00:40:03 | nsh: | gmaxwell, have you looked into https://github.com/EricssonResearch/bowser -- http://www.ericsson.com/research-blog/context-aware-communication/bowser-openwebrtc-released-open-source/ |
00:40:06 | nsh: | ? |
00:41:32 | nsh: | or openwebrtc, rather |
00:58:15 | gmaxwell: | firefox and chrome use the same codebase for the low levels of the webrtc stack. The obvious thing to do is use the same code.. it's just a rather large amount of code (several times bitcoin core in total) |
01:14:00 | Burrito: | Burrito has left #bitcoin-wizards |
02:38:09 | kanzure: | there should be a byzantine fault tolerance concept but for incentive faults |
02:39:52 | amiller_: | kanzure, Byzantine-Altruistic-Rational is probably pretty good. |
02:40:09 | amiller_: | but actually i still think it's missing something |
02:40:22 | amiller_: | because it's based on this style of assuming there are fixed minimum proportions |
02:40:44 | amiller_: | also i'm really starting to hate the words "rational" and "altruistic/honest" in these contexts |
02:40:50 | kanzure: | me too :) |
02:40:55 | amiller_: | because "honesty" and "altruism" are personality characteristics... |
02:41:03 | amiller_: | whereas in this context, they mean "unconditionally protocol-following" |
02:41:19 | amiller_: | even an "honest" person isn't going to blindly follow your stupid protocol if it has doomed incentives etc |
02:41:24 | kanzure: | i appreciate the general concept behind "alright let's just assume everyone is attacking everyone else constantly, and move forward from there" |
02:41:29 | moa: | welcome to economics |
02:41:36 | amiller_: | also rational is hella overloaded.... |
02:41:48 | amiller_: | it really describes an awfully narrow set of decision principles |
02:42:12 | amiller_: | because it got there first and squatted on it, it is the *definition* of rationality, the word rationality used in economics *refers* to this model |
02:42:16 | moa: | "behavioral" economics |
02:42:50 | amiller_: | even though that kind of rationality is refuted as a descriptive model of human behavior in almost every setting... |
02:43:17 | amiller_: | and while it can still exist as a "prescriptive" notion of how an ideal person or computing process *should* decide on things, that's not a scientific thought, there's no justification for that |
02:44:57 | moa: | time to break out the Popper and re-examine your premises ... or beyond there lie the dragons of pseudo-science |
02:45:25 | moa: | and madness obviously |
02:45:39 | amiller_: | so now i can't use the word "rational" in the broader ordinary sense, meaning "reasonable" or "well thought out" or etc. |
02:45:42 | amiller_: | to mean anything else |
02:46:30 | moa: | well rational in mathematics is well-defined |
02:46:40 | moa: | 4/5 is a rational number, pi is not |
02:46:45 | kanzure: | ugh go away |
02:48:27 | moa: | you have a better definition? |
02:48:31 | kanzure: | amiller_: what about something like http://diyhpl.us/~bryan/papers2/incentives/Rational%20protocol%20design:%20Cryptography%20against%20incentive-driven%20adversaries.pdf |
02:50:20 | amiller_: | kanzure, i think something like that is really promising |
02:50:39 | amiller_: | i like that approach of modeling things in cryptography with the use of ideal functionalities rather than ad hoc properties because it leads to much better composition |
02:51:06 | kanzure: | some of their motivations for their proposal are a little suspicious ("game theoretic models are too secure"?) but.. |
02:51:07 | amiller_: | the thing i don't think i like about the particular examples in that paper are that you have to make really pretty precise assumptions about utility functions |
02:51:24 | kanzure: | "overly pessimistic" was the term they used for game thereotic models |
02:51:28 | amiller_: | yeah, i agree. |
02:51:35 | amiller_: | this is like one of those pervasive ear-worm mistakes |
02:51:51 | amiller_: | i can explain exactly what went wrong and what the narrative is.... |
02:52:10 | amiller_: | modern crypto is pretty expensive, like snarks and MPC and stuff |
02:52:55 | amiller_: | there's also this thing where you have to add many extra layers to your crypto protocol in order to get the simulator-based proof to work out, even though some of those steps seem superfluous and intuitively don't add security (they seem to be there to satisfy quirks of the model and might not be necessary but don't know how to get proofs to work otherwise) |
02:53:43 | amiller_: | anyway, the idea of "rational cryptography" seems like a great productive direction because instead of defending against an arbitrary malicious byzantine attacker, you can just try to make it unprofitable for an attacker |
02:53:52 | amiller_: | therefore you might get away with a weaker and *cheaper* protocol.... |
02:54:00 | moa: | approximability is where the rubber meets the road with this stuff |
02:54:05 | amiller_: | this isn't awful, but i think it's misled because: |
02:54:29 | amiller_: | a) the reason these things aren't used anywhere is because of *too strong PKI assumptions* and not just because they're not super fast enough |
02:54:42 | amiller_: | some of the effort of cryptographers is premature overoptimisation in this regard |
02:55:26 | amiller_: | hence in bitcoin by using simple stuff and doing away with the pki assumption something actually *interesting* has caught on and is starting some kind of revolution, and bitcoin may easily be the place where snarks and mpc are first widely used. |
02:55:51 | amiller_: | b) instead of using "rational" as an excuse to look at *weaker* assumptions.... in other words going from Byzantine-Altruistic to Rational-Altruistic.... |
02:56:11 | kanzure: | in some cases playing by different rules (=~ possibly malicious behavior) ends up with a solution like "well, then it's not bitcoin anymore" which is not a usual mode of attack i'm familiar with seeing in literature heh |
02:56:32 | kanzure: | *usual solution i'm familiar with |
02:56:39 | amiller_: | what they should really look at is using rational to make *weaker* assumptions (i just realized i meant *strong* in the line above, weaker assumptions means more difficult model)... is Byzantine-Rational |
02:56:55 | amiller_: | meaning, even the "honest" people aren't going to participate in your protocol if it's not in their best interests to do so |
02:59:47 | kanzure: | heh the only paper that cites that one is about bitcoin too http://www.ieee-security.org/TC/SP2014/papers/SecureMultipartyComputationsonBitcoin.pdf |
03:01:52 | amiller_: | iirc. they say something like "maybe in the future we'll try formalizing our shit using one of those rational cryptography papers" |
03:14:29 | kanzure: | here's something from the game theory angle (k-indistinguishability and k-stability) http://www.cs.utexas.edu/users/lorenzo/papers/Wong13What.pdf |
03:17:21 | gmaxwell: | more crazy perhaps is the notion that if you've entered a state outside of your protocols promises altruistic players may break protocol to make it 'work' |
03:23:42 | kanzure: | *theoretic (i knew there was something wrong with my spelling) |
05:24:44 | amiller_: | amiller_ is now known as amiller |
08:05:13 | tepper.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
08:35:33 | K1773R_: | K1773R_ is now known as K1773R |
09:14:52 | davidlatapie: | davidlatapie has left #bitcoin-wizards |
12:31:29 | davidlatapie: | davidlatapie has left #bitcoin-wizards |
13:12:12 | davidlatapie: | davidlatapie has left #bitcoin-wizards |
14:18:05 | cbeams_: | cbeams_ is now known as cbeams |
15:11:21 | Aquent: | Aquent is now known as moon |
15:11:51 | moon: | moon is now known as Guest58505 |
15:12:06 | Guest58505: | Guest58505 is now known as Aquent |
17:47:43 | davidlatapie: | davidlatapie has left #bitcoin-wizards |
17:56:37 | zooko`: | zooko` is now known as zooko |
18:32:04 | davidlatapie: | davidlatapie has left #bitcoin-wizards |
18:45:00 | Guyver2: | Guyver2 has left #bitcoin-wizards |
19:29:32 | jcorgan: | jcorgan has left #bitcoin-wizards |
19:51:22 | lnovy: | lnovy is now known as zz_lnovy |
19:52:40 | justanotheruser: | justanotheruser is now known as sempai |
19:52:43 | sempai: | sempai is now known as justanotheruser |
19:53:54 | justanotheruser: | justanotheruser is now known as theholyduck |
19:53:57 | theholyduck: | theholyduck is now known as justanotheruser |
20:00:34 | justanotheruser: | justanotheruser is now known as theholyduck |
20:00:36 | theholyduck: | theholyduck is now known as justanotheruser |
20:06:18 | ahmed_vegas: | ahmed_vegas is now known as ahmed_ |
21:58:49 | nsh: | can you deterministically have a curve-point revealed only at the valid, mined spending of a (timelocked and/or multisig) input? |
21:59:28 | gmaxwell: | what exactly do you mean by 'mined' there? |
21:59:50 | nsh: | the input is spent in a valid block |
22:00:02 | nsh: | probably doesn't matter if it's revealed by the valid transaction input without being mined |
22:00:53 | nsh: | (musing about fund-tying-incentivized curve-point secret-sharing timelock encryption handwaveyness) |
22:02:04 | nsh: | if you can have a point revealed by some transaction that it makes the most economic sense for people to collaboratively unlock at a particular block depth |
22:02:23 | nsh: | then you can encrypt input with something that point renders factorable or otherwise inferable |
22:03:19 | nsh: | then we can have fine-grained timelock modulo the escrow penalty of premature disclosure |
23:00:45 | andytoshi: | nsh: do you want the curve-point to be revealed or its DL? |
23:00:51 | andytoshi: | discrete log / secret key |
23:03:12 | andytoshi: | i have some vague ideas about the "collaborative reveal" part, nothing about incentivizing everyone to reveal at a certain point....though if you spend to a "reveal to spend" output with a timelocked tx in a demurring sidechain that might do it |
23:06:51 | nsh: | i guess the seckey for a point. then you can encrypt stuff or publish the point/pubkey for other people to encrypt for the same reveal time |
23:09:05 | nsh: | i suspect you can set up locked fund transactions that allow punishment of anyone attempting to collaborate prematurely up until some window before the legitimate reveal time |
23:10:40 | nsh: | so if the legit transaction requires A, B, and C to all sign, then if A approaches B or C earlier and discloses their secret, then B or C can spend a transaction which punishes A |
23:13:45 | kanzure: | would that punishment just be a penalty |
23:14:09 | nsh: | forfeit of funds, aye |
23:14:09 | kanzure: | because the alternative seems a little useless (why punish them if they are legitimately meeting the transaction's requirements) |
23:14:49 | nsh: | right, if they all come together and send the correct transaction (that reveals the timelock key) then they get their funds back and whatever costs |
23:14:56 | nsh: | *spend |
23:16:07 | nsh: | forfeit mechanism is to prevent (disincentivize) premature consolidation of the secrets |