02:15:45 | blablaa: | what do people here think about PoS? i'm thinking the savings in costs of maintaining network can be so huge, it's worth investigating... |
02:16:34 | phantomcircuit: | blablaa, doesn't work |
02:16:36 | bsm117532: | Yes, failing to achieve consensus is cheap. |
02:16:43 | phantomcircuit: | https://download.wpsoftware.net/bitcoin/pos.pdf |
02:17:02 | blablaa: | phantomcircuit, reading |
02:17:11 | phantomcircuit: | blablaa, there was a lot of hope that it would work early |
02:17:14 | phantomcircuit: | but sadly no |
02:19:42 | blablaa: | phantomcircuit, i was thinking about punishing double signers, i see it's dealt with in your paper, reading it |
02:19:59 | phantomcircuit: | blablaa, that's from andytoshi btw |
02:25:16 | blablaa: | phantomcircuit, stake-grinding just gives some more revenues to people with more computational power, no? doesn't seem fatal... |
02:25:38 | phantomcircuit: | blablaa, it's just one of many issues |
02:25:41 | blablaa: | but the problem of people selling their "stake" before messing up the network indeed seems a solid... |
02:25:54 | blablaa: | a solid problem, even if maybe more theoretical than practical |
02:27:21 | kanzure: | also https://download.wpsoftware.net/bitcoin/alts.pdf |
02:27:50 | justanotheruser: | blablaa: a practical problem as well https://bitcointalk.org/index.php?topic=131901.0 |
02:28:48 | phantomcircuit: | justanotheruser, that's stake grinding i believe |
02:29:06 | justanotheruser: | yes |
02:29:36 | justanotheruser: | oh, he wasn't speaking of NaS in general |
02:29:42 | phantomcircuit: | the conclusion section notes that you can grind in such a way as to get yourself more stake in the future as well |
02:29:55 | phantomcircuit: | it's a powerful attack |
02:30:17 | phantomcircuit: | the only "solution" i've seen is limiting timestamp drift |
02:30:19 | phantomcircuit: | which doesn't work |
02:33:31 | blablaa: | phantomcircuit, timestamp is very ugly theoretically, maybe something like asking every block to be signed by 50% of coins would be more sensible |
02:33:38 | blablaa: | it would also kill stake grinding of any kind |
02:34:56 | phantomcircuit: | blablaa, doesn't work |
02:35:07 | blablaa: | why? |
02:35:58 | phantomcircuit: | because you cant get 50% of anybody to do anything in real time |
02:36:06 | blablaa: | hehe then make it 10% |
02:37:09 | blablaa: | but there is still the more general "stake" problem |
02:37:37 | blablaa: | well in this case there would be a battle for low delay |
02:40:19 | justanotheruser: | blablaa: that still leaves you open to other attacks, however that means an attacker needs 10% of the stake to grind |
02:40:28 | justanotheruser: | and your blocks will be *massive* |
02:40:39 | blablaa: | hehe yes i know |
02:41:37 | phantomcircuit: | also (without thinking too hard) there are probably some speed of light issues with that |
02:57:01 | blablaa: | phantomcircuit, i don't understand why long range attacks would still be possible. Can't we still choose longest chain, and still choose the "true" one in this way? Because the one signed by more people will be longer, no? |
02:57:35 | blablaa: | so it seems to me the "long-range" attack is feasible only if one really has largest "stake" |
02:57:54 | kanzure: | "more people" no.. that's not how it works. you can't count people. |
02:58:10 | blablaa: | kanzure, people weighted by (not recently moved) coins they have |
02:58:35 | gmaxwell: | You can count keys, and the attacker gets lots of keys with coins as a product of their attack, so it self amplifies. |
02:58:35 | kanzure: | uh what is your definition of a person? |
02:59:03 | blablaa: | kanzure, damn i mean just count the "stake" |
03:00:00 | blablaa: | gmaxwell, the idea is to only consider the coins held for some blocks when "stake" is needed |
03:00:13 | gmaxwell: | you should visualize a ouroboros-- you can't build a consensus system outside of itself, it's tautological. |
03:00:47 | blablaa: | hehe |
03:00:48 | kanzure: | what i'm really confused about is why you don't think pos.pdf covers these objections already---- maybe it doesn't, and i'm remembering phantom text? |
03:01:12 | gmaxwell: | blablaa: yes and? so I go and obtain old no longer useful keys from people who've left the system, I fork using their ability to create blocks back then, and play forward. My alternative looks just as good -- it _is_ just as good, if the real network could have done it the fake one can too. |
03:01:33 | gmaxwell: | This is all described in the writeup, indeed. |
03:02:03 | kanzure: | perhaps those sentences need to be repeated twice in a row for emphasis in the doc |
03:02:23 | gmaxwell: | maybe a latex macro that makes flaming text. |
03:02:49 | blablaa: | gmaxwell, ok, right, i was just confused |
03:03:09 | kanzure: | is there a way the document could be made more clear to you? |
03:03:21 | kanzure: | and, which aspects are confusing? |
03:03:29 | blablaa: | gmaxwell, even if your attack is not entirely trivial, you've to obtain enough useful keys |
03:03:38 | kanzure: | you are missing a verb |
03:03:48 | gmaxwell: | it's okay, so this subject confused us for a long time. PoS was invented by the bitcoin tech community and most of us that were around then were super psyched about it for a couple months until we really started to understand all the subtle implications. |
03:03:52 | kanzure: | oh, excess abbreviation |
03:03:52 | blablaa: | gmaxwell, that at some point in the past were a large stake |
03:04:39 | kanzure: | the only safe operation of that would be to never have any private keys to begin with, to guard against the accumulation of private keys by any single person |
03:05:13 | gmaxwell: | blablaa: that's just one example; so don't fall into a trap of confusing a _specific_ set of operations that were used to illustrate a fundamental limitation as being the thing that must be prevented; the error that leads to is 'patching' around it (which usually then introduces new and potentially worse vulnerabilities) and exhausting the cryptanalysis resources and patience. :) |
03:05:29 | blablaa: | hehe |
03:06:19 | blablaa: | gmaxwell, it's just that for ALL fake chains you need to have them "nested" on a block where you had a large stake |
03:06:33 | kanzure: | "fake" |
03:06:49 | gmaxwell: | The point is that there is a fundamental issue there which results in many different attacks; and really should be addressed _in general_; otherwise you just get a system which is patchy and vulnerable but too much of a PITA to analyze until it's really profitable to rip it off. (also the more complex the attack needed, the slower people are to respond to it; you can see an example of that with pool hopping earlier in bitcoin's life) |
03:07:02 | kanzure: | there's no such thing as fake in these systems |
03:07:55 | kanzure: | there's no "fake history"... if a history validates then it is impossible to determine whether it was "fake" without resorting to a central party. |
03:08:19 | kanzure: | (well, this could probably be tightened up to be more clear...) |
03:08:55 | gmaxwell: | blablaa: where collaborating attackers had enough stake to continue the system if the other users went away (in their alternative universe they'll expand their position thereafter). Also, in all these systems there are non-deterministic inputs, so you can 'boost' your apparent stake by trying over and over again. (often they delay the non-deterministic influence to make them not _instantly_ fail to stake grinding, but they all have it for sufficiently large reorgs) |
03:10:14 | blablaa: | gmaxwell, the PoS i have in mind has no timestamp but many signatures per block |
03:10:31 | blablaa: | so there should be no grinding used for "boosting" your stake |
03:10:59 | blablaa: | hmm well but then it's entirely different, sorry |
03:11:22 | blablaa: | in the thing i've in mind, you can't mine not even a block without 10% stake |
03:11:55 | gmaxwell: | I do hope you've read alts.pdf; anyone can build a cryptosystem they themselves cannot break. It's really astonishingly hard to do anything in this space that doesn't just shatter. |
03:12:25 | gmaxwell: | blablaa: so if something like mtgox happened where ~10% of the coins were 'lost' at once the system cannot continue? |
03:13:04 | blablaa: | gmaxwell, indeed |
03:13:39 | blablaa: | gmaxwell, but agreed, the problem is people may still retain keys even after no longer having the "stake" |
03:13:44 | blablaa: | so, in general, you're right |
03:14:04 | blablaa: | someone could buy these keys theoretically |
03:14:51 | instagibbs: | I'm sure the mtgox "hackers" would gladly mint some blocks for you ;) |
03:15:01 | gmaxwell: | blablaa: yea, and you can probably even automate selling them! e.g. having a smart contract that trustlessly buys them from people. |
03:16:26 | gmaxwell: | I mean, basically any such system _instantly_ fails on an incentives basis since the rational thing for a non-participant to do is to immediately join in a costless attack with the prior participants; ... but maybe that's not a concern because of activation energy; ... but the activation energy from 'sell your key, get funds' is pretty darn low. |
03:17:13 | blablaa: | gmaxwell, i think this sell your key is the only problem. otherwise it would work. |
03:17:19 | blablaa: | but it's not a solvable problem |
03:18:16 | gmaxwell: | blablaa: I actually don't think it's the root issue, it's an example of the more fundamental issue, which is the circular relationship, that everything in the system is defined in the system; so attacks cost nothing external. |
03:19:15 | blablaa: | gmaxwell, i think it's the root issue. attacks require stake, and you can't have stake without keys, and you can't have someone else's keys unless he gives them to you. |
03:19:16 | gmaxwell: | Even if there were some magical edict that prevented selling; it would still be in the rational interest for all participants who've exited to participate in attacks. (keep in mind, it's not required that there be a single 'attacker'; it can just be the selfsame past users that create an alternative history) |
03:19:32 | gmaxwell: | You don't need someone elses keys though. |
03:20:11 | instagibbs: | blablaa: the original Master Stakeholders will always control the system, followed by the 2nd most powerful stakeholder in history, followed by the 3rd.... |
03:20:16 | gmaxwell: | You're adopting a mental model of a singular attacker; thats over constraining it. It's perfectly possible for people to collectively act in self interest-- even without explicit coordination, it happens in markets every day... and not just for wholesome purposes. |
03:21:21 | instagibbs: | related: one big problem with Vitalik's recent work, from someone who actually read the whole thing(not me), was that he was modeling attackers non-cooperatively. |
03:22:28 | blablaa: | gmaxwell, well that is just selling your key to some virtual group that will do the attack instead of selling to an individual. it's basically identical. |
03:22:30 | gmaxwell: | underimagination about attackers is one of the hardest things to deal with in cryptography. |
03:23:06 | kanzure: | you also don't have to sell your private key, people can just post them or derive them from faulty pseudorandom number lists |
03:23:23 | gmaxwell: | blablaa: there is no virtual anything required! you keep it yourself, and you just have software that does whatever is most profitable for you; supporting the honest network is not profitable (as you have no coins in it), someone else shows up with a fork where you have coins... sign away baby! |
03:24:06 | instagibbs: | gmaxwell: but I'll just phone the Bitcoin CEO and figure out the true chain |
03:24:13 | blablaa: | gmaxwell, in game theory it's called a coalition :) |
03:24:23 | gmaxwell: | it's not hard to write mining software that does a straight expected value calculation and does all the profitable things; signing is cheap. |
03:24:54 | gmaxwell: | writing the software takes work, but its one time. |
03:25:33 | blablaa: | gmaxwell, indeed this is also what i had concluded at the first analysis of this issue (that the attack is valid but not so practical because you need a large coalition).. then somewhat forgot it while thinking about it. |
03:25:47 | gmaxwell: | "The security of my system depends on no one being non-lazy enough to write code that maximizes profits, or everyone being too lazy to run it" is kinda fragile! :P |
03:26:16 | blablaa: | gmaxwell, and large coalition is practical indeed, via market mechanism of selling keys |
03:26:23 | gmaxwell: | blablaa: well count yourself ahead a little bit then, as there are people out selling a lot of dreams without ever thinking of that much. |
03:27:16 | blablaa: | gmaxwell, i appreciated your help, sorry if questions were too stupid. |
03:27:21 | gmaxwell: | I still think you're overestimating the requirement level for selling; its an example; but "software that just automatically does whatever is in the owners interest; even 'rule breaking' things" is another. |
03:27:37 | gmaxwell: | There are no stupid questions, only stupid people. |
03:27:39 | gmaxwell: | :P |
03:29:05 | blablaa: | gmaxwell, ok... probably this stupid person was confused by the bitcoin way of thinking... and didn't think about the "old" keys that no longer have coins... despite having just read of this generalized "stake" problem, so should have thought about it. |
03:29:19 | blablaa: | gmaxwell, i was too lazy to think and just asked for a stupid example to get it faster |
03:29:26 | kanzure: | he was not calling you stupid |
03:29:34 | gmaxwell: | that's why I call the circularity the fundamental problem, if not for it the key would no longer be useful. |
03:29:54 | gmaxwell: | I was not calling you stupid, indeed! |
03:29:59 | instagibbs: | it was a joke, I think ganked from a demotivational poster |
03:30:22 | instagibbs: | http://www.despair.com/cluelessness.html |
03:30:33 | kanzure: | what a wonderful domain name |
03:31:04 | gmaxwell: | this stuff is really hard, and requires unusual ways of thinking. Even after working for years on distributed systems with no uniform view of time or events in large routing networks cryptocurrency still trips me up from time to time. |
03:32:29 | blablaa: | gmaxwell, is there something that has some chance in your most optimist dreams to replace PoW? |
03:33:28 | gmaxwell: | kanzure: so many moons ago when that site was new, I worked for a municipality in the IT department, which was in the grips of some consultants that had us put up a bunch of posters of the style being mocked there (some stock art and some pithy meaningless statement), and one of my employees replaced them; and no one noticed for roughly a year. :P |
03:35:38 | gmaxwell: | blablaa: Hard to say; I've learned my lesson with claims of impossibility; but I've seen a lot of failed things. I suspect that any replacement wouldn't be as attractive as you'd hope. POW works because there is an external cost; it also is what makes it fair and inclusive (anyone who can work can participate; which is another whole area where POS fails: existing majority stake holders can exclude participants or censor transactions); but that's also 90% of what anyone would have to complain about it! |
03:37:22 | instagibbs: | assuming the long-term economics of ASIC production/use aren't completely centralizing. Wonder what that landscape will look like in 5 years. |
03:37:31 | blablaa: | gmaxwell, problem i see with these "external costs" is that they're basically unlimited |
03:37:43 | andytoshi: | blablaa: they are limited by the landauer limit |
03:37:51 | kanzure: | asics can be produced outside of billion dollar fabs but it will require education and tooling (i estimate <$50k in parts) |
03:38:20 | blablaa: | andytoshi, i can't understand |
03:38:34 | kanzure: | .wik landauer limit |
03:38:35 | yoleaux: | "Landauer's principle, first argued in 1961 by Rolf Landauer of IBM, is a physical principle pertaining to the lower theoretical limit of energy consumption of computation." — http://en.wikipedia.org/wiki/Landauer_limit |
03:39:01 | andytoshi: | blablaa: sorry, that was a bit of a hit-and-run comment.. |
03:39:14 | andytoshi: | blablaa: there is a physical bound on how many joules are required to flip a bit |
03:39:40 | andytoshi: | blablaa: you can get a swag on how many bits are required to be flipped to compute a block.. |
03:40:00 | gmaxwell: | instagibbs: right well-- that's one of the allowed areas for improvement; really you can say what we use is "Proof of Resources Expended" and for our PoRE we use hashcash. You can ask how good a PoRE a given hashcash is, and things like control of semiconductor fabrication are a consideration. (some other hashcash implementations are worse on PoRE, e.g. a hashcash which requires a much more complex design or patent licensing for the design is a much less decentralized PoRE) |
03:40:13 | andytoshi: | oh, actually this is irrelevant, what matters is that ~25BTC of energy will get expended |
03:40:15 | blablaa: | andytoshi, yeah nothing to do with what i was saying :P |
03:40:50 | blablaa: | andytoshi, i was saying it's hard to put a bound on the rewards that have to be given to miners so that there are enough miners. |
03:40:50 | gmaxwell: | the construction costs are already small compared to operating costs though; for bitcoin's hashcash; so I don't know how much of a consideration any of that is. |
03:41:19 | andytoshi: | blablaa: oh, i see, that's fair |
03:41:40 | gmaxwell: | (also partly why I boggle at the 'memory hard' camp; since that super strongly moves costs back from operation to construction) |
03:43:34 | instagibbs: | won't be happy until I get an ASIC in a cereal box |
03:44:08 | gmaxwell: | And TSMC's profits of $3 billion dollars in a quarter suggest that there is a difference between what it actually costs to build state of the art semiconductor devices and what people pay for them on the market. |
03:44:37 | kanzure: | originally the 4004 did not cost billions to make |
03:44:44 | gmaxwell: | Competition for energy is a lot more efficient than competition for fab capacity. :) |
03:46:03 | gmaxwell: | kanzure: sure you can fabricate a mining asic in a bathtub, but if it's 100,000 times less energy efficient who cares? the cost is the operation, not the fabrication. I wouldn't be too surprised to find out that on the latest processes they can burn through more energy cost in a week than the marginal fabrication cost. |
03:47:54 | kanzure: | hm where are you getting 100 kilotimes less efficient from? |
03:48:09 | kanzure: | 4004? was just example |
03:48:19 | phantomcircuit: | gmaxwell, i believe the marginal cost of production is very close to zero actually |
03:48:41 | gmaxwell: | phantomcircuit: well wafers cost several grand a piece. |
03:49:38 | gmaxwell: | kanzure: random ass number, but you can see a factor of 100 alone between 100 nm and current state of the art miners. 10um bathtub circuits are a long way from 100nm. |
03:49:59 | gmaxwell: | phantomcircuit: but I know it's _very_ low, whatever it is. |
03:50:06 | kanzure: | i think you can get 1 micron with some effort, but agreed about 100 nm and 10 nm |
03:50:34 | phantomcircuit: | gmaxwell, i believe the cost to produce them is also marginally close to zero |
03:50:37 | kanzure: | 100 nm maybe with some focused ion beam milling (ugh) but 10 nm is more tricky |
03:50:43 | phantomcircuit: | the capital cost is huge for all of this though |
03:51:03 | phantomcircuit: | gmaxwell, iirc the expensive wafers are fairly larger |
03:51:06 | phantomcircuit: | large* |
03:51:23 | gmaxwell: | phantomcircuit: oh fair enough, indeed silicon boule construction scales really well; it mostly works because the crystal growth is self purifying. I'd not considered what the true marginal cost was there. |
03:51:59 | phantomcircuit: | so |
03:52:12 | phantomcircuit: | in theory someone could setup their own fab and absolutely own the asic market |
03:52:13 | phantomcircuit: | but well |
03:52:23 | phantomcircuit: | who has $10b to spend on bitcoin asics? |
03:52:35 | gmaxwell: | phantomcircuit: 300mm now, I think is most popular. which is pretty mind blowing. |
03:53:11 | gmaxwell: | (building a 'molecule' which is a foot across. :P ) |
03:53:16 | kanzure: | elvira sakhipzadovna nabiullina |
03:53:21 | kanzure: | or was that a trick question |
03:53:32 | phantomcircuit: | gmaxwell, larger wafers directly affect the marginal cost of production |
03:53:50 | phantomcircuit: | i believe the majority of the marginal cost is highly skilled labor |
03:53:58 | phantomcircuit: | which is roughly the same for large or small wafers |
03:54:10 | kanzure: | er which skilled labor in particular |
03:54:32 | gmaxwell: | the skill of not tripping over the ceiling mounted fab robots. |
03:54:48 | phantomcircuit: | the people running the robots |
03:55:10 | kanzure: | "oh no my lazy susan wafer spinner is going to go all skynet on me"? |
03:55:13 | gmaxwell: | also, have you put on a bunnysuit? those things are tricky. |
03:55:21 | gmaxwell: | :P |
03:55:26 | kanzure: | not into that |
03:55:39 | phantomcircuit: | gmaxwell, ha no |
03:56:47 | phantomcircuit: | won't be happy until I get an ASIC in a cereal box |
03:57:03 | phantomcircuit: | im sure there are people who will gladly mail you an asic if you pay for shipping |
03:57:22 | gmaxwell: | one of the things that amuses me about living in the bay area is signs "For lease: office space with ISO 3 clean room" signs on random places. |
03:58:24 | phantomcircuit: | gmaxwell, biomedical research |
03:59:27 | instagibbs: | phantomcircuit: I really don't know the energy efficiency / overall capital cost curve that exists today. My impression is that all the most efficient ASICs are the big bricks/racks that cost a bit |
03:59:30 | kanzure: | * kanzure watches http://avideos.5min.com/134/5187134/518713362_4.mp4 (transcriptic's facilities) (blame maaku) |
03:59:38 | gmaxwell: | some is, but I doubt anyone is using ISO3 for biomed. |
03:59:54 | phantomcircuit: | instagibbs, power efficiency has virtually nothing to do with total size |
04:00:13 | instagibbs: | Theoretically sure, but how about the ASICs coming out of the fabs |
04:00:25 | instagibbs: | meaning |
04:00:40 | instagibbs: | they are marketed to people willing to drop thousands, so they're built and tested that way |
04:00:46 | gmaxwell: | instagibbs: the asics chips being fabricated are all fairly small for a number of reasons; the people who build huge single parts were crazy and their products sucked. |
04:00:52 | instagibbs: | I may be wrong. Just the impression |
04:02:43 | gmaxwell: | instagibbs: there is certainly a size for the whole appliance that is optimal, and may be a bit large for home use or whatever; but the same chips can be used in smaller quantity in smaller devices when someone cares to bother to do so. |
04:04:09 | phantomcircuit: | gmaxwell, that is more true now that antminer got the chained power stuff right |
04:04:43 | phantomcircuit: | before that it was less true for things with external 12v/control |
04:05:16 | gmaxwell: | you just have the regulator costs. but there are also shared mechanicals. |
04:05:19 | instagibbs: | I wonder what the curve looks like for size. If it's nothing too crazy I don't see why not. |
04:05:50 | phantomcircuit: | gmaxwell, eh with 1 asic you could get away without a fan or anything usually |
04:09:05 | phantomcircuit: | instagibbs, the gist is that at real scale you can do things like disable the tiny fans and use facility fans (5-10% power reduction) |
04:09:37 | phantomcircuit: | supply 12v in parallel with multiple PSUs (do not try with consumer ATX PSUs...) |
04:13:26 | instagibbs: | Interesting. |
04:14:38 | phantomcircuit: | instagibbs, otoh you have to actually pay for the power infrastructure you're using |
04:14:48 | phantomcircuit: | which consumers mostly dont pay for directly |
04:15:08 | instagibbs: | Hobbyists are willing to take various "dings", and 5-10% isn't that crazy |
04:16:19 | gmaxwell: | also, cooling is much easier at non-industrial scale "free heat, hurrah" ... I mean, people use space heaters... |
04:18:02 | phantomcircuit: | which reminds me |
04:18:08 | phantomcircuit: | gmaxwell, just how quiet is an sp20? |
04:22:42 | gmaxwell: | with the fan at whatever low setting I have it at (I think not the lowest?), it's pretty quiet; dunno. desktop computer loud. |
04:23:03 | instagibbs: | oh that's not as bad as I was thinking |
04:24:25 | gmaxwell: | if it's cranked up it's loudish but it's much much better than the SP10. not just in terms of how loud, but the SP20 is a not unpleasant white noise; people pay for devices to make noise like this. |
04:24:36 | gmaxwell: | SP10 is a miniature jet engine array. |
06:13:47 | gmaxwell: | andytoshi: some conversation fluffypony and I were having about privacy in ringsignature schemes: http://0bin.net/paste/ZALkbSAwgJ2tS8K1#TbazYhfm4Aegx9ZiIXK0r1j-DYcQwfYV0WVGLVNuJHu |
06:14:47 | gmaxwell: | andytoshi: I'm wondering what the necessary and sufficient criteria is for determining if an output has been removed from the sensible anonymity set; and what cheaply computable input selection approach produces better decisions. |
06:15:26 | gmaxwell: | I give an example of inputs falling out of the set; three transactions with mixin sets [A, B], [B, C], [C, A]; once those txn exist, inputs A, B, C are out of the running. |
06:16:51 | gmaxwell: | I suggest a sufficient algorithm (I think) for avoiding creating bad graphs, which is start with your input, then do not use any other input which is reachable via an undirected co-mixin graph (efficiently computable by running union find over the mixin sets); but that's too aggressive, as it'll exclude many reasonable candidates. |
06:17:25 | gmaxwell: | (Sad: Union find is probably my favorite algorithm :P ) |
06:29:24 | gmaxwell: | fluffypony: another criterion to avoid bad graphs is to never create a spend whose mixin set is a permutation of another existing mixin set. |
06:32:03 | gmaxwell: | as that necessarily guts the privacy of both. It takes only N spends using an identical mixin set of size N to remove it from the running. I think that's always the smallest number of transactions required to take a txout out of the running. |
06:35:42 | gmaxwell: | That's also not toooo expensive to avoid. Just keep track of every mixin set involving your own inputs; and don't duplicate it. |
06:35:52 | smooth: | gmaxwell: alternatively do it on purpose to allow pruning and prevent worse failures |
06:37:50 | gmaxwell: | it's expensive to use it for pruning though. I suppose you could detect when you can close a group with a single transaction, then just do a kind of explicitly less anonymous one and close the group... but the issue there is that _detecting_ that a closed group has been formed is not cheap. |
06:38:25 | gmaxwell: | trivial examples are easy but I can construct graphs which no greedy assignment will be successful. |
06:38:34 | gmaxwell: | but are solvable. |
06:39:27 | smooth: | hmm, im not sure. Let's say A mixes with B and C. Then if we say that B and C must also mix with (A,B,C) and no one else can mix with those, then it seems easy |
06:40:11 | smooth: | but this may allow attacks where you own A and C and mix with B because you are trying to attack B |
06:40:28 | gmaxwell: | yea, also it precludes B and C from having larger sets. |
06:40:42 | smooth: | i was sort of assuming fixed size sets |
06:40:52 | smooth: | or maybe specified per output |
06:41:11 | gmaxwell: | you actually get much harder to solve graphs with variable sized groups in general. |
06:42:52 | gmaxwell: | keep in mind e.g. [A, B], [B, C], [C, A] ... each of A,B,C actually know who everyone was in this set. The world doesn't, but those parties do. |
06:43:31 | gmaxwell: | e.g. if you know that the real input in the first was A, then you know that the others were B, C. If it was B, then the others were C, A. |
06:43:58 | gmaxwell: | which is pretty awful, works for a cycle of any length too. |
06:45:07 | gmaxwell: | e.g. [a,b] [b,c] [c,d] [e,f] ... [z,a] if you know a single transaction in the cycle you know all of them. |
06:47:57 | smooth: | this is the chain reaction of MRL-0001. you dont need a closed cycle and the chain can go on arbitrarily |
06:48:06 | smooth: | once you know a then you know the second is b, etc. |
06:51:16 | gmaxwell: | yea, it's especially bad for e.g. bytecoin where the initial utxo set is probably owned by a single person or something due to the fake history. |
08:05:18 | cameron.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
09:47:27 | fluffypony: | gmaxwell: yep exactly - I think we even mentioned something along those lines in MRL-0001, that they can't promise privacy because 80%+ of the txoset is owned by a person (or people) whose motives remain unknown |
09:48:46 | gmaxwell: | might also be true for monero (well obviously not 80% but a lot-- just due to the advantages from the obfuscated miner :( ) |
09:52:07 | fluffypony: | obfuscated miner was replaced quickly, though, and the number of mixin 0 transactions may end up working in our favour from that perspective |
09:52:17 | fluffypony: | should probably do some analysis of that at some point |
10:02:02 | smooth: | the total amount mined before the obfuscated miner was fixed was around 5%, and that certainly wasn't all mined by them |
10:02:37 | smooth: | however, it is a fair point that you cant really know the ownership of coins in general |
10:06:37 | gmaxwell: | didn't realize it was fixed so fast. well I guess at the time it was fixed it was 100%. :P |
10:07:06 | gmaxwell: | I didn't mean to raise that as a major concern. |
10:07:56 | fluffypony: | lol no, it's a valid point |
10:10:58 | smooth: | lots of other people were certainly mining though. the market was so bubbly at the time that even the dumb miner was profitable |
10:18:42 | fluffypony: | smooth: change was committed May 7th, so ~19 days from launch = 2.58% of initial emission (we have infinite tail emission, too, but still use the 18.4 million initial emission as a reference point) |
10:19:04 | smooth: | fluffypony: that was only a small part of the fix though |
10:19:16 | fluffypony: | yep, but that was the big jump |
10:19:23 | fluffypony: | 10x improvement in speed |
10:19:45 | smooth: | oh okay, faster than i thought then |
10:30:27 | gmaxwell: | I guess my impression was a little distorted in that I went and mined on it right away, and even after speeding up the miner quite a bit myself still found fairly few blocks; but it might have been bad luck. |
10:32:16 | fluffypony: | I solo mined on AWS at the beginning for maybe a month and a half, and my estimations were generally aligned with what I actually solved |
10:33:07 | smooth: | gmaxwell: people used many cloud instances so unless you were doing that you were just a small share |
10:33:31 | smooth: | it was rather shocking how long you could actually pay for cloud computing, use the crappy miner, and still be profitable |
10:33:49 | fluffypony: | you should mine on testnet, global testnet hashrate is 230h/s |
10:33:55 | smooth: | haha |
10:33:58 | fluffypony: | [wallet 9xoaou]: balance |
10:33:59 | fluffypony: | balance: 2762282.169573881548, unlocked balance: 2761513.652564764300 |
10:33:59 | fluffypony: | ^^rich |
10:34:14 | gmaxwell: | thats like my bitcoin testnet wallet. |
10:34:16 | smooth: | it was zero for a while right? |
10:34:52 | fluffypony: | smooth: yeah, my two testnet mining nodes hiccuped, one didn't start the miner on a reboot and it crashed on the other one, nobody noticed for 2 days |