| 04:36:33 | wallet42: | wallet42 is now known as Guest150 |
| 04:36:33 | wallet421: | wallet421 is now known as wallet42 |
| 05:49:00 | fluffypony: | http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html?m=1 |
| 05:50:18 | fluffypony: | basically PHP and the crypt library's implementations of bcrypt and some other hashing functions terminate on a null byte |
| 05:50:35 | fluffypony: | which is fine, until you pre-hash something and the output contains a string with null-bytes |
| 05:50:59 | fluffypony: | "The underlying problem is that combining cryptographic operators that weren't designed to be combined can be disasterous. Is it possible to do so safely? Yes. Is it a good idea to do it? No. This particular case is just one example where combining operations can be exceedingly dangerous." |
| 05:51:40 | fluffypony: | I guess half of the altcoins didn't get that memo... |
| 05:51:47 | gmaxwell: | man that page tool a lot of space to say the implementation wasn't binary clear. |
| 05:52:07 | fluffypony: | gmaxwell: hence my tl;dr :-P |
| 05:52:36 | gmaxwell: | fortunately most idiots will likely save themselves by feeding it the _hex_ of some other hash. |
| 05:53:01 | gmaxwell: | but indeed the point you're making from it is a good one. |
| 05:53:18 | gmaxwell: | Though I wish most of the broken things I've seen were even that subtle. |
| 05:54:57 | fluffypony: | I wonder if it isn't an inability of most of the "devs" to understand decentralised / assume malice / blockchain principles and then design conceptually with those in mind |
| 06:18:09 | brisque: | fuffypony: ita a totally different mind state than lots of people are taught. you sprinkle on security afterwards rather than baking it in. |
| 06:20:54 | brisque: | I've seen people several times post on bitcointalk with examples where they interfaced with bitcoind by passing input to a shell with bitcoin-cli, for example. |
| 06:21:52 | fluffypony: | * fluffypony shudders |
| 06:23:04 | brisque: | not to pretend that json RPC itself hasn't had sanitation problems. |
| 06:37:06 | wallet42: | wallet42 is now known as Guest45717 |
| 06:37:06 | wallet421: | wallet421 is now known as wallet42 |
| 06:38:58 | wallet421: | wallet421 is now known as wallet42 |
| 08:05:15 | kornbluth.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
| 08:05:15 | kornbluth.freenode.net: | Users on #bitcoin-wizards: andy-logbot cbeams wallet42 binaryatrocity SDCDev oaavi CoinMuncher moa fanquake hktud0 Dr-G Mably RoboTeddy aburan28 dgenr8 coiner orik x98gvyn justanotheruser gonedrk Hybridsole molec dc17523be3 d1ggy crowleyman Tjopper hashtag prodatalab_ koshii Adlai PaulCapestany DougieBot5000 p15x_ NikolaiToryzin flower espes__ luny antgreen RastaRoyale zooko waxwing Emcy MoALTz shesek kyletorpey ahmed_ adam3us p15_ huseby face spinza sipa |
| 08:05:15 | kornbluth.freenode.net: | Users on #bitcoin-wizards: betarigs_admin melvster airbreather GAit nuke1989 go1111111 Visheate phedny dignork- s1w yorick amiller_ petertodd iddo_ kanzure LeMiner mkarrer_ arubi c0rw|away Iriez Luke-Jr hashtagg michagogo yrashk btcdrak catcow Muis cfields Zouppen sneak coryfields_ Starduster stevenroose tromp_ alferz gribble Cory LarsLarsen jcorgan cryptowest_ ajweiss berndj kinlo Logicwax midnightmagic Pan0ram1x devrandom crescendo wizkid057 bosma grandmaster harrow |
| 08:05:15 | kornbluth.freenode.net: | Users on #bitcoin-wizards: otoburb copumpkin wumpus jaekwon GreenIsMyPepper phantomcircuit BlueMatt jaromil Apocalyptic gwillen dasource bbrittain fenn amincd HM2 prepost tromp eordano nickler Alanius PRab BananaLotus guruvan ryan-c lnovy DoctorBTC ebfull cluckj brisque sdaftuar veorq helo Hunger- xabbix runeks null_radix bedeho gmaxwell SwedFTP epscy nanotube andytoshi bliljerk101 starsoccer comboy nsh Taek EasyAt maaku livegnik optimator fluffypony Meeh cursive |
| 08:05:15 | kornbluth.freenode.net: | Users on #bitcoin-wizards: yoleaux dansmith_btc [d__d] morcos Fistful_of_Coins dardasaba isis smooth Xzibit17 artifexd kumavis mariorz Krellan platinuum Oizopower Keefe catlasshrugged JonTitor eric mappum jbenet wiz heath gnusha warren AdrianG lechuga_ jessepollak Graet Eliel veox warptangent indolering K1773R TD-Linux leakypat CryptOprah Anduck a5m0 d9b4bef9 mr_burdell NeatBasis davout brand0 @ChanServ throughnothing btc___ azariah MRL-Relay hguux__ so roasbeef |
| 08:05:15 | kornbluth.freenode.net: | Users on #bitcoin-wizards: BrainOverfl0w |
| 09:06:55 | wallet421: | wallet421 is now known as wallet42 |
| 09:13:25 | wallet421: | wallet421 is now known as wallet42 |
| 09:31:16 | crowleyman: | crowleyman is now known as crwlymn |
| 09:32:29 | crwlymn: | crwlymn is now known as crowleyman |
| 10:14:05 | c0rw|away: | c0rw|away is now known as c0rw1n |
| 11:21:39 | oaavi: | interesting |
| 11:21:41 | oaavi: | http://www.reddit.com/r/Bitcoin/comments/2yvy6b/a_regulatory_compliance_service_is_sybil/ |
| 11:22:01 | brisque: | oaavi: probably more one for #bitcoin |
| 11:22:17 | oaavi: | kk |
| 11:22:24 | oaavi: | sry |
| 11:26:06 | crowleyman: | crowleyman is now known as crwlymn |
| 11:28:20 | Guyver2: | Guyver2 has left #bitcoin-wizards |
| 11:31:26 | crwlymn: | crwlymn is now known as crowleyman |
| 12:45:58 | fluffypony: | for anyone researching full node cost / capacity trade-offs (especially with larger blocks) this is good news: http://techreport.com/review/27909/the-ssd-endurance-experiment-theyre-all-dead |
| 12:47:46 | nubbins`: | 10/10 would waste money on |
| 13:08:24 | instagibbs: | still waiting for HP to deliver on their memristors. Then we can stop worrying about UTXO size |
| 13:31:01 | icallfone: | icallfone has left #bitcoin-wizards |
| 14:07:25 | dignork-: | dignork- is now known as dignork |
| 15:19:11 | luke-jr_: | luke-jr_ is now known as Luke-Jr |
| 15:22:30 | zooko: | "Maxwell, the bitcoin wizard" |
| 15:22:33 | zooko: | from http://insidebitcoins.com/news/someone-may-be-deanonymizing-your-bitcoin-transactions |
| 15:23:49 | sipa: | ha |
| 15:23:51 | fluffypony: | hah |
| 15:23:56 | brisque: | zooko: the quotes from Chainalysis really piss me off. it's just for a "blog post", never mind the fact that they say on the front of their website that they are selling access to an API that does deep deanonymisation. |
| 15:23:56 | heath: | the bitcoin workshop at Stanford mentioned at the MIT Bitcoin Expo: http://blockchainworkshops.org/ |
| 15:24:12 | brisque: | "Chainalysis customers get access to an API that allows them to determine which entity a transaction originates from, and whether the flow of funds originate from someone they would want to do business with." |
| 15:24:22 | brisque: | "He then went on to explain that the company is collecting data related to “bitcoin transfer activity between different countries.” They plan to share this data in an upcoming blog post." |
| 15:24:53 | zooko: | brisque: haven't read down to the quotes from Chainalysis yet. |
| 15:24:59 | zooko: | * zooko is slow. |
| 15:25:13 | amiller_: | zooko is live-casting his reading of the article :p |
| 15:25:48 | sipa: | amiller_: there should be an online service for that |
| 15:26:08 | sipa: | let's call it "Interactive Research Clarification" |
| 15:26:44 | zooko: | * zooko lol |
| 15:27:07 | fluffypony: | lol |
| 15:27:26 | amiller_: | i want to talk about a totally new idea today |
| 15:27:39 | amiller_: | this is in the category of, applications of absolutely outofthisworld moon math cryptography to bitcoin applications |
| 15:27:50 | zooko: | Whoo! |
| 15:27:56 | amiller_: | todays bonker's crypto is: witness encryption https://eprint.iacr.org/2014/273.pdf |
| 15:28:12 | fluffypony: | oh thank goodness, I thought it was going to be ethereum for a second |
| 15:28:28 | amiller_: | snarks are kind of dull and oldhat by now |
| 15:28:36 | sipa: | * sipa faints |
| 15:28:42 | zooko: | * zooko col |
| 15:28:48 | zooko: | "chuckles out loud" |
| 15:28:51 | amiller_: | witness encryption is different, roughly with witness encryption you can take an arbitrary NP statement (i.e., a circuit), and use it as a public encyrption key |
| 15:28:58 | zooko: | The people in this coffeeshop are starting to eye me. |
| 15:29:04 | sipa: | i never got to the point where i could say i could even explain why somethng like snarks might be possible |
| 15:29:11 | zooko: | sipa: me too. |
| 15:29:23 | sipa: | i'm not talking about explaining snarks |
| 15:29:24 | amiller_: | you can encrypt a message such that anyone with a witness for that statement (i.e., a satisfying assignment such that the circuit outputs "1") |
| 15:29:26 | zooko: | And now I'm about to have a new thing that I can't understand crowding into my brain. witness encryption. |
| 15:29:28 | amiller_: | can decrypt the message |
| 15:29:37 | zooko: | amiller_: that's pretty awesome. |
| 15:29:50 | amiller_: | witness encryption is one of those things that's implied by indistinguishability obfuscation |
| 15:30:36 | amiller_: | so it's generically possible given some crazy assumptions about lattices or other multilinear maps, but the generic constructions are totally totally impractical, way worse than snarks or even fully homomorphic encryption |
| 15:31:08 | amiller_: | of course it's possible that there will be more efficient generic constructions, or that there will be efficient constructions for some limited class of statements, etc. |
| 15:31:32 | realcr: | amiller_: What would you do with this kind of construction, if it worked? |
| 15:32:59 | amiller_: | realcr, great question, that's actually what i wanted to talk about! |
| 15:33:05 | andytoshi: | hooray :) i actually know about witness encryption |
| 15:33:28 | amiller_: | okay so, if W.E. exists, we could use it so that proofs of work can decrypt a ciphertext. |
| 15:33:36 | amiller_: | that's similar to timelock encryption |
| 15:33:57 | amiller_: | but actually timelock encryption in crypto is pretty awful, like even though it loweer bounds the amount of time it takes to decrypt a thing, |
| 15:34:32 | amiller_: | a) it's still expensive, someone has to dedicate like a whole core-year to it if the time limit is a year, b) it's not amortized, to decrypt n messages you need n cores |
| 15:35:07 | amiller_: | so with W.E. you could make it so that you put a ciphertext in the blockchain, and after a month's worth of bitcoin proof of work, the miners have basically automatically decrypted it |
| 15:35:25 | amiller_: | because the W.E. circuit is basically a circuit that SPV checks a month-long proof of work chain |
| 15:35:46 | zooko: | Hm. |
| 15:35:52 | zooko: | Wow. |
| 15:35:56 | amiller_: | this would a) be amortizable, b) it uses the work bitcoin miners are already doing, and even better c) it can be pipelined |
| 15:36:17 | amiller_: | that is, if ther's a transaction that starts at block B and takes 1 year, then at B+6 months i can add a new one of these transactinos |
| 15:36:29 | realcr: | amiller_: I might not fully understand how w.e. works, but don't you need to know the instance x before you encrypt? |
| 15:36:34 | amiller_: | and in the following 6 months, the miners are simnultaneously finishing off decrypting the first transaction, while also putting in the first 6 months of work decypritng the second |
| 15:36:34 | zooko: | So, to dumb it down even more, for my benefit, WE can make time-lock-crypto actually practical, where the time-lock is a sufficiently long, or sufficiently work-bearing blockchain. |
| 15:36:40 | andytoshi: | realcr: nope :) |
| 15:36:42 | amiller_: | realcr, no you do not |
| 15:36:45 | zooko: | Wow. |
| 15:36:50 | realcr: | Oh cool. |
| 15:36:53 | andytoshi: | realcr: you have a secret key which lets you bypass the requirement for having a witness |
| 15:37:00 | zooko: | Until this moment, I thought time-lock-crypto wasn't good enough for my purposes. |
| 15:37:03 | amiller_: | okay so i have 1 more clever twist ending. |
| 15:37:09 | amiller_: | here's one application to motivate the big twist |
| 15:37:17 | amiller_: | you know how there's that lottery game |
| 15:37:24 | zooko: | ☺ |
| 15:37:27 | fluffypony: | realcr: so it lets you, for instance, create text that can only be decrypted by proof of a mathematical solution that doesn't yet exist |
| 15:37:31 | amiller_: | but since someone could just leave without revealing their commitment, everyone has to put in like N^2 deposits in total? |
| 15:37:41 | andytoshi: | (which does mean that -somebody- can bypass the timelock, specifically the encrytor, unless i'm remembering wrong) |
| 15:38:10 | amiller_: | well, you could use timelock encryption to make it so that if you don't reveal your commitment, after some time the miners will reveal it themselves |
| 15:38:24 | amiller_: | now, for the twist. |
| 15:38:39 | realcr: | fluffypony: It says in the article: An encryptor will take in an instance |
| 15:38:42 | realcr: | x |
| 15:38:44 | realcr: | along with a message |
| 15:38:46 | realcr: | m |
| 15:38:48 | realcr: | and run the encryption algorithm to produce a ciphertext CT |
| 15:38:49 | amiller_: | suppose you want to make it so that if you don't reveal something, like make a transaction that pays somewhere before a deadline, you want your plaintext to be revealed, |
| 15:39:06 | amiller_: | but if you *do* satisfy a condition, like pay out before the deadline, then you would prefer that the miners don't keep trying to reveal your secret |
| 15:39:52 | amiller_: | well, you can basically make a W.E. circuit that says, this ciphertext can be decrypted given X amount of work on a blockchain, as long as that blockchain does *not* include a transaction that pays out before the deadline |
| 15:40:21 | zooko: | * zooko applauds |
| 15:40:23 | zooko: | Awesome. |
| 15:40:31 | zooko: | Two brain-breaking new things for me to digest. |
| 15:40:31 | amiller_: | so once miners start working on a blockchain that includes your transaction, they're no longer decrypting your message |
| 15:40:35 | realcr: | amiller_: It's really cool. I think I understand now. |
| 15:40:48 | zooko: | That latter thing is definitely one of those things that I thought was impossible. |
| 15:40:52 | fluffypony: | realcr: the trick is in the circuit, the circuit has to output a value, say 1, if x is the magical proof we expect, and 0 if it isn't |
| 15:40:57 | zooko: | Unfortunately, I need to go now. back in a bit. |
| 15:41:10 | tromp: | amiller: that cant be done SPV style though?! |
| 15:41:10 | amiller_: | ok thats all i got |
| 15:41:20 | amiller_: | tromp, i think that last part would require TXO commitments or something |
| 15:41:38 | amiller_: | well, utxo commitments |
| 15:41:45 | realcr: | fluffypony: And you just need to know ahead of time that x is actually inside the language L, and you do know that ahead of time. Cool. |
| 15:41:49 | andytoshi: | realcr: fluffypony: x is the instance of the problem; a witness w is the "proof" and you have some relation such that (x,w)=1 |
| 15:42:11 | fluffypony: | yup |
| 15:42:19 | tromp: | amiller: yes, those would suffice |
| 15:42:21 | realcr: | I see. I mixed the ideas of witness and instance, but now I get it. |
| 15:42:31 | realcr: | tromp: What does spv stand for? |
| 15:42:41 | tromp: | simple payment verification |
| 15:42:42 | sipa: | realcr: simplified payment verification |
| 15:42:47 | realcr: | sipa: Thanks. |
| 15:43:09 | sipa: | read section 8 of the bitcoin whitepaper |
| 15:43:27 | andytoshi: | realcr: also be aware that the security property is a little weird: it says that if your instance x is -not- in the language, the encryption should be indistinguishable from random. it says nothing about if x -is- in the language, so to build actual cryptosystems you need to introduce other primitives which somehow "disguise" whether or not x is in the language |
| 15:43:50 | andytoshi: | c.f. the original W.E. paper which has no proof of security but otoh is easier to read http://eprint.iacr.org/2013/258 |
| 15:44:27 | andytoshi: | there are a few pages of applications in there where they build public-key encryption, identity-based encryption, etc, from WE |
| 15:44:29 | fluffypony: | http://www.cs.berkeley.edu/~sanjamg/classes/cs276-fall14/scribe/lec18.pdf |
| 15:44:41 | fluffypony: | also a nice overview of W.E in general |
| 15:45:56 | realcr: | Do you think it is expected to be somewhat practical? |
| 15:46:05 | realcr: | I always fear that those things are just a far dream. |
| 15:46:24 | andytoshi: | realcr: one day, yes, but we are not close |
| 15:46:27 | realcr: | I mean practical by computation time etc. The math seems to be solid. |
| 15:46:33 | realcr: | I see. |
| 15:46:57 | amiller_: | realcr, the math is still questionable too tbh |
| 15:47:04 | realcr: | :) |
| 15:47:07 | sipa: | realcr: "the math seems to be solid", i doubt there are many people in the world who could reasonable make that statement |
| 15:47:18 | sipa: | *reasonably |
| 15:47:28 | andytoshi: | my feeling is we should totally scrap this graded-encoding paradigm (as well as multilinear maps for that matter, even if they exist they won't be quantum hard) and think about building arbitrary oblivious circuits from something simpler like lattices |
| 15:47:45 | amiller_: | the assumptions are kinda out there, the top theory people are basically still exploring whether there's attacks that break the whole thing down or better assumptoins that suffice |
| 15:47:47 | realcr: | I looked at a few pages at random, and the math consequences seemed to be valid :) That's how you probabilistically check proofs. |
| 15:47:59 | amiller_: | realcr, hahaha :D |
| 15:48:07 | andytoshi: | realcr: the problem is that there are no axioms at the bottom, just super sketchy "assumptions" |
| 15:48:18 | andytoshi: | also haha at PCP :) |
| 16:44:23 | instagibbs: | assume crypto assumptions are spherical |
| 18:36:52 | mrkent_: | What are major reasons why someone wouldn't use default port while running bitcoin node |
| 18:38:39 | gmaxwell: | Their local network blocks it. Otherwise? I have no suggestion. |
| 19:26:04 | maaku: | because they don't want incoming DNS seed connections? i don't know |
| 19:28:47 | gmaxwell: | s/DNS seed/ |
| 19:28:53 | phantomcircuit: | maaku, i dont think that would work |
| 19:28:58 | gmaxwell: | / |
| 19:29:05 | phantomcircuit: | if you make outgoing connections iirc you tell your peers about which port you're using |
| 19:29:11 | gmaxwell: | using a non-default port makes other nodes avoidconnecting to you. |
| 19:29:20 | maaku: | phantomcircuit: the DNS seed doesn't report non-standard port addresses |
| 19:29:24 | phantomcircuit: | non default ports are shunned? |
| 19:29:50 | phantomcircuit: | oh |
| 19:29:52 | phantomcircuit: | interesting |
| 19:29:54 | maaku: | why is non-default ports shunned by bitcoind? that's news to me |
| 19:34:21 | gmaxwell: | amiller_: how is witness encryption adifferent from attribute based encryption? |
| 19:38:40 | gmaxwell: | maaku: to prevent people from making the network into a big nussance of connecting to non-nodes. |
| 19:39:06 | gmaxwell: | maaku: they're only connected to as a last resort if you're unable to get connected for a while (e.g. if the port is blocked outbound for you) |
| 19:40:05 | maaku: | gmaxwell: because the presumption that non-nodes connect via different ports? |
| 19:40:35 | gmaxwell: | I'm not following. |
| 19:41:17 | maaku: | why does it matter what port a node uses? |
| 19:41:43 | gmaxwell: | Bitcoin Core will not connect out to anything except 8333 unless its unable to get connected. This prevents an attack where someone announces, say, bob's fizzle-bop server as a 'node' and then 100,000 bitcoin nodes irritate bob by connecting to him over and over again. |
| 19:41:58 | gmaxwell: | (and then Bob files abuse complaints against random Bitcoin users) |
| 19:45:01 | Taek: | they would connect over and over again? |
| 19:46:16 | fluffypony: | Bob would be like a masternode |
| 19:46:21 | fluffypony: | :-P |
| 19:50:54 | maaku: | gmaxwell: ok thanks that was my question |
| 19:58:04 | phantomcircuit: | Taek, no but it would be enough for lots of nodes to try to connect even periodically |
| 20:21:04 | adam3us: | amiller_: "way worse than fully homomorphic encryption" :( aka impractical, check back in a decade or so? |
| 20:21:29 | phantomcircuit: | horray i've loaded 635000 out of 62297829 transactions into my sql db |
| 20:21:37 | phantomcircuit: | only ~100% more to go |
| 20:21:57 | kanzure: | phantomcircuit: why are you taking so long? |
| 20:22:13 | phantomcircuit: | kanzure, dat bitcoind rpc yo |
| 20:22:15 | adam3us: | sipa: i think the brands credential scheme gives some indication of why snark-like things might work. a simplish generalisation/extension to schnorr signatures and then you can prove execution of a tiny/simple program (a small boolean circuit) |
| 20:25:06 | adam3us: | sipa: ftp://ftp.inf.ethz.ch/pub/crypto/publications/CamSta97b.pdf shows how to use brands respresentation problem and tree representations also brands semi-tech short paper http://cypherspace.org/credlib/brands-technical.pdf |
| 20:38:08 | maraoz: | phantomcircuit: try using the p2p protocol, it's much faster |
| 20:38:40 | maraoz: | (you need to run bitcoind with -txindex option) |
| 20:39:17 | phantomcircuit: | maraoz, uh thanks |
| 21:16:19 | phantomcircuit: | woo 3% |
| 21:18:38 | gmaxwell: | maraoz: uhhh txindex shouldn't change _anything_ about the p2p behavior. |
| 21:18:42 | gmaxwell: | if it does, thats a bug. |
| 21:22:07 | maraoz: | gmaxwell: my bad! I thought if a node received 'getdata' for an old tx it would not answer unless it had -txindex on |
| 21:23:08 | phantomcircuit: | it wont answer regardless |
| 21:23:55 | phantomcircuit: | and im using the rpc stuff so i can get bitcoind to decode the transactions for me |
| 21:24:44 | maraoz: | ah, got it. you could try getting blocks via p2p if you wanted ALL transactions. |
| 21:34:28 | MRL-Relay: | [othe] if you just want all stuff(tx, blocks) in a db format, why not use bitpays insight? |
| 21:40:01 | phantomcircuit: | mariorz, yes but then i have to decode them myself |
| 21:40:17 | phantomcircuit: | MRL-Relay, because ew |
| 21:41:00 | MRL-Relay: | [othe] theres a hystoric sync tool in js which reads the dat files and puts them in a leveldb (can easily modified to put it to whatever db) - just saying |
| 22:32:23 | kyletorpey: | kyletorpey has left #bitcoin-wizards |
| 23:16:20 | Guyver2: | Guyver2 has left #bitcoin-wizards |
| 23:58:40 | gmaxwell: | Does anyone know if ABISprotocol on bct happens to be a new identity of Anonymint? |
| 23:59:07 | hearn: | i think ABISprotocol has been posting to github and bct for a long time (years) |