04:36:33wallet42:wallet42 is now known as Guest150
04:36:33wallet421:wallet421 is now known as wallet42
05:50:18fluffypony:basically PHP and the crypt library's implementations of bcrypt and some other hashing functions terminate on a null byte
05:50:35fluffypony:which is fine, until you pre-hash something and the output contains a string with null-bytes
05:50:59fluffypony:"The underlying problem is that combining cryptographic operators that weren't designed to be combined can be disasterous. Is it possible to do so safely? Yes. Is it a good idea to do it? No. This particular case is just one example where combining operations can be exceedingly dangerous."
05:51:40fluffypony:I guess half of the altcoins didn't get that memo...
05:51:47gmaxwell:man that page tool a lot of space to say the implementation wasn't binary clear.
05:52:07fluffypony:gmaxwell: hence my tl;dr :-P
05:52:36gmaxwell:fortunately most idiots will likely save themselves by feeding it the _hex_ of some other hash.
05:53:01gmaxwell:but indeed the point you're making from it is a good one.
05:53:18gmaxwell:Though I wish most of the broken things I've seen were even that subtle.
05:54:57fluffypony:I wonder if it isn't an inability of most of the "devs" to understand decentralised / assume malice / blockchain principles and then design conceptually with those in mind
06:18:09brisque:fuffypony: ita a totally different mind state than lots of people are taught. you sprinkle on security afterwards rather than baking it in.
06:20:54brisque:I've seen people several times post on bitcointalk with examples where they interfaced with bitcoind by passing input to a shell with bitcoin-cli, for example.
06:21:52fluffypony:* fluffypony shudders
06:23:04brisque:not to pretend that json RPC itself hasn't had sanitation problems.
06:37:06wallet42:wallet42 is now known as Guest45717
06:37:06wallet421:wallet421 is now known as wallet42
06:38:58wallet421:wallet421 is now known as wallet42
08:05:15kornbluth.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
08:05:15kornbluth.freenode.net:Users on #bitcoin-wizards: andy-logbot cbeams wallet42 binaryatrocity SDCDev oaavi CoinMuncher moa fanquake hktud0 Dr-G Mably RoboTeddy aburan28 dgenr8 coiner orik x98gvyn justanotheruser gonedrk Hybridsole molec dc17523be3 d1ggy crowleyman Tjopper hashtag prodatalab_ koshii Adlai PaulCapestany DougieBot5000 p15x_ NikolaiToryzin flower espes__ luny antgreen RastaRoyale zooko waxwing Emcy MoALTz shesek kyletorpey ahmed_ adam3us p15_ huseby face spinza sipa
08:05:15kornbluth.freenode.net:Users on #bitcoin-wizards: betarigs_admin melvster airbreather GAit nuke1989 go1111111 Visheate phedny dignork- s1w yorick amiller_ petertodd iddo_ kanzure LeMiner mkarrer_ arubi c0rw|away Iriez Luke-Jr hashtagg michagogo yrashk btcdrak catcow Muis cfields Zouppen sneak coryfields_ Starduster stevenroose tromp_ alferz gribble Cory LarsLarsen jcorgan cryptowest_ ajweiss berndj kinlo Logicwax midnightmagic Pan0ram1x devrandom crescendo wizkid057 bosma grandmaster harrow
08:05:15kornbluth.freenode.net:Users on #bitcoin-wizards: otoburb copumpkin wumpus jaekwon GreenIsMyPepper phantomcircuit BlueMatt jaromil Apocalyptic gwillen dasource bbrittain fenn amincd HM2 prepost tromp eordano nickler Alanius PRab BananaLotus guruvan ryan-c lnovy DoctorBTC ebfull cluckj brisque sdaftuar veorq helo Hunger- xabbix runeks null_radix bedeho gmaxwell SwedFTP epscy nanotube andytoshi bliljerk101 starsoccer comboy nsh Taek EasyAt maaku livegnik optimator fluffypony Meeh cursive
08:05:15kornbluth.freenode.net:Users on #bitcoin-wizards: yoleaux dansmith_btc [d__d] morcos Fistful_of_Coins dardasaba isis smooth Xzibit17 artifexd kumavis mariorz Krellan platinuum Oizopower Keefe catlasshrugged JonTitor eric mappum jbenet wiz heath gnusha warren AdrianG lechuga_ jessepollak Graet Eliel veox warptangent indolering K1773R TD-Linux leakypat CryptOprah Anduck a5m0 d9b4bef9 mr_burdell NeatBasis davout brand0 @ChanServ throughnothing btc___ azariah MRL-Relay hguux__ so roasbeef
08:05:15kornbluth.freenode.net:Users on #bitcoin-wizards: BrainOverfl0w
09:06:55wallet421:wallet421 is now known as wallet42
09:13:25wallet421:wallet421 is now known as wallet42
09:31:16crowleyman:crowleyman is now known as crwlymn
09:32:29crwlymn:crwlymn is now known as crowleyman
10:14:05c0rw|away:c0rw|away is now known as c0rw1n
11:22:01brisque:oaavi: probably more one for #bitcoin
11:26:06crowleyman:crowleyman is now known as crwlymn
11:28:20Guyver2:Guyver2 has left #bitcoin-wizards
11:31:26crwlymn:crwlymn is now known as crowleyman
12:45:58fluffypony:for anyone researching full node cost / capacity trade-offs (especially with larger blocks) this is good news: http://techreport.com/review/27909/the-ssd-endurance-experiment-theyre-all-dead
12:47:46nubbins`:10/10 would waste money on
13:08:24instagibbs:still waiting for HP to deliver on their memristors. Then we can stop worrying about UTXO size
13:31:01icallfone:icallfone has left #bitcoin-wizards
14:07:25dignork-:dignork- is now known as dignork
15:19:11luke-jr_:luke-jr_ is now known as Luke-Jr
15:22:30zooko:"Maxwell, the bitcoin wizard"
15:22:33zooko:from http://insidebitcoins.com/news/someone-may-be-deanonymizing-your-bitcoin-transactions
15:23:56brisque:zooko: the quotes from Chainalysis really piss me off. it's just for a "blog post", never mind the fact that they say on the front of their website that they are selling access to an API that does deep deanonymisation.
15:23:56heath:the bitcoin workshop at Stanford mentioned at the MIT Bitcoin Expo: http://blockchainworkshops.org/
15:24:12brisque:"Chainalysis customers get access to an API that allows them to determine which entity a transaction originates from, and whether the flow of funds originate from someone they would want to do business with."
15:24:22brisque:"He then went on to explain that the company is collecting data related to “bitcoin transfer activity between different countries.” They plan to share this data in an upcoming blog post."
15:24:53zooko:brisque: haven't read down to the quotes from Chainalysis yet.
15:24:59zooko:* zooko is slow.
15:25:13amiller_:zooko is live-casting his reading of the article :p
15:25:48sipa:amiller_: there should be an online service for that
15:26:08sipa:let's call it "Interactive Research Clarification"
15:26:44zooko:* zooko lol
15:27:26amiller_:i want to talk about a totally new idea today
15:27:39amiller_:this is in the category of, applications of absolutely outofthisworld moon math cryptography to bitcoin applications
15:27:56amiller_:todays bonker's crypto is: witness encryption https://eprint.iacr.org/2014/273.pdf
15:28:12fluffypony:oh thank goodness, I thought it was going to be ethereum for a second
15:28:28amiller_:snarks are kind of dull and oldhat by now
15:28:36sipa:* sipa faints
15:28:42zooko:* zooko col
15:28:48zooko:"chuckles out loud"
15:28:51amiller_:witness encryption is different, roughly with witness encryption you can take an arbitrary NP statement (i.e., a circuit), and use it as a public encyrption key
15:28:58zooko:The people in this coffeeshop are starting to eye me.
15:29:04sipa:i never got to the point where i could say i could even explain why somethng like snarks might be possible
15:29:11zooko:sipa: me too.
15:29:23sipa:i'm not talking about explaining snarks
15:29:24amiller_:you can encrypt a message such that anyone with a witness for that statement (i.e., a satisfying assignment such that the circuit outputs "1")
15:29:26zooko:And now I'm about to have a new thing that I can't understand crowding into my brain. witness encryption.
15:29:28amiller_:can decrypt the message
15:29:37zooko:amiller_: that's pretty awesome.
15:29:50amiller_:witness encryption is one of those things that's implied by indistinguishability obfuscation
15:30:36amiller_:so it's generically possible given some crazy assumptions about lattices or other multilinear maps, but the generic constructions are totally totally impractical, way worse than snarks or even fully homomorphic encryption
15:31:08amiller_:of course it's possible that there will be more efficient generic constructions, or that there will be efficient constructions for some limited class of statements, etc.
15:31:32realcr:amiller_: What would you do with this kind of construction, if it worked?
15:32:59amiller_:realcr, great question, that's actually what i wanted to talk about!
15:33:05andytoshi:hooray :) i actually know about witness encryption
15:33:28amiller_:okay so, if W.E. exists, we could use it so that proofs of work can decrypt a ciphertext.
15:33:36amiller_:that's similar to timelock encryption
15:33:57amiller_:but actually timelock encryption in crypto is pretty awful, like even though it loweer bounds the amount of time it takes to decrypt a thing,
15:34:32amiller_:a) it's still expensive, someone has to dedicate like a whole core-year to it if the time limit is a year, b) it's not amortized, to decrypt n messages you need n cores
15:35:07amiller_:so with W.E. you could make it so that you put a ciphertext in the blockchain, and after a month's worth of bitcoin proof of work, the miners have basically automatically decrypted it
15:35:25amiller_:because the W.E. circuit is basically a circuit that SPV checks a month-long proof of work chain
15:35:56amiller_:this would a) be amortizable, b) it uses the work bitcoin miners are already doing, and even better c) it can be pipelined
15:36:17amiller_:that is, if ther's a transaction that starts at block B and takes 1 year, then at B+6 months i can add a new one of these transactinos
15:36:29realcr:amiller_: I might not fully understand how w.e. works, but don't you need to know the instance x before you encrypt?
15:36:34amiller_:and in the following 6 months, the miners are simnultaneously finishing off decrypting the first transaction, while also putting in the first 6 months of work decypritng the second
15:36:34zooko:So, to dumb it down even more, for my benefit, WE can make time-lock-crypto actually practical, where the time-lock is a sufficiently long, or sufficiently work-bearing blockchain.
15:36:40andytoshi:realcr: nope :)
15:36:42amiller_:realcr, no you do not
15:36:50realcr:Oh cool.
15:36:53andytoshi:realcr: you have a secret key which lets you bypass the requirement for having a witness
15:37:00zooko:Until this moment, I thought time-lock-crypto wasn't good enough for my purposes.
15:37:03amiller_:okay so i have 1 more clever twist ending.
15:37:09amiller_:here's one application to motivate the big twist
15:37:17amiller_:you know how there's that lottery game
15:37:27fluffypony:realcr: so it lets you, for instance, create text that can only be decrypted by proof of a mathematical solution that doesn't yet exist
15:37:31amiller_:but since someone could just leave without revealing their commitment, everyone has to put in like N^2 deposits in total?
15:37:41andytoshi:(which does mean that -somebody- can bypass the timelock, specifically the encrytor, unless i'm remembering wrong)
15:38:10amiller_:well, you could use timelock encryption to make it so that if you don't reveal your commitment, after some time the miners will reveal it themselves
15:38:24amiller_:now, for the twist.
15:38:39realcr:fluffypony: It says in the article: An encryptor will take in an instance
15:38:44realcr:along with a message
15:38:48realcr:and run the encryption algorithm to produce a ciphertext CT
15:38:49amiller_:suppose you want to make it so that if you don't reveal something, like make a transaction that pays somewhere before a deadline, you want your plaintext to be revealed,
15:39:06amiller_:but if you *do* satisfy a condition, like pay out before the deadline, then you would prefer that the miners don't keep trying to reveal your secret
15:39:52amiller_:well, you can basically make a W.E. circuit that says, this ciphertext can be decrypted given X amount of work on a blockchain, as long as that blockchain does *not* include a transaction that pays out before the deadline
15:40:21zooko:* zooko applauds
15:40:31zooko:Two brain-breaking new things for me to digest.
15:40:31amiller_:so once miners start working on a blockchain that includes your transaction, they're no longer decrypting your message
15:40:35realcr:amiller_: It's really cool. I think I understand now.
15:40:48zooko:That latter thing is definitely one of those things that I thought was impossible.
15:40:52fluffypony:realcr: the trick is in the circuit, the circuit has to output a value, say 1, if x is the magical proof we expect, and 0 if it isn't
15:40:57zooko:Unfortunately, I need to go now. back in a bit.
15:41:10tromp:amiller: that cant be done SPV style though?!
15:41:10amiller_:ok thats all i got
15:41:20amiller_:tromp, i think that last part would require TXO commitments or something
15:41:38amiller_:well, utxo commitments
15:41:45realcr:fluffypony: And you just need to know ahead of time that x is actually inside the language L, and you do know that ahead of time. Cool.
15:41:49andytoshi:realcr: fluffypony: x is the instance of the problem; a witness w is the "proof" and you have some relation such that (x,w)=1
15:42:19tromp:amiller: yes, those would suffice
15:42:21realcr:I see. I mixed the ideas of witness and instance, but now I get it.
15:42:31realcr:tromp: What does spv stand for?
15:42:41tromp:simple payment verification
15:42:42sipa:realcr: simplified payment verification
15:42:47realcr:sipa: Thanks.
15:43:09sipa:read section 8 of the bitcoin whitepaper
15:43:27andytoshi:realcr: also be aware that the security property is a little weird: it says that if your instance x is -not- in the language, the encryption should be indistinguishable from random. it says nothing about if x -is- in the language, so to build actual cryptosystems you need to introduce other primitives which somehow "disguise" whether or not x is in the language
15:43:50andytoshi:c.f. the original W.E. paper which has no proof of security but otoh is easier to read http://eprint.iacr.org/2013/258
15:44:27andytoshi:there are a few pages of applications in there where they build public-key encryption, identity-based encryption, etc, from WE
15:44:41fluffypony:also a nice overview of W.E in general
15:45:56realcr:Do you think it is expected to be somewhat practical?
15:46:05realcr:I always fear that those things are just a far dream.
15:46:24andytoshi:realcr: one day, yes, but we are not close
15:46:27realcr:I mean practical by computation time etc. The math seems to be solid.
15:46:33realcr:I see.
15:46:57amiller_:realcr, the math is still questionable too tbh
15:47:07sipa:realcr: "the math seems to be solid", i doubt there are many people in the world who could reasonable make that statement
15:47:28andytoshi:my feeling is we should totally scrap this graded-encoding paradigm (as well as multilinear maps for that matter, even if they exist they won't be quantum hard) and think about building arbitrary oblivious circuits from something simpler like lattices
15:47:45amiller_:the assumptions are kinda out there, the top theory people are basically still exploring whether there's attacks that break the whole thing down or better assumptoins that suffice
15:47:47realcr:I looked at a few pages at random, and the math consequences seemed to be valid :) That's how you probabilistically check proofs.
15:47:59amiller_:realcr, hahaha :D
15:48:07andytoshi:realcr: the problem is that there are no axioms at the bottom, just super sketchy "assumptions"
15:48:18andytoshi:also haha at PCP :)
16:44:23instagibbs:assume crypto assumptions are spherical
18:36:52mrkent_:What are major reasons why someone wouldn't use default port while running bitcoin node
18:38:39gmaxwell:Their local network blocks it. Otherwise? I have no suggestion.
19:26:04maaku:because they don't want incoming DNS seed connections? i don't know
19:28:47gmaxwell:s/DNS seed/
19:28:53phantomcircuit:maaku, i dont think that would work
19:29:05phantomcircuit:if you make outgoing connections iirc you tell your peers about which port you're using
19:29:11gmaxwell:using a non-default port makes other nodes avoidconnecting to you.
19:29:20maaku:phantomcircuit: the DNS seed doesn't report non-standard port addresses
19:29:24phantomcircuit:non default ports are shunned?
19:29:54maaku:why is non-default ports shunned by bitcoind? that's news to me
19:34:21gmaxwell:amiller_: how is witness encryption adifferent from attribute based encryption?
19:38:40gmaxwell:maaku: to prevent people from making the network into a big nussance of connecting to non-nodes.
19:39:06gmaxwell:maaku: they're only connected to as a last resort if you're unable to get connected for a while (e.g. if the port is blocked outbound for you)
19:40:05maaku:gmaxwell: because the presumption that non-nodes connect via different ports?
19:40:35gmaxwell:I'm not following.
19:41:17maaku:why does it matter what port a node uses?
19:41:43gmaxwell:Bitcoin Core will not connect out to anything except 8333 unless its unable to get connected. This prevents an attack where someone announces, say, bob's fizzle-bop server as a 'node' and then 100,000 bitcoin nodes irritate bob by connecting to him over and over again.
19:41:58gmaxwell:(and then Bob files abuse complaints against random Bitcoin users)
19:45:01Taek:they would connect over and over again?
19:46:16fluffypony:Bob would be like a masternode
19:50:54maaku:gmaxwell: ok thanks that was my question
19:58:04phantomcircuit:Taek, no but it would be enough for lots of nodes to try to connect even periodically
20:21:04adam3us:amiller_: "way worse than fully homomorphic encryption" :( aka impractical, check back in a decade or so?
20:21:29phantomcircuit:horray i've loaded 635000 out of 62297829 transactions into my sql db
20:21:37phantomcircuit:only ~100% more to go
20:21:57kanzure:phantomcircuit: why are you taking so long?
20:22:13phantomcircuit:kanzure, dat bitcoind rpc yo
20:22:15adam3us:sipa: i think the brands credential scheme gives some indication of why snark-like things might work. a simplish generalisation/extension to schnorr signatures and then you can prove execution of a tiny/simple program (a small boolean circuit)
20:25:06adam3us:sipa: ftp://ftp.inf.ethz.ch/pub/crypto/publications/CamSta97b.pdf shows how to use brands respresentation problem and tree representations also brands semi-tech short paper http://cypherspace.org/credlib/brands-technical.pdf
20:38:08maraoz:phantomcircuit: try using the p2p protocol, it's much faster
20:38:40maraoz:(you need to run bitcoind with -txindex option)
20:39:17phantomcircuit:maraoz, uh thanks
21:16:19phantomcircuit:woo 3%
21:18:38gmaxwell:maraoz: uhhh txindex shouldn't change _anything_ about the p2p behavior.
21:18:42gmaxwell:if it does, thats a bug.
21:22:07maraoz:gmaxwell: my bad! I thought if a node received 'getdata' for an old tx it would not answer unless it had -txindex on
21:23:08phantomcircuit:it wont answer regardless
21:23:55phantomcircuit:and im using the rpc stuff so i can get bitcoind to decode the transactions for me
21:24:44maraoz:ah, got it. you could try getting blocks via p2p if you wanted ALL transactions.
21:34:28MRL-Relay:[othe] if you just want all stuff(tx, blocks) in a db format, why not use bitpays insight?
21:40:01phantomcircuit:mariorz, yes but then i have to decode them myself
21:40:17phantomcircuit:MRL-Relay, because ew
21:41:00MRL-Relay:[othe] theres a hystoric sync tool in js which reads the dat files and puts them in a leveldb (can easily modified to put it to whatever db) - just saying
22:32:23kyletorpey:kyletorpey has left #bitcoin-wizards
23:16:20Guyver2:Guyver2 has left #bitcoin-wizards
23:58:40gmaxwell:Does anyone know if ABISprotocol on bct happens to be a new identity of Anonymint?
23:59:07hearn:i think ABISprotocol has been posting to github and bct for a long time (years)