00:27:07kanzure:are there as many bittorrent forks and variations as there are bitcoin derivatives?
00:27:20kanzure:protocol-level i mean
00:41:28nsh:not even remotely...
00:41:54nsh:(because bittorrent is more magically associated with wealth from nowhere)
00:41:58nsh:*is not
01:32:28linelevel:linelevel has left #bitcoin-wizards
02:20:58bosma_:bosma_ is now known as bosma
02:51:55rusty:rusty has left #bitcoin-wizards
02:52:44maaku:kanzure: maybe? theres probably more meaningful changes
03:13:56everettForth:has anyone looked at altcoins that have implemented zk-snarks?
03:14:53nsh:are there any?
03:19:30everettForth:nsh: I have seen at least one that claims to
03:20:46gmaxwell:I don't believe there is.
03:21:14amiller:everettForth, which?
03:21:18everettForth:gmaxwell: shadowcash claims to
03:21:46kanzure:.g shadowcash
03:23:23nsh:claims 'traceable' ring signature with no trusted setup
03:23:43nsh:.g ext:pdf shadowcase-anon
03:24:54everettForth:nsh: I think this ring structure may be outdated
03:25:10everettForth:they have been making changes and left some old pieces in there
03:25:27gmaxwell:I see no evidence of anything zk-snark in it. (fetched the source)
03:25:55nsh:the, ehm, white paper is a bit dubious. a lot more effort was put into the marketing copy in the bitcointalk thread
03:26:04nsh:which is generally a bad sign
03:27:11instagibbs:99% sure that paper was posted here before
03:27:38gmaxwell:there is some amusing cryptographic code in it thats quite concerning.
03:27:49gmaxwell:but nothing interesting.
03:30:02gmaxwell:They're also MIT licens violators (no shock)
03:31:11everettForth:ok, so no zk-snarks yet I guess, I must have read something on bitcointalk
03:31:22everettForth:gmaxwell: how are they violating the license?
03:31:59gmaxwell:Stripped out all attribution, which is the only thing the license requires they not do.
03:33:16everettForth:isn't this attribution: https://github.com/SDCDev/shadowcoin/blob/master/COPYING ?
03:34:18gmaxwell:everettForth: they stripped it out of the source files elsewhere (with a search and replace which falsely claims authorship even of files they didn't touch). No on really cares, I just mentioned it in passing.
03:38:13gmaxwell:pretty sophicated BRS implementation in it.
03:39:02everettForth:what's BRS?
03:39:12gmaxwell:the bytecoin thing.
03:40:22everettForth:I wonder how does shadowcash's stealth address work if it's not zk-snarks?
03:40:52gmaxwell:same way stealth addresses work in Bitcoin.
03:42:17everettForth:ah I see, thanks gmaxwell
03:42:40greenismypepper:greenismypepper has left #bitcoin-wizards
03:43:10everettForth:you guys are pretty smart here, this was so much better than trying to read bitcointalk
03:44:22instagibbs:http://bitcoin.stackexchange.com/questions/20701/what-is-a-stealth-address for more info everettForth
03:44:46everettForth:thanks instagibbs I'm reading that now :)
03:44:53gmaxwell:Translation: we're too helpful, to the point that wasting our time is eaiser than a moment of research on your own? :)
03:46:00instagibbs:google is still in beta, pretty sure
03:46:22everettForth:Well, i tried to research it, but I got stuck, so I appreciate the moment of clarity from this crowd
03:46:47everettForth:there is a lot of noise even with google helping me
04:25:25adam3us:like http://lmgtfy.com/?q=bitcoin+stealth+address
04:26:19adam3us:aka why are you asking, its the first hit on google search! with a fun slow moving cursor and simulated typing of the search term :)
04:26:49sipa:adam3us: one should never post a non-tinyurl'd lmgtfy link
04:27:21gmaxwell:I dunno, makes the most sense to me.
04:57:24instagibbs:adam3us: people can't know my secret
04:57:56instagibbs:stop spoiling
06:00:32bramc:Hey everybody. I'm still digesting from the meeting today. Have some thoughts but want to give them a chance to stabilize a bit more before discussing.
07:20:35fluffypony:[06:26:49] adam3us: one should never post a non-tinyurl'd lmgtfy link <- agreed, you've got to trick them into clicking the link, otherwise your trolling is incomplete
07:49:43sipa:partial troll is worst troll
09:05:14leguin.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
09:05:14leguin.freenode.net:Users on #bitcoin-wizards: andy-logbot ielo Logicwax TheSeven lechuga_ [d__d] cornus_ammonis orik CoinMuncher jaekwon irc88 shesek zwischenzug hktud0 null_radix bramc oujh justanotheruser instagibbs GreenIsMyPepper moa coiner adam3us HaltingState Dr-G koshii hashtag bosma antgreen Emcy_ ebfull delll_ waxwing PaulCapestany torsthaldo elevatio1 nubbins` starsoccer GAit grandmaster ryanxcharles grubles binaryatrocity jgarzik dignork afk11 prodatalab p15 Krellan Starduster_
09:05:14leguin.freenode.net:Users on #bitcoin-wizards: orperelman flower erasmospunk btcdrak kinlo PRab copumpkin Cory fanquake Adlai droark nuke1989 jessepollak ahmed_ Luke-Jr luny Graet ryan-c s1w Eliel veox amiller warptangent indolering huseby tromp K1773R TD-Linux LarsLarsen go1111111 airbreather iddo Pan0ram1x midnightmagic leakypat maaku mariorz CryptOprah sdaftuar_ Apocalyptic tromp_ coryfields Xzibit17 platinuum artifexd epscy_ Muis kumavis dasource guruvan c0rw1n cluckj spinza Anduck
09:05:14leguin.freenode.net:Users on #bitcoin-wizards: bedeho brad__ gmaxwell burcin dansmith_btc paperbot dc17523be3 sipa melvster fenn espes__ dgenr8 jbenet Oizopower mappum harrow Visheate a5m0 hollandais SubCreative Zouppen comboy yoleaux forrestv MoALTz lnovy deego d9b4bef9 weex_ nanotube nsh DoctorBTC bliljerk101 mr_burdell tripleslash NeatBasis Hunger- davout wiz Alanius michagogo cursive PFate yrashk BlueMatt brand0 @ChanServ Adrian_G throughnothing andytoshi helo NikolaiToryzin catcow
09:05:14leguin.freenode.net:Users on #bitcoin-wizards: btc___ HM2 berndj azariah MRL-Relay morcos cryptowest gavinandresen gnusha_ Meeh qwopqwop lclc_bnc otoburb hguux__ wizkid057 so phedny stonecoldpat roasbeef gwillen isis BrainOverfl0w wumpus nickler Iriez phantomcircuit sl01 bobke_ fluffypony dardasaba warren gribble optimator jcorgan Fistful_of_Coins jaromil cfields Keefe bbrittain petertodd BananaLotus smooth ajweiss sneak crescendo Taek eric livegnik asoltys_ pigeons catlasshrugged kanzure
09:05:14leguin.freenode.net:Users on #bitcoin-wizards: heath JonTitor
11:09:47lclc_bnc:lclc_bnc is now known as lclc
11:21:50lclc:lclc is now known as lclc_bnc
12:15:29justanotheruser:justanotheruser is now known as justanot1eruser
12:16:11justanot1eruser:justanot1eruser is now known as lebronxjames
12:16:16lebronxjames:lebronxjames is now known as justanotheruser
12:16:39justanotheruser:justanotheruser is now known as lebronxjames
12:16:40lebronxjames:lebronxjames is now known as Guest8560
12:16:49Guest8560:Guest8560 is now known as justanotheruser
14:13:10lclc_bnc:lclc_bnc is now known as lclc
15:22:22Guyver2:Guyver2 has left #bitcoin-wizards
15:46:12fanquake_:fanquake_ is now known as fanquake
15:47:48waxwing__:waxwing__ is now known as waxwing
16:06:16lclc:lclc is now known as lclc_bnc
17:24:02arubi_:arubi_ is now known as arubi
18:15:48mariorz:why do you think some people are so viscerally against bitcoin?
18:19:38mariorz:they usually rationalize it with pseudo-economic arguments, but even that does not explain such a vehement stand
18:20:18kanzure:wrong channel i think
18:49:01zooko`:* zooko` joins #bitcoin-politics
18:49:40zooko`:Oh, and I thought I was joking, but there actually is such a channel.
18:49:55zooko`:zooko` is now known as zooko
20:51:00bramc:Hey everybody
20:52:15tromp_:hi Bram
20:52:39bramc:Some preliminary thoughts from meatspace discussions yesterday:
20:53:38bramc:nonoutsourcability is totally fixable using amiller's construction but doesn't address the main attack. Using strongly single use signatures is probably a really good idea though (I can explain what those are, there's no literature on them)
20:54:48amiller:meatspace where (just curious)?
20:54:55amiller:what do you mean doesn't address the main attac
20:55:19tromp_:aren't ecdsa sigs with fixed k single use?
20:57:00bramc:The problem of pooling incentives can be strongly mitigated by using the nth worst signature for some small n and requiring the others to support it. It's very important that only the nth worst appear on the trunk (new idea as of this morning, before I thought this allowed an attacker to try too many different permutations) and there's a lot of subtle details about how the cooperation works out and it makes everything a
20:57:01bramc:bit weaker against a fast spow server.
20:57:19bramc:tromp_, Could be, I need nonoutsourcability too though
20:58:03bramc:amiller, meatspace in my offices
20:59:14amiller:i havne't clicked in and figured out what you're talking about yet :)
20:59:17bramc:With secure hash based signatures there's a simple trick for making them single use: Signatures require revealing most of the preimages
20:59:22tromp_:by n-th worst you mean n-th closest to the target from spow?
21:00:03bramc:Now I need to figure out how to start approaching this for someone who wasn't at the meeting yesterday
21:00:58tromp_:how many ppl at this meeting?
21:02:30bramc:The short of it is that I'm working on a form of mining where the proof of work doesn't involve any CPU (think I've explained that before) There's an inherent problem with it in that because it doesn't cost anything to mine it doesn't cost anything to mine inferior forks, and your chances of an inferior fork catching up go up as the size of your pool gets bigger. This isn't a large effect, but it's one which it would be
21:02:30bramc:a very good idea to mitigate.
21:02:48bramc:tromp_, six or seven not including me.
21:03:15bramc:gmaxwell, Luke-Jr, sipa, and a few others whose handles I don't remember
21:04:20bramc:Oh that reminds me, I'm now convinced that it's a good idea to not do the halving, and given how slowly the implicit inflation goes down I think it's best to just leave it at that. That also has the advantage of being braindead simple.
21:04:34bramc:This is re: the general discussion of demurrage
21:04:39tromp_:so you want single-use sigs to prevent ppl signing off on multiple forks?
21:05:38bramc:tromp_, Uh... basically yes, I'm not exactly sure attacks I'd like to guard against because they depend on the subtle details of how cooperation between the n best sigs works but something like that.
21:06:44tromp_:your not-halving comment is about the reward as function of time?
21:07:04bramc:tromp_, Yes, mining rewards are fixed
21:09:42kanzure:meatspace as in "don't stream it or else kanzure might type it"
21:09:44zooko:* zooko reads with interest
21:10:32tromp_:so if the coin-loss rate is 2%, it takes over 50 years to reach the soft-cap of 50*yearly reward
21:11:08bramc:kanzure, Oh sorry, I didn't think to stream it, now that you mention it, I think you asked for that and I forgot
21:11:41bramc:my bad
21:11:41kanzure:that's okay, the version that happened in my head is probably accurate
21:12:35bramc:There wasn't much tomato flinging, I'd worked out answers to the problems which had been pointed out in earlier discussions. In some cases not super great answers, but at least answers.
21:12:58kanzure:nah i don't mean food fighting. i think i know a few of you well enough to predict various arguments.
21:13:31bramc:tromp_, I'm thinking no coin-loss rate, so *eventually* the rate is 'too low', and it happens as inflation instead of direct loss, but, you know, close enough.
21:17:37bramc:There was a bunch of general bitcoin discussion as well, including things like discussing transaction fees at the rate limit and shitting on zeroconf
21:18:07fluffypony:zeroconf ALL of the things!
21:18:11fluffypony:zooko: zero confirmation transactions
21:18:20kanzure:"speed of light constraints don't exist, proof of work is wasteful, and bitcoin devs are evil"
21:18:34fluffypony:because you should be using Bitcoin to buy your coffee in the morning, amirite?
21:18:45bramc:As in, zero blocks have been minted including the transaction yet
21:19:10kanzure:i think that you will find that the vast majority of all devs aren't actually evil
21:19:36kanzure:also, i don't know what sort of complaints you have about zero confirmation transactions, but technically all transactions begin with zero confirmations, so i don't see the problem
21:20:06bramc:fluffypony, That's the goal, although of course zeroconf proper isn't a good solution. Some things came up which I need to read up on, including micropayment channels
21:20:41fluffypony:bramc: except that I'm not sure the main Bitcoin blockchain is the best place to have millions upon millions of coffee purchases...a
21:20:42bramc:So I'm going to hold off on giving an opinion on the best way to do a zeroconf-like thing until I've read through micropayment channels stuff
21:21:06kanzure:bramc: http://sourceforge.net/p/bitcoin/mailman/message/33405247/
21:21:10bramc:fluffypony, Yes that's another problem.
21:22:08bramc:kanzure, The whole meeting felt very positive and a lot of fun, nobody was accusing anybody else of being evil
21:22:25kanzure:i was taking some creative license, hehe
21:22:36kanzure:i don't actually think that you think everyone is evil, you know
21:22:48bramc:There also seems to be a general belief that... how to put this... bitcoin zealotry is not actually helpful for the technology
21:23:01fluffypony:except kanzure, he's pretty evil with his dodgy anti-captcha libraries and stuff
21:23:24kanzure:fluffypony: honestly you're the first person that has brought that up to me, which is a little weird-- everyone else seems to be sleeping on the job
21:23:55fluffypony:you should complain to management
21:24:59bramc:Obviously I'm not arguing against speed of light limitations: I'm probably the world's leading expert in that having spent several years banging my head against live streaming. The argument about whether it's possible to get rid of mining wastage is a real one though, and the whole point of what I'm doing.
21:25:26kanzure:have you read pos.pdf yet
21:25:30kanzure:or alts.pdf for that matter
21:26:23bramc:kanzure, I'm doing proof of storage, not proof of stake. Trying to keep the very central concept in bitcoin that all you need to validate the best blockchain is a cpu and a clock
21:26:49kanzure:hopefully i have never accused you of doing proof of stake, but the reasons why proof of stake doesn't quite work are quite interesting and worth studying
21:27:10bramc:Fair enough, I'll put it on my reading list, which apparently is a bit long again
21:27:17kanzure:also, supose you have a civilization on earth within a light sphere of say uh.. a few minutes at most.. that had a few trillion transactions per second. i don't think it's reasonable to store all of those transactions in a blockchain that gets synced around to everyone.
21:27:36kanzure:bramc: https://download.wpsoftware.net/bitcoin/alts.pdf
21:27:40moa:".... the vast majority of all devs aren't actually evil" ... can't be evil
21:27:41kanzure:bramc: https://download.wpsoftware.net/bitcoin/pos.pdf
21:28:02bramc:kanzure, Absolutely, I don't have a good answer to scaling though, so I'm not pretending to work on it
21:28:05kanzure:moa: developers (including myself) can make poor implementation decisions
21:28:27bramc:kanzure, thanks for the links, but I'd already found them :-)
21:28:45kanzure:bramc: btw i've been meaning to ask you, why are there not so many forks of bittorrent? obv. there's no crazy financial incentive, but uh.. still.. i'd expect at least more than i've seen. which is not many.
21:29:28kanzure:bramc: one idea ih ave is that the reason may be that there's no single bittorrent client that performs all of the necessary functions, so forking and protocol-derivatives are more costly.
21:29:30bramc:kanzure, Basically nobody's come up with a compelling feature for a new alternative. And there's tremendous networking effects with a literal installed base.
21:29:43moa:bramc : (micro)payment channels material links https://github.com/utxo/wheels/wiki
21:29:48bramc:Yes getting installs on client machines is a massive hurdle.
21:30:16kanzure:right right, typical adoption problems, but i assume also infrastructure problems (server, client, trackers, whatever the protocol changes call for)
21:30:26kanzure:whoops s/server/tracker
21:30:44bramc:Yeah there's a lot of momentum on the DHT. Less for individual trackers though
21:31:20kanzure:i think that bitcoinj's micropayment channel documentation is the most practically-approachable and had minimal moon math
21:35:05hashtagg_:hashtagg_ is now known as hashtag
21:36:08bramc:Doing everything based on proofs of storage appears to not work but I'm trying to do the very subtle engineering necessary to make it happen. One of the first times I came in this channel I got into an argument with gmaxwell about the entry in the bitcoin ninja faq talking about that. This argument is of course still ongoing. There's a not-so-slippery slope in what I've come up with, which raises the question of how not
21:36:08bramc:-slippery it can be made and whether that works in practice.
21:36:33bramc:gmaxwell also made the interesting and ironic point that attacking my thing is a lot more fun than attacking something which is truly busted
21:37:00moa:a worthy adversary
21:37:53bramc:moa, Yeah that's the problem
21:38:45kanzure:i think you should consider working from the opposite direction (why does decentralized consensus seem to work at all, and then what properties of it can you change without totally breaking it)
21:38:52kanzure:((rather than building from the opposite direction))
21:38:57moa:interesting comment about keeping it simple to proving you have a cpu and a clock
21:39:01moa:proof of clock?
21:40:05moa:what is work done but the increase in entropy
21:40:18bramc:moa, There's a lot of proof of time in thing, aka sequential proof of work or spow
21:41:16bramc:kanzure, Well I sort of am in that I'm working based fairly directly off of bitcoin, there's a clear notion of having blocks and probabilistic minting of them
21:42:59zooko:* zooko reads with interest.
21:43:34kanzure:right.. but blocks aren't why it works.
21:43:38kanzure:or seems to work
21:43:42stonecoldpat:* stonecoldpat reads with interest as well.
21:44:07bramc:moa, There's a basic but very obfuscated point in bitcoin that when you're deciding whether to accept a chain you look at the clock and only accept the chain if the amount of mining rewards it claims are within what should have been awarded by the current time. That's heavily obfuscated for technical reasons, but it's the essence of what's going on.
21:46:12moa:the time warp attack ... hardly call it obfuscated
21:46:16bramc:kanzure, It's based a little bit more fundamentally on proofs of work, but the noisiness seems very fundamental to achieving convergence, at least nobody's suggested anything else which seems to work for that.
21:46:35bramc:moa, the time warp attack is much less effective if you don't have that damn bug.
21:50:05moa:well the distributed (consensus) timestamp server is the key discovery behind the much ballyhooed "blockchain techology"
21:50:12moa:and it appears to work, thus far
21:54:04bramc:There are a number of things in bitcoin which just barely work and are heavily interdependent, as this loophole in the limits of k-agreement. I assume the thing on proofs of stake goes into much more technical detail on this, but I haven't read it yet.
21:55:34bramc:Is there a good link for p2sh squared?
21:56:24kanzure:there are good links for p2sh things, but what is squared about p2sh squared?
21:57:53bramc:kanzure, It's double hashed so there's a need to demonstrate that things in the block chain are actual hashes. People were talking about it yesterday.
21:58:23bramc:Also, is there a good explanation of what 'scorched earth' is in reference to? I can find it being used but nothing which explains what's meant by it.
21:59:43bramc:Also came up in discussion: There's a very important use case for having dependent transactions get included in the same block, in having the receiver pay transaction fees.
22:06:26moa:proof of clock ==> proof of entropy increase (arrow of time) http://en.wikipedia.org/wiki/Entropy_%28arrow_of_time%29
22:09:23bramc:moa, there's a difference between something which demonstrates a parallelizable vs. non-parallelizable operation.
22:11:10bramc:lamport signatures are of course all single use, but they aren't strongly single use, in that maybe you can get away with signing, like, two things. I'd like to fix that down so that if you sign two things you are well and truly screwed.
22:11:19moa:are all h/ware clocks crystal oscillators?
22:12:01bramc:Regardless of exactly how the underlying hardware works, there are some operations which just can't be parallelized effectively for cryptographic reasons.
22:14:24bramc:I keep forgetting that I installed a plug-in to improve the web and wondering why pages are talking about the 'douchiness committee' and the like (it's auto-substituting from 'leadership')
22:17:22moa:that's abstracting the double-spend problem out to the smaller set of parallelizable processes solutions
22:18:28moa:an incorruptible timestamp is the wider solution set
22:20:46bramc:moa, With a carefully designed block chain there can be a mix of proofs of time and proofs of storage which don't allow for an attacker to try an unlimited number of alternatives in parallel.
22:21:08bramc:Emphasis on the 'carefully designed'
22:21:39smooth:bramc: http://sourceforge.net/p/bitcoin/mailman/message/30705609/
22:22:20bramc:smooth, thanks!
22:25:10moa:oh I thought you were investigating ASIC-resistant approaches
22:32:11bramc:moa, This goes beyond asic resistance into asics being completely irrelevant. Well, not for the proof of time part, but there's no direct incentive for that bit and only a few of them run at once.
22:37:30nsh:* nsh muses
22:48:53tromp_:bramc: if we could demonstrate practical limits on th parallellizability of cuckoo cycle, then that could make a simple posw
22:49:33tromp_:(i prefer the term proof of seq work over seq proof of work)
22:50:56bramc:tromp_, I need the proofs of storage to be fast and use no power at all, so I'm using the much more expedient trick of having the proof of storage be a public key whose hash is numerically as close as possible to the hash of the last spow
22:51:23bramc:I'm indifferent about the vernacular. People here seem to like saying spow, I don't know if that's a term of art or something gmaxwell made up.
22:51:39tromp_:it's the work that is sequential, not the proof
22:51:40instagibbs:I look forward to some form of write-up. I'm a little hazy on some of the acronyms you're throwing around
22:52:58tromp_:anyway, you seem to misinterpret my comment; i was talking about the proof -of-time phas
22:58:40bramc:tromp_, Oh the proof of time part needs to be absolutely canonical and nailed down. I'm doing it by it being a braindead repeated hashing operation with intermediary values given so that it can be spot checked and checked in parallel.
23:02:18tromp_:i agree that's much simpler. but for k iterations you need k*32 bytes of proof
23:03:34tromp_:and you wanted k in the thousands?
23:04:19bramc:Yeah they're a bit big unfortunately but still well under the transaction size limits
23:04:48tromp_:cuckoo is orders of magnitude shorter
23:05:06tromp_:and instantly checkable
23:05:11bramc:It's 64 bits per k, on the assumption that nobody can have 2^64 parallel processors
23:05:24bramc:cuckoo can't be verified to be canonical. That's a very important property.
23:07:44bramc:As in, necessary for the security of my system
23:07:59tromp_:ok, then we can forget about cuckoo....
23:08:30bramc:Yeah that requirement makes things very difficult
23:44:25zooko:Hm, can't it be verified as canonical?
23:44:46zooko:It might require more work than the verification of (possibly non-canonical) work.
23:44:52zooko:Oh, bramc disappeared.
23:45:10zooko:Good, because I instantly regretted contributing a thought without first inquiring if he was patenting his ideas. ;-)
23:49:46moa:irc logs, the original creative commons