00:22:44hulkhogan_:cool
00:29:33hulkhogan_:haha - one of the FAQs is "which functions are inside the black box?"
00:32:06gmaxwell:I'm sure people asked; it's the norm for benchmarks in this space that someone will publish a set of functions and you self-report your results. (If this sounds stupid, you've probably not been exposed to enough academia. :) )
00:34:55hulkhogan_:haha it seems silly, especially with the title of the competition being what it is, at least :P
00:35:14hulkhogan_:in principle it's quite interesting, so you're searching for the best point under some budget
00:35:52hulkhogan_:it makes sense to compete i think, seeing as how there's a lot of field/point math in bitcoin
00:53:04bsm117532:moa: this is utter bullshit: http://www.newswire.ca/en/story/1525871/russian-scientist-makes-a-breakthrough-quantum-protection-for-physical-objects-is-created
00:55:23bsm117532:The premise is that there's so much data that you can't possibly read it to copy it. The "quantum" business is garbage, remove that word from the press release.
00:55:41bsm117532:I love PR Newswire. "We let anyone write anything!"
00:57:57gmaxwell:bsm117532: ah some of the functions in the PHC contest were going for supporting something like that. E.g. you have some random key you store safely offline; and use it with a CSPRNG to build a many-many-TB pseudorandom pad you store online. To authenticate a password the middle of the expensive KDF function requires a lookup in your database.
00:58:36gmaxwell:So now it's "infeasible" (in the kind of very limiting armwaving sense that blockchain reorgs are infeasible) for an attacker to steal your password database.
00:58:47bsm117532:Let me tell you about a memory-hard PoW algorithm...
00:59:14bsm117532:It's not a bad idea if you have a source of many-many-TB data. But if it's all generated from a single seed...well...
01:00:03phantomcircuit:bsm117532, you throw away the seed obviously
01:00:08bsm117532:It's effectively a book cipher.
01:00:30gmaxwell:well the point there is that the seed can be kept totally offline and only used to repair your data (or, indeed, could just not exist if you're feeling especially brave)
01:01:00gmaxwell:I'm skeptical of the value, compared to, say ... getting a couple $25 yubikeys and putting them in HMAC mode and loading them with some key you keep offline.
01:01:36gmaxwell:Then the yubis are your authentication oracle and cannot be stolen (short of compromising SHA1) in a _much_ stronger sense than your super expensive petabyte codebook.
01:01:55bsm117532:I agree. I don't see the value relative to offline keys. Online but-hard-to-find? Still attackable, while offline is not.
01:02:21gmaxwell:bsm117532: well something needs to be online to authenticate users. You just don't want the online thing to be online stealable.
01:02:33Eliel:* Eliel is wondering how come we're still using password authentication schemes when we have asymmetric cryptography that would be much better in many ways.
01:02:59bsm117532:* bsm117532 groans in agreement.
01:03:07gmaxwell:Eliel: users aren't so good at managing keys.
01:03:13bsm117532:If I could destroy the fucking password mania...
01:03:40phantomcircuit:gmaxwell, HSMs are much more difficult to deploy at small scale
01:03:41bsm117532:We have a serious UI and user education problem with any other (better) scheme.
01:03:46gmaxwell:I mean, don't look at me, all my personal stuff is not password auth.
01:03:51phantomcircuit:nobody sells dedicated servers with them installed
01:03:55phantomcircuit:rents*
01:04:29Eliel:you could even have a system that looks like password auth but actually transforms the password into a key and :P
01:04:41bsm117532:PBKDF...
01:04:46phantomcircuit:Eliel, i actually implemented that in javascript once
01:04:46bsm117532:It's great for making bad keys.
01:04:47gmaxwell:phantomcircuit: this is why I suggested a yubikey. ... but yea; I mean, if you have so little control over your hardware that you can't plug a usb widget into it... well... (Also: licensing dongles are still common in the windows world, I bet any hosting operation will let you plug something into the USB on a dedi)
01:05:06phantomcircuit:it was god awful slow but probably marginally more secure than standard https + plaintext password
01:05:16phantomcircuit:note: marginally
01:05:29gmaxwell:Eliel: that's still password auth, just in disguise. If you want to see actually superpowered password auth, what you want is something like SRP.
01:06:17Eliel:gmaxwell: well, as long as that's just an interface for luddites who want to keep using passwords :P
01:06:55gmaxwell:Unfortunately, lucent's patent fund campaign has basically blocked PAKE deployments for over a decade; though the patents they were harassing people with have recently expired.
01:06:59bsm117532:There were several hardware wallet vendors at the Inside Bitcoins NYC conference that just finished...intriguing stuff.
01:08:17Eliel:gmaxwell: ... you mean we've got patents to blame for not having proper authentication mechanisms in widespread use yet?
01:08:47phantomcircuit:gmaxwell, PAKE?
01:08:53phantomcircuit:too many acronyms in this space...
01:08:58gmaxwell:Among other reasons, yes. I mean, some have theorized that the anti-pake patent nonsense is state sponsored, but who knows.
01:09:06gmaxwell:phantomcircuit: password authenticated key exchange.
01:09:42Eliel:wouldn't surprise me if it was state sponsored.
01:10:00phantomcircuit:ah
01:10:07bsm117532:I know a fellow who likes to go on about how the government and banks already have a ton of tech for electronic money that they're sitting on. I'd dismiss him as a crank if I didn't know better, but I don't know any details. Maybe PAKE is part of it?
01:10:19Eliel:but then again, there's a reasonable chance it's just due to misguided profit incentives too.
01:10:22gmaxwell:Eliel: SRP is really turning your password into a public key and authenticating with that; but it does so in such a way that if the server didn't know the pubkey to begin with, the server doesn't learn it. (likewise someone watching the channel never learns it); so even if the key is derived from a crappy secret they don't learn anything that helps them grind it.
01:10:56gmaxwell:Eliel: hard to say; the patent fud stuff never earned them a drop of profit as far as I can tell; people just said "okay, we won't deploy that then".
01:11:00bsm117532:gmaxwell: that's neat. Zero Knowledge Authentication?
01:11:49gmaxwell:And a side effect is that if the server was the only one to know your password-hash (other than you), then the protocol mutually authenticates the server to you-- with no CA infrastructure.
01:11:49Eliel:what's SRP short for?
01:12:02gmaxwell:Eliel: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
01:12:24gmaxwell:It can be implemented over EC groups too, which would make it a bit more communications efficient.
01:13:34bsm117532:Hmmmm "This means that an attacker who steals the server data cannot masquerade as the client unless they first perform a brute force search for the password." -- So the list of commonly used passwords will still come in handy. Still need to move away from passwords.
01:15:58gmaxwell:bsm117532: sure; it's strictly better but not unboundedly so. You can use the same protocol with strongly generated keys instead; nothing requires a dumb-ass user 'password'. :)
01:16:46gmaxwell:it's just _IF_ you've happened to use a dumb password; at least someone impersonating the server or sniffing the wire learns nothing that helps them.
01:18:00bsm117532:It's an improvement. But working around bad user habits is a losing game in the long run. We need to teach users better habits.
01:18:24gmaxwell:I mean, bitcoin had no password based keys anywhere; and an orgy of 'wallet innovators' (as I heard someone call them) were quick to produce things like brainwallet and BIP39 to 'fix' that surplus of security. :)
01:19:44bsm117532:hey now, I'm a bip39 fan. I can remember a 12 word passphrase and so can most people (+ HD wallets...)
01:19:49phantomcircuit:gmaxwell, so the question becomes why isn't SRP implemented in browsers?
01:20:40gmaxwell:phantomcircuit: patent fud.
01:20:52bsm117532:The person I was referring to above is on the IETF and W3C and claims they have something up their sleeve to replace the centralized CA mess. SRP sounds like a likely candidate.
01:21:03gmaxwell:phantomcircuit: because lucent went around and made people concerned that _all_ PAKE schemes were patented; even though a competent review says there is no chance SRP violates the lucent patent, once there is a cloud people won't bother.
01:22:27bsm117532:I've long been bothered that no one uses user certificates for anything...
01:22:35phantomcircuit:gmaxwell, :|
01:23:07phantomcircuit:bsm117532, it was non-trivial to run a CA until relatively recently
01:23:15phantomcircuit:the only tools for it were openssl and that was...
01:23:16Eliel:bsm117532: I hear they're a PITA to work with.
01:23:17phantomcircuit:not fun
01:24:04bsm117532:That's a UI problem, that no one put any effort into fixing.
01:24:44Eliel:(or there's someone blocking the fix with enough force that those who wanted to fix it gave up)
01:24:47bsm117532:CAs only half-authenticate. They (centrally) authenticate one side (the server) leaving the other side open to attack...
01:25:55gmaxwell:It doesn't help that the creator of SRP's institution (Stanford) itself patented some largely pointless extension (SRP-Z); and then didn't make the licensing clear for a long time.
01:47:05moa:TIL: patent concern trolls exist
02:13:20rusty:gmaxwell: watching your SF Bitcoin Devs talk. Wow.
02:35:12bsm117532:I watched it a few days ago, that was a great talk gmaxwell
02:36:03rusty:Yes, cogent and accessible; I've not seen anything like it wrt. bitcoin privacy.
02:59:27gmaxwell:I need to watch it so I can transcribe it; I actually forgot to mention a whole fork of my argument there.
03:06:16bsm117532:I think every talk I've ever given I forgot to give an entire fork. :-/
03:09:53bsm117532:OTOH you have a better sense of the flow of an argument "in the moment". I think it's more important to tell a cohesive intelligible story than to hit all the forks I have floating in my head. I try not to let the forgotten forks bother me.
03:35:14hulkhogan_:IIRC it started to get a little pessimistic when talking about the wallet signing stuff, but i think the conclusions were sensible, i.e. avoid using js for crypto if you can, (or use lots of strict/linting to get 'basically' type-safety)
03:37:57gmaxwell:yea, I wanted to mention e.g. typesafe languages that compile to JS and such; though I don't know anything about them except that they exist... but they're probably interesting.
03:38:30hulkhogan_:yea
03:39:19hulkhogan_:it was an insightful chunk of time for sure... i enjoyed the 'spurious beginnings' origin story as well ;p
05:49:26phantomcircuit:gmaxwell, just place an assert typeof(a) == typeof(b) before every expression
05:49:40phantomcircuit:problem "solved"
08:05:16sendak.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
12:27:06rusty:sipa: http://rusty.ozlabs.org/?p=486
12:28:04rusty:A first look at the mempool corpus data. Does anyone know off the top of their head why I see so many blocks at 731kb? Is that some miner soft limit?
12:45:16sipa:rusty: is 731k = 750000 bytes?
12:45:26sipa:;;calc 731/1.024
12:45:27gribble:713.8671875
12:45:32sipa:eh
12:45:37sipa:;;calc 731*1.024
12:45:38gribble:748.544
12:49:22rusty:sipa: Ah, probably. That'll teach me to use blockchain.info.
12:49:54rusty:sipa: so I assume that's a default blocksize softlimit then?
12:50:45rusty:* rusty finds it in the source...
13:41:14jgarzik:RE miner soft limit - that's why we don't appear to need to raise the block size limit any time soon
13:52:00zooko:I'm in New York today.
13:53:17fluffypony:I'm in Germany!
13:53:22fluffypony:* fluffypony ^5 zooko
13:54:32jgarzik:I'm in Atlanta today.
13:56:05fluffypony:as in the lost city?
13:56:06fluffypony:-P
14:20:14stonecoldpat:zooko how was the inside bitcoin thing ?
14:30:53kanzure:zooko: want to meet? "no" is okay.
14:32:02andytoshi:ah, damn, i still have zooko's phone cable from puerto rico ... had i known you'd both be in NY i'd have given it to kanzure
14:32:33kanzure:such thief wow
14:43:57zooko:stonecoldpat: as a conference goes, it was kind of dismal! Most people were… businessmen, I guess.
14:44:13zooko:I'm a businessman, and I like a lot of businesspeople, but there was kind of a low level of energy.
14:44:47zooko:There were also many bright spots, both techies that I connected with and also potential investors, since I'm raising money.
14:45:11zooko:andytoshi: ha! I forgot about that. I got a new one.
14:45:30zooko:andytoshi: I'll sell that one to you for 0.01ⓑ
14:45:35zooko:kanzure: yes!
14:51:23zooko:must shut down for a bit while checking out of hotel... bbiab
15:03:26zooko:fluffypony: Germany has a population of great hackers. Where are you?
15:03:48zooko:jgarzik: home is a nice comfortable place to be.
15:03:56sipa:I'm in Zurich.
15:04:05sipa:next week, in SF
15:04:23zooko:What are you doing in Zurich?
15:04:37zooko:I know I think 3 independent crypto hackers with connections there.
15:04:39zooko:Not counting you.
15:05:28zooko:Yay SF — the most massive gravity well of good hackers.
15:06:51sipa:zooko: I live there.
15:07:00zooko:4 then.
17:29:51kanzure:.tell zooko nice meeting you :-)
17:29:52yoleaux:kanzure: I'll pass your message to zooko.
17:35:41kanzure:.tell zooko http://diyhpl.us/~bryan/venture-deals.pdf
17:35:41yoleaux:kanzure: I'll pass your message to zooko.
20:45:39fluffypony:zooko: Frankfurt Oder, about an hour out of Berlin
20:45:44fluffypony:oh d'oh he's out already
20:46:09fluffypony:will go see ThomasV from Electrum next week or so
23:40:53moa:http://pdfaiw.uspto.gov/.aiw?PageNum=0&docid=20150120569