--- Log opened Wed Jan 01 00:00:44 2014
01:15 < midnightmagic> fagmuffinz: man you have a terrible nickname
01:18 < gmaxwell> fagmuffinz: I'm not sure what you're trying to accomplish, I missed the history.
01:19 < justanotheruser> gmaxwell: It was the voting thing again.
01:35 < phantomcircuit> midnightmagic, maybe he likes his muffinz with fags
01:35 < phantomcircuit> although that sounds a bit gritty
14:38 < maaku> can Grover's algorithm be used for quantum mining?
14:39 < gmaxwell> sure, in theory, if there existed hardware that could run it.
14:40 < gmaxwell> it's only a sqrt speedup. It would unhinge the difficulty update somewhat. (though if it got far out of whack it would still have quadratic convergence)
14:44 < maaku> Some FUD on lesswrong about quantum computing leading to centralization
14:45 < warren> No tech breakthroughs are needed for human behavior to cause centralization.
14:46 < maaku> heh, yeah
14:49 < gmaxwell> I don't see where that conclusion comes from, unless it's just some assumption that only one party will have access to the faster miner.
14:50 < maaku> gmaxwell: yes, that's the (ridiculous) assumption
14:50 < gmaxwell> Not only that— It's quite likely that should someone successfully use Grover it'll be _slower_ for some time. Simply because the quantum machine runs at 100 kHz or whatever.
14:50 < maaku> that someone will invent a quantum computer capable of doing more work than the entire bitcoin network
14:51 < Alanius> isn't the "quadratic speedup" irrelevant when considering sha 256?
14:52 < Alanius> it's quadratic only for large enough problems
14:52 < Alanius> but the problem size is fixed in this case
14:54 < andytoshi> maaku: lesswrong link? istm that any non-infinite speedup would be covered by the difficulty algo
14:54 < maaku> Sybil successfully Sybil-attacked psychiatrics: http://www.npr.org/2011/10/20/141514464/real-sybil-admits-multiple-personalities-were-fake
14:54 < sipa> Alanius: the quadratic speedup is about finding a preimage
14:55 < Alanius> ... isn't that what Grover's algorithm does?
14:55 < sipa> yes
14:57 < maaku> andytoshi: http://lesswrong.com/r/lesswrong/lw/je7/a_proposed_inefficiency_in_the_bitcoin_markets/a8xl
14:57 < sipa> Alanius: right, it's only quadratic if you see the size of the hash output as variable
14:58 < andytoshi> sipa: is it correct to think of mining that way,
14:59 < andytoshi> "find a SHA16 preimage of 00", then a SHA32 preimage of 0000, and so on
15:00 < Alanius> I guess you could devise a variant of Grover's algorithm that finds a partial collision instead of a full one, and you'd probably see that quadratic speedup with regards to the inverse of the target :)
15:02 < andytoshi> Alanius: yeah, that's what i'm trying to say
15:03 < sipa> right, it's grover on truncated double sha256, with variable truncation length
15:07 < gmaxwell> Alanius: If you're saying that you're going to find complete preimages (size at maximum) then the work factor is still 2^128, which is infeasible.
19:19 < phantomcircuit> ffs
19:19 < phantomcircuit> bought a cable modem
19:19 < phantomcircuit> no coax cable
21:59 < maaku> merged mining attack I hadn't considered : https://bitcointalk.org/index.php?topic=394388.0
22:01 < maaku> someone solo mining altcoin could double-count proof-of-work by merge mining the fraud chain against their solo blocks
22:06 < gmaxwell> maaku: namecoin ended up deploying a specific defense against this
22:06 < gmaxwell> that requires the namecoin chain to be at a particular position
22:09 < maaku> gmaxwell: i'm aware of that one - it protects against having multiple auxblock commitments in the same coinbase
22:10 < maaku> but the twist here is namecoin merged mined against namecoin
22:10 < maaku> so the attacker has the choice of using the outer block or the inner block
22:11 < warren> maaku: wouldn't that only be an issue in practice if the value of NMC were much higher?
22:12 < maaku> warren: eh? it depends on the size of the double-spend you are trying to make
22:13 < Niko_B> Get some easy bitcoins all you need is a web browser http://t.co/RFLekya7Hc
22:13 < maaku> the fact that you can build up the public chain, while double-counting work towards a secret attack violates some security assumptions
22:14 * maaku needs to learn how to use +o
22:14 < gmaxwell> maaku: oh I don't think you can mergemine namecoin against namecoin.
22:15 < maaku> gmaxwell: yeah i'm not certain if it'd actually work.. but this wasn't something I'd previously thought about
22:15 < gmaxwell> maaku: if you can that's dumb and should be fixed, but it's a purely academic attack right now since you'd have to forgo substantial bitcoin income.
22:15 < maaku> and it would have worked in the system I was designing
22:15 < maaku> it's easily fixed though
22:15 < gmaxwell> should be trivial to fix if so— just don't accept non-mergedmined blocks.
22:16 < maaku> yeah
--- Log closed Thu Jan 02 00:00:47 2014