is Byzantine-Rational
02:56:55 amiller_: meaning, even the "honest" people aren't going to participate in your protocol if it's not in their best interests to do so
02:59:47 kanzure: heh the only paper that cites that one is about bitcoin too http://www.ieee-security.org/TC/SP2014/papers/SecureMultipartyComputationsonBitcoin.pdf
03:01:52 amiller_: iirc. they say something like "maybe in the future we'll try formalizing our shit using one of those rational cryptography papers"
03:14:29 kanzure: here's something from the game theory angle (k-indistinguishability and k-stability) http://www.cs.utexas.edu/users/lorenzo/papers/Wong13What.pdf
03:17:21 gmaxwell: more crazy perhaps is the notion that if you've entered a state outside of your protocol's promises, altruistic players may break protocol to make it 'work'
03:23:42 kanzure: *theoretic (i knew there was something wrong with my spelling)
05:24:44 amiller_: amiller_ is now known as amiller
21:58:49 nsh: can you deterministically have a curve-point revealed only at the valid, mined spending of a (timelocked and/or multisig) input?
21:59:28 gmaxwell: what exactly do you mean by 'mined' there?
21:59:50 nsh: the input is spent in a valid block
22:00:02 nsh: probably doesn't matter if it's revealed by the valid transaction input without being mined
22:00:53 nsh: (musing about fund-tying-incentivized curve-point secret-sharing timelock encryption handwaveyness)
22:02:04 nsh: if you can have a point revealed by some transaction that it makes the most economic sense for people to collaboratively unlock at a particular block depth
22:02:23 nsh: then you can encrypt input with something that point renders factorable or otherwise inferable
22:03:19 nsh: then we can have fine-grained timelock modulo the escrow penalty of premature disclosure
23:00:45 andytoshi: nsh: do you want the curve-point to be revealed or its DL?
23:00:51 andytoshi: discrete log / secret key
23:03:12 andytoshi: i have some vague ideas about the "collaborative reveal" part, nothing about incentivizing everyone to reveal at a certain point....though if you spend to a "reveal to spend" output with a timelocked tx in a demurring sidechain that might do it
23:06:51 nsh: i guess the seckey for a point. then you can encrypt stuff or publish the point/pubkey for other people to encrypt for the same reveal time
23:09:05 nsh: i suspect you can set up locked fund transactions that allow punishment of anyone attempting to collaborate prematurely up until some window before the legitimate reveal time
23:10:40 nsh: so if the legit transaction requires A, B, and C to all sign, then if A approaches B or C earlier and discloses their secret, then B or C can spend a transaction which punishes A
23:13:45 kanzure: would that punishment just be a penalty
23:14:09 nsh: forfeit of funds, aye
23:14:09 kanzure: because the alternative seems a little useless (why punish them if they are legitimately meeting the transaction's requirements)
23:14:49 nsh: right, if they all come together and send the correct transaction (that reveals the timelock key) then they get their funds back and whatever costs
23:16:07 nsh: forfeit mechanism is to prevent (disincentivize) premature consolidation of the secrets