02:20:03zooko:http://eprint.iacr.org/2015/235
02:22:05nsh:ty zooko :)
02:22:13nsh:is PET on atm?
02:22:26kanzure:positron emission tomography?
02:23:21nsh:privacy-enhancing technologies sympoconfomeetothings
02:23:55nsh:(if you twitter search 'privacy-enhancing' you get a lot of photos of bathrooms)
02:26:00nsh:(nope, PETS is next on in July in Philly)
02:26:17nsh:or June 30 -- July 2
02:28:19zooko:nsh: I just saw that paper from twitter from Frederic Jacobs:
02:30:24nsh:* nsh nods
04:28:49prodatalab__:prodatalab__ is now known as prodatalab
05:28:36maaku:maaku is now known as Guest85609
06:10:19fanquake:fanquake has left #bitcoin-wizards
06:32:38s1w-:s1w- is now known as s1w
08:05:16verne.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
08:05:16verne.freenode.net:Users on #bitcoin-wizards: andy-logbot damethos prodatalab_ thrasher` cbeams lclc_ Rynomster hktud0 Crowley2k coinheavy go1111111 bedeho s1w dgenr8 RoboTeddy orik Guest85609 coiner PRab p15 Apocalyptic Dr-G molec d1ggy_ zooko hashtag mkarrer xerox iddo copumpkin DoctorBTC Burrito justanotheruser espes__ PaulCapestany arubi bramc x98gvyn crowleyman nuke1989 adam3us1 waxwing hashtag_ MoALTz LeMiner jaekwon_ Emcy_ grandmaster HM adams_ SubCreative Adlai AdrianG devrandom
08:05:16verne.freenode.net:Users on #bitcoin-wizards: roasbeef spinza dc17523be3 OneFixt JonTitor jcorgan antgreen` Tiraspol GAit harrow tromp_ Pan0ram1x cluckj Starduster shesek Transisto [d__d] Luke-Jr realcr binaryatrocity kyuupichan NikolaiToryzin luny antgreen ahmed_ huseby face betarigs_admin melvster airbreather Visheate phedny dignork yorick amiller_ petertodd kanzure Iriez michagogo yrashk catcow Muis cfields Zouppen sneak coryfields_ stevenroose alferz gribble Cory LarsLarsen cryptowest_
08:05:17verne.freenode.net:Users on #bitcoin-wizards: ajweiss berndj kinlo Logicwax midnightmagic crescendo wizkid057 otoburb wumpus GreenIsMyPepper phantomcircuit BlueMatt jaromil gwillen dasource fenn tromp eordano nickler Alanius BananaLotus guruvan ryan-c lnovy ebfull sdaftuar veorq helo Hunger- xabbix runeks null_radix gmaxwell SwedFTP epscy nanotube andytoshi bliljerk101 starsoccer comboy nsh Taek EasyAt livegnik optimator fluffypony Meeh cursive yoleaux dansmith_btc morcos Fistful_of_Coins
08:05:17verne.freenode.net:Users on #bitcoin-wizards: dardasaba isis smooth Xzibit17 artifexd kumavis mariorz Krellan platinuum Oizopower Keefe catlasshrugged eric mappum jbenet wiz heath gnusha warren lechuga_ jessepollak Graet Eliel veox warptangent indolering K1773R TD-Linux leakypat CryptOprah Anduck a5m0 d9b4bef9 mr_burdell NeatBasis davout brand0 @ChanServ throughnothing btc___ azariah MRL-Relay hguux__ so BrainOverfl0w
10:37:06nickguest:solo mine spartancoin
10:37:44nsh:* nsh looks at nickguest
10:42:26fluffypony:nickguest: has spamming that junk ever worked for anyone ever?
10:42:27fluffypony:hint: the answer is no.
11:02:02phantomcircuit:ffs nobody with ops is awake
11:04:53phantomcircuit:sipa, nickguest is trying to spam some silly altcoin
11:06:18sipa:sipa has kicked nickguest from #bitcoin-wizards
11:06:41sipa:phantomcircuit: i've warned him about it before
11:09:11phantomcircuit:sipa, thanks
11:33:07Muis:Is there a proven method to distract a pseudo-random number from the chain that cannot be influenced by miners, or is that impossible by design?
11:34:38stonecoldpat:what do you mean by distract
11:34:41sipa:you can make it arbitrarily expensive
11:34:45sipa:he means extract
11:34:48stonecoldpat:ah sorry
11:34:56sipa:but you can't make it non-influencable
11:37:42phantomcircuit:sipa, arbitrarily expensive?
11:39:32sipa:by waiting long enough
11:41:37phantomcircuit:sipa, oh
11:42:00phantomcircuit:sipa, well you can get reasonably small amounts of entropy from the high? low? bits of the blockhash
11:42:04phantomcircuit:but that's about it really
11:42:49phantomcircuit:it would cost whatever the block reward is multiplied by 2^(fixed bits beyond target) to cheap
11:42:51phantomcircuit:cheat*
11:43:05phantomcircuit:even a small amount of cheating would be very expensive
11:43:16stonecoldpat:argubly that random number (blockhash) is influenced by the miner, if its a random number he doesnt like, then he doesnt publish it (at the cost of 25btc)
11:43:33stonecoldpat:^ just as you said...
11:49:40phantomcircuit:stonecoldpat, yeah i wouldn't suggest it for sure since there are better sources of entropy
11:50:01phantomcircuit:but for an application where you need widely witnessed entropy from the future
11:50:09phantomcircuit:well i cant actually think of anything else
11:51:00Guest89372:Guest89372 is now known as berndj
11:52:31Muis:if you take the hash of all the blocks in the chain
11:52:45Muis:does that make the number more random or secure than the hash of the last block
11:53:22phantomcircuit:sure but it's predictable
11:53:25Muis:since then an attacker would have to start from genesis
11:53:31phantomcircuit:or i guess known?
11:53:32Muis:how do you mean predictable?
11:53:47phantomcircuit:i dont mean you can predict the next one
11:53:56Muis:ah okay :)
11:53:59phantomcircuit:i mean that if you start now using previous block hashes doesn't help
11:54:04phantomcircuit:since everybody already knows those
11:54:29Muis:i dont mean the previous block hashes, but hashes over the full block (more work-intensive)
11:54:42Muis:but that doesnt change much to the concept
11:55:18stonecoldpat:Muis: the blockheader should already be the hash of all the blocks in the chain
11:55:33Muis:true
11:55:47Muis:but if you are a miner
11:55:55Muis:and you want to influence the random miner
11:56:47Muis:its harder to find a hash with difficulty X over the contents of all blocks, then to find over a hash, since that doesnt require much I/O
11:57:09Muis:*random number
11:59:33Muis:so SHA(SHA(B[0] + B[1] + B[2])) instead of SHA(SHA(MERKLE[0] , MERKLE[1])), etc.
12:00:37stonecoldpat:intuitively i think both of them are the same thing
12:00:56Muis:I guess they aren't
12:00:58stonecoldpat:since under all of that - the randomness comes from the signatures which both of them include
12:01:05Muis:because when you say: the order of the blocks doesnt matter
12:01:11Muis:and you want to try all combinations of orders
12:01:18Muis:would you rather hash hashes or hash blockcombinations?
12:01:55stonecoldpat:thats what i mean, hash hashes or hash block combinations, both of these are increated from the randomness in the public keys and ecdsa signatures, they are just different represetnations of the same randomness
12:02:09stonecoldpat:both of these are created*
12:02:13Muis:true
12:02:23Muis:but the sheer amount of data is much bigger
12:02:40Muis:and the time for a hash is dependant on the amount of data
12:02:55stonecoldpat:a hash just makes something look more random, but it may not necessarily be any more random than something that used the same source
12:04:05Muis:true
12:04:15stonecoldpat:ive got to run, but it is an interesting thought experiment
12:04:17Muis:but I mean it requires all miners to have fast access to a copy of the whole chain
12:04:26Muis:that is good for SPV nodes :)
12:04:44Muis:you cannot make such garantuees by hashing hashes
12:06:03Muis:phantomcircuit: suppose my 'coin' uses the bc.info to fetch a random value from bitcoins chain, instead of my own (poor secured) chain
12:06:16Muis:which value should I use?
12:06:48Muis:the number of transactions in a block? the block hash? something else?
12:07:55Muis:I just need the bitcoin protocol to give me a INT32 that I know is expensive too cheat, and will change frequently
12:08:44Muis:the total number of bytes from the block maybe?
12:26:52kanzure:Muis: fetching data from blockchain.info is a very bad design decision
12:27:31Muis:kanzure: if they dont trust it, they can use another explorer, or run a full client
12:28:00kanzure:that's not how consensus works
12:28:06Muis:i am not creating a financial network, so most people will trust blockchain.info to publish the correct chain, more than they have trust in my network
12:28:42kanzure:arguably you are not; you are creating a security vulnerability waiting to happen.
12:30:19eudoxia:he does have a bit of a point about trust
12:30:48eudoxia:then again there's probably a way you can offer users to verify your chain is the consensun
12:30:51eudoxia:consensus*
12:30:59kanzure:yes, it's possible that his software does not implement decentralized consensus, but integrating with a third party api like blockchain.info is trivial so i would assume that's not what he's asking about
12:43:46Muis:i need to select random miners for my blocks, and it seems more logical to pick them based on a random number in the bitcoin chain, then to let them do massive amounts of pow just so I can select one
12:47:40justanotheruser:Muis: what are you doing?
12:48:06kanzure:you could pick the same pubkey that mined the latest bitcoin block
12:48:12kanzure:in fact, you can implement bitcoin consensus
12:48:26kanzure:and directly connect to the bitcoin p2p network
12:48:28justanotheruser:PoW is only partially there to randomly select a miner. It is also there so it is prohibatively costly to create a fork.
12:50:50Muis:what I want to accomplish is that I can group my nodes in 255 groups
12:51:10Muis:they are free to pick a group, but they are not free to switch groups faster than 10 blocks
12:51:27Muis:then every block I select a random group that is allowed to mine
12:51:41Muis:and all others groups can switch off their equipment during that block
12:51:57Muis:since they already know they can never get the block reward
12:52:52Muis:now if the numbers I pick are reasonably random
12:53:03Muis:then won't my network offer better security as bitcoin with less power?
12:53:43Muis:since miners have no incentive to switch groups
12:53:52Muis:you could even allow them to already do PoW for their group
12:54:00kanzure:your idea seems to be vulnerabile to sybil
12:54:01Muis:and that that PoW stays valid for 3 blocks
12:54:05Muis:why?
12:54:09sipa:sipa has left #bitcoin-wizards
12:54:25Muis:if the group-number is included in the hash?
12:54:28kanzure:for the same reason all of your other ideas are vulnerable to sybil. we were just talking about this yesterday. read the backlog.
12:54:34Muis:how can a an attacker mine for two groups?
12:55:00Muis:if he can proof he spend X work for group X
12:55:02kanzure:identity just doesn't work. that's what sybil is able to exploit.
12:55:08Muis:and cannot do X work for all groups?
12:56:04justanotheruser:Muis: https://download.wpsoftware.net/bitcoin/pos.pdf
12:56:27Muis:the flaw in proof of stake seems to be that there is nothing at stake
12:56:34justanotheruser:basically decentralized consensus works through the burning of an external resource and probably can't be done otherwise
12:56:35Muis:so you can easily mine at two chains simultanously
12:56:54Muis:that flaw is not present in my idea?
12:57:00justanotheruser:yes, but this paper can apply beyond PoS
12:57:06Muis:so if there is a second flaw in PoS
12:57:30Muis:i am curious to know it. but I will read the paper first
12:57:33justanotheruser:Muis: so it's impossible for anyone but the selected miner to mine the block?
12:57:43Muis:justanotheruser: no
12:57:56justanotheruser:okay, so they can mine a fork and forge the timestamp
12:58:06kanzure:i agree with justanotheruser that pos.pdf is about more than just proof-of-stake
12:58:38Muis:its impossible for anyone outside the selected group to mine the block
12:58:45kanzure:haha
12:59:13justanotheruser:Muis: basically how do you prove you're in a group
12:59:34Muis:suppose we say a group = a gps coordinate, and you publish yours, and the difficulty is the distance between your coordinates and the target. then everyone can mine a block, but some are more lucky than others, because their location is closer to the target
12:59:47kanzure:gps is spoofable
12:59:54Muis:you proof you are in a group by comitting to a group
13:00:01kanzure:no
13:00:10Muis:so I hash my own gps coordinates for 2 years long
13:00:13kanzure:please read more about sybil attacks
13:00:18Muis:and I collect proof of work for that location
13:00:42Muis:if I want to collect pow for other coordinates
13:00:49Muis:how would that work? I would have to split the work
13:00:52justanotheruser:Muis: okay, so ignoring the fact that GPS is spoofable, I rent 255 servers for $2/month and they all talk to my full node multiplying my profits by 255
13:01:06Muis:that doesnt work
13:01:25Muis:i mean it does work
13:01:29justanotheruser:lol
13:01:37Muis:but you are at a disadvantage to the people that are really in that group
13:02:17Muis:because you do POW together with a partner, you hash eachother responses
13:02:32Muis:and you will always be the slowest one because of your proxy
13:02:36kanzure:trivial to just join a billion groups. there's no such thing as identity so you can run as many fake nodes in fake groups as you want.
13:02:36justanotheruser:yeah, my partner is another program running on my server
13:04:00fanquake:fanquake has left #bitcoin-wizards
13:04:18Muis:you commit PoW to a group, so you cannot join a thousands groups, and be the biggest every where. and you can do pow together with somebody else in that group. Suppose I have 10000 sybils, if I want to join group X, i need a 10000 real people that want to partner with me, otherwise I have to do twice the work for half the reward
13:04:47Muis:so unless thats a very popular group, every miner most likely already has a partner there
13:04:54prodatalab_:prodatalab_ is now known as prodatalab
13:04:56kanzure:not half the reward
13:06:45justanotheruser:you keep redefining this system
13:07:34justanotheruser:and requiring a group creates a huge economy of scale.
13:07:46Muis:economy of scale?
13:08:08justanotheruser:it becomes more profitable the more money you spend
13:08:55Muis:suppose we label the group by GPS coordinates, you can make them more precise? So first you mine for your continent, later you mine for your country or city, and when its mainstream you mine for your street.
13:09:15justanotheruser:ehh, read up on sybil attacks, this isn't workable
13:09:19Muis:wouldnt that spread out nicely across the globe, instead of 3 large datacenters
13:09:42justanotheruser:there is no trustless proof-of-coordinate
13:09:44kanzure:Muis: http://en.wikipedia.org/wiki/Sybil_attack
13:09:59Muis:I prevent the sybil attack by including the group-name in the pow hash?
13:10:16Muis:and I cannot think of a way an attacker could get around that
13:10:28justanotheruser:by writing a different group name
13:10:30Muis:because the amount of work you did for group X prooves your weight in that group
13:10:51Muis:how can you write a different group name?
13:11:09justanotheruser:Muis: okay, so alice is mining in one group right?
13:11:13Muis:yes
13:11:14justanotheruser:and bob is mining in another group right?
13:11:17Muis:yes
13:11:32justanotheruser:and alice can't be in bobs group at the same time?
13:11:36justanotheruser:right?
13:11:44Muis:alice can be in bobs group
13:11:52justanotheruser:but, since they're in another group they can't be
13:11:54Muis:but she must split her hash-power equalyy between the groups
13:12:05Muis:ok
13:12:30justanotheruser:well if you are using maximal hashpower your system doesn't accomplish it's original goal of reducing elecricity expended
13:13:11justanotheruser:but sure, you can put "Hey guys, I'm in group 193" in the coinbase if you like, not that it would do anything
13:17:14Muis:If a group decides to mine even though their group-number is so far away from the target, that they most likely always will be beaten, that's their choice, and in that case electricity is not reduced. but for the rational miners it is
13:18:19Muis:so if only 50% of them act rational and financially motivated, then 50% energy is saved
13:19:16kanzure:group membership doesn't work like that
13:19:31Muis:why not
13:19:39kanzure:do you know what i am going to say?
13:19:44Muis:screw you
13:19:50Muis::)
13:19:52kanzure:i am just asking
13:19:54Muis:no what did you plan to say?
13:19:57Muis:no
13:20:02kanzure:http://en.wikipedia.org/wiki/Sybil_attack
13:20:06Muis:lol
13:20:29Muis:I am willing to read all I can, but I still haven't heard a practical example of how someone can cheat in my scheme
13:20:37Muis:and I thought justanotheruser was about to explain one
13:22:43Muis:you pay 'rent' for a group, if you want to join multiple, no problem, but you pay much more in rent for many groups were you contribute small hashpower, than renting one group and focussing all your power there
13:23:06justanotheruser:Muis: your system has only been defined to the extent that you can throw on another component and fix the problem I just explained, only to create another problem.
13:24:42justanotheruser:Pastebin a definition for the system that is thorough enough so you can't say "oh, this additional component will fix that" in response to me pointing out a flaw.
13:25:09Muis::)
13:26:22kanzure:Muis: i think the more interesting thing you should be trying to learn is why bitcoin seems to be sybil-resistnat.
13:26:27kanzure:whoops i mean sybil-resistant
13:26:40kanzure:rather than trying to come up with your own sybil-resistant implementation (which so far you have not been able to do....)
13:28:26Muis:isnt it sybil resistance because you proof you dedicated effort into something that isnt fungible?
13:29:03kanzure:nope, bitcoin is sybil-resistant because who you are doesn't matter
13:30:15Adlai:bitcoin's PoW is equally difficult if you make your one huge mining farm look like $maxint small miners
13:30:15Muis:its not 1 cpu = 1 vote anymore, so who you are is defined by the amount of hash-rate that you have
13:30:33Adlai:there's no "who you are", only "what you can do with the hardware you control and the energy you feed it"
13:30:34kanzure:"1 cpu = 1 vote" was the wrong idea
13:30:50Muis:why
13:31:09kanzure:because it's nonsense. votes don't even make sense. there's no way to "register" a single cpu. it's all kinds of dumb.
13:31:13justanotheruser:oh here comes the vote discussion
13:31:36kanzure:"1 cpu 1 vote" is not sybil-resistant
13:31:49Muis:lol
13:31:49Adlai:it's closer to "1 hash/second = 1 lottery ticket"
13:31:53Muis:its in the Satoshi paper
13:32:17justanotheruser:the important thing is it still is 1 cpu 1 vote in the sense that now a 1000000 CPUs can fit into a single piece of hardware
13:32:18Muis:but it was the wrong idea and not sybil-resistant?
13:32:22Muis:does Satoshi know that?
13:32:38kanzure:there are many things that satoshi didn't know
13:32:40kanzure:like how to write a standard
13:32:42justanotheruser:Muis: he just disagrees with using the word "vote" to describe it
13:32:55kanzure:justanotheruser: i also disagree with the "1 cpu" thing too.
13:33:14Muis:im trying to find a way to bring back the idea of 1 person = 1 vote, and there may be solutions to accomplish that, and it could that it turns out that CPU was a bad measurement
13:33:30kanzure:Muis: there was never an idea of "1 person = 1 vote". sorry.
13:33:54Muis:1 person = 1 cpu = 1 vote
13:33:59kanzure:Muis: there is no way for a computer to "know" "your identity"... that's not a computable concept.
13:34:02justanotheruser:1 hash one lotto ticket!
13:34:21Muis:lets stick to the lotto ticket analogy
13:34:26Muis:suppose I can buy a lotto ticket
13:34:41kanzure:you can't...
13:34:45Muis:and with every ticket sold I decrease the total jackpot, and my own expected value
13:34:54Muis:would I buy two tickets? or 1000 as a Sybil?
13:35:23Muis:it would be in my best interest to act rational and buy one
13:35:39Muis:and hope that other people act rational too
13:35:46Muis:but Im assured that even if they do not
13:35:50Muis:they will make a loss
13:36:25Muis:so on average, they will
13:39:18p15x:do you know about the prisoner's dilemma
13:58:32Muis:yes
13:58:54Muis:its kinda similar
14:06:29stonecoldpat:I would agree with Aldai in the defintion that its more a lottery ticket than a vote
14:06:49stonecoldpat:its not the most votes who win, its just who gets the winning lotto ticket
14:08:16smooth:kanzure: who you are does matter in a way, because 51 people with 1% of hash power each is not the same as one person with 51% hash power
14:08:36kanzure:smooth: what do you mean?
14:08:45smooth:the incentives are different
14:09:36smooth:the assumption of the poorly named 1-cpu-1-vote is that all votes are "small"
14:16:37justanotheruser:smooth: all votes are about the same size because rational actors will use up to date ASICs
14:16:58justanotheruser:1 cpu 1 vote doesn't really imply a person can't have 10000 CPUs
14:17:09smooth:yes thats why i said its poorly named
14:17:20justanotheruser:oh, I see
14:17:34smooth:although i would argue it DID imply that
14:18:11smooth:well maybe 10k cpus fine, but not say 100m or more
14:20:50Muis:would there buy a problem if PoW is not coupled to a block
14:21:06Muis:that you can save it, as long as it can only be used once?
14:25:00Muis:my feeling says its insecure, but I cant really figure out why
14:26:50Muis:so for example, the only requirement for bitcoin miners is that they provide a hash for the string "BITCOIN" + random, which meets the difficulty, but the hash does not include the timestamp nor the blocknumber.
14:27:19Muis:and once you use one your hashes to create a block, you cannot use that same hash again for another block
14:28:43Muis:but you may store them or sell them as long as they dont get published
14:28:48stonecoldpat:if i understand what your saying... that means that hash could be used for *any* block, you produce the hash, i steal it and use it with my block - theres no criteria to stop it being used more than once
14:29:23stonecoldpat:the PoW is used to protect the integrity of the block - to make sure its contents cannot be changed without changing the PoW
14:29:25Muis:but if the hash is recorded in the chain, you could just lookup if its already used?
14:30:12Muis:if I produce it you can steal it, but we cannot both use it on the same chain
14:31:17stonecoldpat:the reason it cant be stolen today is because it is coupled with a block - otherwise its up to anyones discretion to choose which chain they follow - as using *any* pow with a block would allow infinite possible chains
14:32:06Muis:okay, thats true
14:32:24Muis:so if you couple a time, but not a block, does that make things different?
14:33:01stonecoldpat:well, the PoW acts as a relative timestamp - thats why it solves the decentralization problem
14:33:39justanotheruser:Muis: progress in PoW is bad. If you want more reading, pow.pdf is easier to understand and a nice read.
14:33:41Muis:relative to the blockheader it hashes
14:33:58Muis:justanotheruser: i will, tnx
14:41:33andytoshi:Muis: can you make precise this "more tickets you buy the smaller the jackpot gets" notion? specifically what is the likelihood of winning (i guess (#tickets bought)/(#total tickets)) and how does your jackpot function work ... i wonder if it's possible to set one up such that for each player the maximum expected payoff is achieved for 1 ticket (not zero) or at least for some small finite number of
14:41:36andytoshi:tickets
14:42:48Muis:It works exponential
14:42:52andytoshi:i think that's a well-defined mathematical problem, i think in solving it you'll convince yourself it's impossible (but maybe not, which would interest me too), and should provide some intuition about game theory ... then we can worry about things like "how to determine the number of tickets bought"
14:43:01Muis:So it decreases really quickly
14:43:10Muis:But starts very large
14:43:30justanotheruser:is the sybil problem even what a PoW solves? If sybil is solved, you need an incentive to keep all the actors in line.
14:43:37andytoshi:what i'm asking for is a mathematical proof that expected utility for each player is maximized if the player buys some small nonzero number N of tickets
14:44:38Muis:I am trying to accomplish that by making the entry fee for the lottery higher than the expected payout
14:44:56Muis:But because transaction fees also happen to be entry fees
14:45:08andytoshi:do whatever you want; i'm telling you that you can mathematically prove whether or not it accomplishes your goal (which i have stated precisely for you)
14:45:13Muis:People dont mind if they loose if they needed to make one anyway
14:45:59Muis:But if you buy tickets (make transactions) just for the jackpot
14:46:07andytoshi:and i'd like you to do this because these sorts of handwavey arguments don't accomplish anything; i suspect all parties are talking past each other because english is ambiguous and super bad at detecting miscommunication.
14:46:10Muis:You have a negative expected value
14:46:28andytoshi:no. write out the equations.
14:46:38Muis:I will try to make some document which proofs this
14:49:48Muis:But it can all be boiled down to this: in a regular lottery you buy tickets. here you get a ticket for free with each transaction, but they earn less on average than the tx fee costs.
14:53:10Muis:Would you join that lottery unless you really had to make a transaction? If your answer is no andytoshi, then it must be proovable
14:55:49kanzure:andytoshi: i think this guy is just bad at reading
14:55:55andytoshi:Muis: it's easy to make the EV negative regardless of the number of tickets i buy, have your payout function be 0. i thought you wanted to encourage participation but not sybilling, so you want my optimum number of tickets to be positive but not infinite
14:55:57kanzure:andytoshi: i don't have any other explanations to give you
14:56:41smooth:Muis: do this: < andytoshi> no. write out the equations.
14:56:57smooth:you are risking unnecesarily alienating people at this point
14:57:40Muis:andytoshi: I encourage particpation by giving away free tickets to the people paying TX fees?
14:57:47andytoshi:kanzure: :/ Muis: i'd like you to explore the math probelm i gave you above (devise a jackpot function which does what you want), i can't respond anymore to you until you do it because it's using a lot of -wizards scrollback, as well as the time of myself and other readers; i'm saying this because it's true, not to be mean
14:59:18stonecoldpat:+1 andytoshi point, unless you write a clear description then its hard to debate (as seen earlier by 'adding-on' new components)
14:59:20Muis:Okay, np
15:05:00Muis:Every TX is a ticket, every ticket earns back its total transaction-fee but only every 3 blocks on average. That is a good lottery if I need to make TX for other reasons, and a bad lottery if I try to use it to sybil attack or to make profits or spam. Thats a clear and well defined scheme.
15:48:17andytoshi:Muis: why do you say "every 3 blocks on average" instead of just "consistently 1/3 its fee" ... introducing randomness seems like totally unnecessary complexity. then why 1/3 rather than 0? i don't see how that changes the incentives. finally: if your transactions receive no payout (which i think is incentive-equivalent to what you described) what do you think you have accomplished? "here's my
15:48:20andytoshi:system: there are transactions"?
15:48:57amiller_:andytoshi, i think what he's saying is very simple, i don't see what you're sending him to the chalkboard for
15:49:00amiller_:he's just saying there's a -EV lottery
15:49:12amiller_:that's easy, you just delete some fraction of the transaction fees
15:50:16amiller_:and i think the point that he's making is one that i like to make, which is that people play -EV lotteries all the time, that's why charity fundraising drives often have 'raffles'
15:50:24andytoshi:amiller_: earlier he was suggesting a +EV lottery except it's -EV if you buy more than one ticket (to discourage sybilling). somehow he is trying to assemble a consensus system from all this, i'm just giving him subproblems so he can see what a concrete piece of something looks like
15:50:25zooko`:zooko` is now known as zooko
16:17:52Muis:andytoshi: always 1/3 is not the same as once every 3 blocks. Because when I have to make a single TX, one in 3 times i will make a profit and double my fee. And the other two times I loose nothing. With your scheme i can predict my return, which is not wanted
16:19:37Muis:Its true that over a long period it will have the same returns
16:20:54gmaxwell:gmaxwell has left #bitcoin-wizards
16:33:24StephenM_:StephenM_ is now known as StephenM347
16:40:17kanzure:"I am your enemy, the first one you've ever had who was smarter than you. There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy tells you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you. I am ...
16:40:23kanzure:... your enemy from now on."
16:42:57amiller_:andytoshi, agreed. Muis I don't want to discourage you because i think there's something useful in there, trying to design more carefully the incentive reward / lottery scheme to achieve some kind of effect on the participation distribution.
16:43:13amiller_:but it's really hard to analyze all this even just by thinking through it
16:43:34amiller_:try to find any way you can to break off a chunk of this as a subproblem and just discuss that maybe
16:44:19amiller_:i think do think that a -EV lottery is self-stabilizing and resistant to sybils
16:44:57amiller_:the economic assumptions that could justify this are a) individuals play lotteries, but only a limited amount over time, e.g. people that spend $10/week on lottery tickets or a few hours at a casino a year
16:45:29amiller_:and b) as a trend, "large entities" tend to be closer to expected utility theory and less likely to gamble compared to small individuals
16:46:04amiller_:the first one (a) is needed to justify having a -EV incentive scheme in the first place, and the second one (b) is why a -EV is inherently sybil resistant
16:47:14amiller_:anyway, this is a "subproblem" because i'm just talking for now about participation levels (who spends resources to participate and how much), and it doesn't say anything about "mining" or consensus reallly
16:48:08amiller_:forget about consensus and blocks and tx fees for now, if the incentive stuff ends up appealing, we could probably build a mining game around it, but its the incentive stuff that's weird / interesting to start with.
16:49:25kanzure:there may be valuable immunity in a direction like "fraud proofs and once showing a fraud proof being able to replace a large participant with any number of smaller participants without losing out on hashrate or being vulnerable to hashrate attacks from the larger participant that might decide to switch to your separate blockchain to mess with your retargeting".
16:50:05kanzure:(that sort of immunity makes larger participants less problematic)
16:50:49kanzure:((i was not proposing a mechanism))
17:21:16kanzure:"Password recovery attacks against RC4 in TLS" http://www.isg.rhul.ac.uk/tls/RC4passwords.pdf
17:52:31Guest85609:Guest85609 is now known as maaku
18:08:52huffer:Yeah, hello :) I was watching a talk of DevCore, and Gavin mentioned this chat room so I wanted to check if it exists :)
18:09:46Adlai:indeed it does, although discussion is slow sometimes (and rapidfire at others)
18:09:50huffer:so it does exist, though it’s awfully quiet in here
18:09:51huffer::)
18:10:10huffer:well, many thanks Adlai
18:10:10Adlai:all but the busiest irc rooms have dead time
18:11:07huffer:I don’t have a topic of discussion for now so I won’t bore you or distract you guys anymore - but thanks for future conversations
18:12:25phiche1:@huffer that's how I found this channel too. It was busy earlier today. Don't worry there is probably plenty of stuff in here to look forward to that will go right over your head (like mine)
18:13:12Adlai:if you're looking for immediate gratification, see /topic
18:13:15huffer:cool, phiche1, looking forward…
18:13:46phiche1:thanks for the tip Adlai!
18:55:01huffer:huffer has left #bitcoin-wizards
20:30:19waxwing__:waxwing__ is now known as waxwing
20:51:26belcher_:belcher_ is now known as belcher
20:59:37brand0:brand0 is now known as gwerwi
21:01:31gwerwi:gwerwi is now known as brand0
21:02:11BlueMatt:does anyone have any opinions on relative-to-my-inputs-OP_CLTV?
21:02:44BlueMatt:ie RCLTV is equivalent to CLTV?
21:02:50BlueMatt:maybe petertodd?
21:04:14BlueMatt:its useful in some contracts that take the form OP_IF everyone_signs OP_ELSE something_is_published_in_this_output (maybe just the fact that this output exists)
21:06:07BlueMatt:ehhh, I'll move to -dev, its not very wizard-y
22:56:29kanzure:factom stuff http://sourceforge.net/p/bitcoin/mailman/message/33603951/
22:57:23moa1:"The largest verified computation (SETI@home) uses verification by replication." https://en.wikipedia.org/wiki/Verifiable_computing
22:57:53moa1:you could argue bitcoin is a larger set of verified computations?
22:58:52phantomcircuit:moa1, bitcoin is actually a fairly small amount of verified computation
22:59:05phantomcircuit:it is however far more secure than seti@home's replication model
22:59:09moa1:done by > 6000 nodes though
22:59:13kanzure:what's the right measurement for the "size" of a verification? number of bits ?
22:59:18phantomcircuit:(they dont worry too much about people faking work)
23:00:00maaku:moa1: the amount of computation actually verified by bitcoin is small
23:00:14moa1:maaku: heh yes but ...
23:03:57moa1:6500 nodes verifying a small problem uses more computation resources than 2 nodes verifying a large problem
23:13:38phantomcircuit:moa1, you're massively under estimating the volume of work that goes through seti@home...
23:19:29phantomcircuit:petertodd, is it even possible to prove that you published something and that it's the only version without having censorship issues?
23:23:19zz_lnovy:zz_lnovy is now known as lnovy
23:25:04lnr:lnr has left #bitcoin-wizards
23:28:38amiller_:phantomcircuit, sure it is, petertodd convinced me by telling me how
23:28:49phantomcircuit:amiller_, ha
23:29:42phantomcircuit:amiller_, but how
23:30:06phantomcircuit:his scheme with the encryption of the key?
23:30:28amiller_:give me a sec, its simpler, trying to reconstruct it from memory now
23:33:10amiller_:okay got it in head-ram, gonna try explaining this, ive been trying to figure out how to unravel the idea, its really clever but a bit tricky to explain.
23:33:23amiller_:i'll try this way.... here's how you set it up.
23:34:29amiller_:start by putting on the blockchain an ordinary transaction with a single output you can spend
23:35:00amiller_:there's nothing apparently special about this transaction, it looks just like all the others and isn't "linked" to you
23:36:19amiller_:now, publish a transaction containing a description of your gadget (how the description is constructed i'll describe later),
23:36:37amiller_:the idea is this description is the name of a "write once, but *later*"
23:37:15amiller_:you will *later* want to choose that message, and prove to someone that you set it to one particular value and can't equivocate by convincing two different people you set it two different ways
23:37:42amiller_:okay i'm a little bogged down already by trying to describe the *goal* but since you brought it up, i think you get it, so ill switch to how it works.
23:38:07amiller_:this "description" is actually a commitment (a hash plus some randomness) of the nondescript transaction output we prepared earlier.
23:39:05amiller_:ah okay here's where the encryptoin comes in, the commitment is to a) that transaction output, and to b) a symmetric encryption key
23:39:18amiller_:okay so
23:40:29amiller_:you "write once" to that value by *spending* that output, and including an encryption of your message, under the symmetric key i mentioned, in some steganogrphic bits, like the transaction output pubkey hashes
23:41:27amiller_:this is the crux of the idea, you have already *committed* to the transaction output you are going to spend, but you haven't revealed any information about what it is yet
23:41:49phantomcircuit:amiller_, yeah i think that's what i was thinking of before
23:41:49amiller_:so you can actually do the spending of it and embed your message covertly.
23:41:54amiller_:okay
23:42:38amiller_:sorry, if i had remembered it required encryption i would have assumed you knew it when you mentioned that. oh well, i guess i got the practice explaining it i wanted. i think its a really great idea it took me a while to understand
23:42:51phantomcircuit:that's not actually censorship proof but it is resistant
23:44:05phantomcircuit:since a miner/relay node that understands the protocol can clearly block the last step
23:44:26amiller_:no
23:44:33amiller_:which last step
23:44:39amiller_:its censorship-proof
23:44:53phantomcircuit:two transactions A and B
23:45:06amiller_:the miner can't tell which transactions are involved
23:45:19amiller_:this technique involves hiding data in perfectly ordinary transactions, there's really no way to tell
23:45:23amiller_:the output can be any output you can spend
23:45:30phantomcircuit:sure they can, the set of possible candidates is small enough to brute force
23:45:37amiller_:wat no its not
23:45:49amiller_:oh, i think you misunderstood when i said "commitment"
23:45:53amiller_:not just the hash, but a hash plus some randomness
23:46:28amiller_:you can't just try all the transactions and see which one the hash matches, until i reveal the randomness (which i can do privately to anyone i want to give my unequivocable message to)
23:46:44amiller_:oh, actually encryption isn't required at all.
23:46:59phantomcircuit:amiller_, so the randomness is basically a key
23:47:19phantomcircuit:and i can publish multiple versions of the same thing only not using the same transaction output
23:47:39amiller_:yes
23:48:23phantomcircuit:i feel like there's an issue with that but i cant quite put my finger on it
23:48:34amiller_:there's not, i checked lol
23:49:28phantomcircuit:it clearly basically solves asset tracking issues but only if the transaction output is tied to the asset
23:49:53phantomcircuit:oh wait
23:50:41phantomcircuit:i was going to say there's nothing stopping you from committing to the txo twice with different random values butt hen i realized derp
23:51:11amiller_:its less obvious to me how it clearly solves asset tracking, im still trying to figure that part out actually.
23:51:51phantomcircuit:amiller_, i dont see how you could both track an asset using transaction outputs and keep the first transactions output censorship proof
23:52:30amiller_:well you have to start somewhere
23:52:40phantomcircuit:amiller_, that ones easy, you generate the next spend transaction in advance and commit to it with the message you're making censorship resistant
23:52:50amiller_:okay then you're done, what else is there exactly
23:52:50phantomcircuit:whoever controls that output controls the asset
23:53:33phantomcircuit:im not sure you can actually make that work without revealing to the world that the next transaction output is going to be though
23:53:44phantomcircuit:no you can
23:53:50phantomcircuit:neat
23:54:25phantomcircuit:well sort of
23:54:40phantomcircuit:anybody who has ever known which outputs the asset corresponds to can censor transactions
23:54:46amiller_:no
23:55:02amiller_:you can like, lazy load a chain of these things
23:55:03phantomcircuit:in that example they can because they would be able to identify the "next" output
23:55:36amiller_:use output #1 for your message, and #2 for the commitment to the next hidden-in-plain-sight transaction
23:55:58phantomcircuit:amiller_, that makes the protocol interactive and involves everybody whose ever owned the asset....
23:55:59amiller_:as long as you can keep putting nondescript transactions in the chain, you can link these together
23:56:31amiller_:of course it's interactive but not prohibitively so? one transaction per... transaction
23:56:34phantomcircuit:the random values need to be published at each step to prevent the thing from being a huge nuisance
23:57:03phantomcircuit:oh and this would be horribly broken by even a small reorg
23:57:04phantomcircuit:heh
23:57:14amiller_:no it wouldn't
23:57:22amiller_:you wait for longer than a small reorg before revealing your randomness
23:57:26phantomcircuit:sure it would since you have to reveal the random value
23:57:29amiller_:this is a lot like guy fawkes signatures
23:57:31phantomcircuit:a reorg would make it censorable
23:58:08phantomcircuit:i guess you could commit to two outputs one for the message and one for the random value
23:58:25phantomcircuit:and then delay the random value disclosure for long enough that a reorg wouldn't break the system
23:58:56phantomcircuit:it's certainly not a general solution to the problem i described though :P
23:58:59amiller_:no you commit to one output, but you "use" that output in a transaction with two outputs
23:59:02phantomcircuit:there's a bunch of edge cases
23:59:48amiller_:i think all of your criticisms have been due to the proposed solution being hard to visualize