2015-01-01.log

--- Log opened Thu Jan 01 00:00:10 2015
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Client Quit]		00:00
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		00:00
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Client Quit]		00:03
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		00:03
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Client Quit]		00:06
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		00:48
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Client Quit]		00:50
-!- andy-logbot [~bitcoin--@wpsoftware.net] has quit [Remote host closed the connection]		01:05
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards		01:05
-!- andy-logbot [~bitcoin--@wpsoftware.net] has joined #bitcoin-wizards		01:05
* andy-logbot is logging		01:05
-!- digitalmagus8 [~digitalma@s173-180-44-168.bc.hsia.telus.net] has joined #bitcoin-wizards		01:29
-!- digitalmagus8 [~digitalma@s173-180-44-168.bc.hsia.telus.net] has quit [Changing host]		01:29
-!- digitalmagus8 [~digitalma@unaffiliated/digitalmagus] has joined #bitcoin-wizards		01:29
-!- digitalmagus [~digitalma@unaffiliated/digitalmagus] has quit [Ping timeout: 265 seconds]		01:30
-!- paveljanik [~paveljani@unaffiliated/paveljanik] has joined #bitcoin-wizards		01:36
-!- moa [~kiwigb@opentransactions/dev/moa] has quit [Quit: Leaving.]		01:51
-!- shesek [~shesek@109.67.132.151] has joined #bitcoin-wizards		01:56
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-fsyrnkbfyjbhuuui] has quit [Ping timeout: 256 seconds]		01:58
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-ymvadbglnyvyrkdt] has joined #bitcoin-wizards		02:00
adam3us	happy new year wizards :) may 2015 be even more interesting if thats possible without our heads popping from blockchain coolness overload.	02:27
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 265 seconds]		02:27
adam3us	yeah anyway. so maybe people skimmed vitalik's latest attempt to repair proof of stake that he calls "weakly subjective". the idea is there is a stake (pre commit to some coins) and you are only allowed to vote on one branch of the chain, if anyone sees you double vote (and i guess your vote doesnt count unless you pre-commit to it to cast it)	02:30
op_mul	adam3us: you got snipped there.	02:31
gmaxwell	adam3us: the precommit and lose your coins part is something we've discussed here in the past. (IIRC Zooko was the first I heard propose it.)	02:31
-!- jtimon [~quassel@34.pool85-59-141.dynamic.orange.es] has joined #bitcoin-wizards		02:31
adam3us	op_mul: really that was only 6 lines?	02:31
gmaxwell	But, e.g. it doesn't prevent getting rid of your bonded coins and the replacing the chain.	02:32
op_mul	was that the post that "solved" boostrapping nodes with ask-a-friend?	02:32
gmaxwell	adam3us: your line ended with "unless you pre-commit to it to cast it)"	02:32
-!- MoALTz__ [~no@user-188-33-7-126.play-internet.pl] has quit [Quit: Leaving]		02:32
adam3us	yeah that was the end of it :)	02:32
-!- MoALTz [~no@user-188-33-7-126.play-internet.pl] has joined #bitcoin-wizards		02:32
adam3us	then if they see your double vote they can prove it and you lose some of your stake. so then obviously as there's no mining cost, people can just create fake histories from further back repeatedly and it devolves to the usual nothing at stake, his attempt to repair that is to impose a kind of rolling auto-checkpoint	02:33
adam3us	where its defined you cant go further back than n-blocks.	02:33
op_mul	"auto checkpoint" really is a oxymoron. I wish altcoins wouldn't use that as a security feature.	02:33
adam3us	he didnt use that term, he calls it "weak subjectivity" but anyway i hope its clear; he calls it subjective because the side effect is there can be multiple equally valid looking chains if you look back further than n-blocks so he says you need to find a trustworthy party who is on the network longer than n-blocks to certify which is the correct chain	02:34
gmaxwell	I'll be very glad to get to a position where grep on "checkpoint" in bitcoin core returns nothing; so tired of awful centeralized features in altcoins being called "checkpoints" and justified on the basis that bitcoin core implements something largely unrelated under the same name.	02:35
op_mul	NXT has been quoting that as a solution to everything for quite a long time, they prevent large reorgs to some degree.	02:35
op_mul	"To keep an attacker from generating a new chain all the way from the genesis block, the network only allows chain re-organization 720 blocks behind the current block height. Any block submitted at a height lower than this threshold is rejected. This moving threshold may be viewed as Nxts only fixed checkpoint."	02:36
adam3us	gmaxwell: unsurprising that someone already thought of that (zooko). or that vitalik failed to quote them or ask if someone had already done that. PoS could be interesting if it could work, though I am not sure its very economically fair. if bitcoin had it form day 0 satoshi would own 90% not 10% as if you have 10% of coins, you keep that percent, as you get 10% of reward for free for holding.	02:36
adam3us	gmaxwell: thats an ongoing interest or rent for free supply inflation protection for any holders.	02:38
adam3us	so i wonder can people go all-in do lots of double-votes and maintain a lead and then purge history or suppress proofs they double voted until the rolling consensus window kicks in where i think its definitionally disallowed to revise which block won. and then other people have to engage in the same practice or they reliably lose, and then the whole thing devolves to nothing at stake grind the vote instead	02:38
adam3us	do y'all think that attack works?	02:38
gmaxwell	adam3us: wrt economically fair, you could make it as orthorgonal as you want. I mean, you could choose to do distribution some more fair way... (of course for every reason that it's not very fair for subsidy, it's not very fair for control of the consensus order either)	02:39
op_mul	adam3us: there's other "checkpoint" systems in altcoins too. peercoin and it's clones all rely on having a central person signing all of the new blocks on the network. that's not an outlier either, all the PoS coins have it to prevent their networks from fragmenting.	02:39
adam3us	op_mul: there is no one signing checkpoints in vPoS. i believe its just that there is a rule that reorgs are not allowed to be more than n-blocks deep. i am not sure how that wont endup in a consensus fork either	02:40
op_mul	vpos?	02:41
adam3us	gmaxwell: you mean vPoS for transaction confirmation, and bare mining for reward for example. i guess then there's no economic motive to confirm transactions but yes i thought of that also. that much is kind of good in that you can solo mine on fractions of coins with tiny bandwidth for keeping up with the network.	02:41
adam3us	op_mul: just short for vitalik PoS.. not sure what its name is probably dagger version 23 (he keeps changing it when people break it)	02:42
op_mul	adam3us: yes. he is good at that.	02:43
adam3us	op_mul: only i think dagger was his name for his evolving PoW, so maybe as this is a PoS repair attempt he has a diff name for it, i didnt notice him give it a name in the article.	02:43
op_mul	it doesn't really matter what it's called, it's all just marketing. I find his blog posts to be almost unreadable.	02:46
iddo	adam3us: you cannot start pure PoS from day 0, you must have other rules (checkpoints being a bad example), otherwise anyone can do a fork from genesis with no effort	02:47
op_mul	all of their stuff has so many random names assigned to it that it's impossible to follow what the hell is going on, and which umbrella a concept falls under (if at all).	02:47
iddo	and other proof-of-x too, e.g. proof-of-storage you need to be careful not to have same problem	02:48
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards		02:48
adam3us	i am just wondering if the stake that is pre-committed to vote is actually a problem. presumably its not just a question of having a proof of double vote, you need to get that info into the blockchain, otherwise people can pretend to not receive it - like the difference between proof of publication and timestamping. committed tx have the same problem.	02:48
adam3us	if you can go nuts pre-commiting to billions of chain variants, and keep winning you can suppress the consensus knowledge of your double-voting.	02:49
gmaxwell	iddo: even if you solve some genesis, anything reduces to {from point X} where X in the past. Say you've bootstraped, then over time the original people leave the system. Becaues they've left their keys are wortless and the lose control of them or sell them. Now you can happily replace from that point.	02:49
adam3us	iddo: true for PoS (cant start from scratch)	02:50
gmaxwell	adam3us: yea you can be excluded from participating by the current participants.	02:50
adam3us	gmaxwell: but they dont want to fork the network or they have a consensus breakdown. they cant accept the proof of double-vote unless everyone receives it? ah i guess they could. they would only have a reason to ignore it if they were in on the conspiracy. that makes it a bit different to proof of publication. it is self-validatable, and they have an incentive to accept it without it being committed to consensus.	02:52
iddo	gmaxwell: yes you need an assumption on point X, such as assuming that majority of stake at point X is rational (not that i claim that then there is a good solution, just that with X=0 you cannot have pure PoS)	02:52
gmaxwell	iddo: rational isn't enough. It's rational, after you've spent all your coins to sell your past empty private keys.	02:53
adam3us	gmaxwell: i guess the other objection is if we say hypothetically it worked but the distribution is unfair. it seems the only fair distribution is PoW, and then there is no power saving and its strictly security weaker so a net loss. lets say it worked and bitcoin adopted it (phased in) then i suppose we could stop fresh coin mining, the existing volatility and distribution is good enough.	02:54
gmaxwell	adam3us: forget the double vote proof for a moment and consider the initial bonding they can just simply reject the bonding transactions from the consensus history, there is no fork.	02:54
iddo	gmaxwell: i don't understand what you mean? if majority got rid of their coins because they don't believe in the system, an minority is malicious, then this system should no longer exist anyway?	02:55
gmaxwell	adam3us: e.g. say I'm the only user of the system initially, with my premine. I sell you some of the coins. But when you try to mine, oops I never seem to hear your bonding transaction.	02:55
op_mul	iddo: private keys being empty doesn't mean you got rid of your coins, it just means you've moved them somewhere else.	02:56
adam3us	gmaxwell: so it seems everyone has an incentive to pretend to not hear anyone elses bonding transaction. thats kind of interesting.	02:56
gmaxwell	iddo: They do so _later_. at time >> X, after the majority at X has moved on to other things, the majority at X leaks/sells/gives away their keys.	02:57
iddo	adam3us: it's interesting question whether PoW gives fair distribution, the too extremes are unknown/unpopular new cryptocurrency, and a highly popular/hyped new cryptocurrency, whether you get fair distribution with PoW in these two cases?	02:57
gmaxwell	iddo: Then at time Y (Y>>X) someone replaces the history starting at X using those keys.	02:57
op_mul	iddo: it's more possible that the bitcoin bootstrapping only worked properly once. like a ring pull on a can of beans.	02:57
adam3us	iddo: i think gmaxwell means they can rollback the bonding transaction that originated the double-vote, however if they do that the flush the transaction confirmations and different transactions may be confirmed later so if this n-blocks is kind of long (which it must be to avoid frequent orphans) that would kind of suck for them.	02:58
gmaxwell	iddo: under certian assumptions it gives a distribution which is "fair" in a particular sense (mining for distribution is effectively a constant all-pay auction to get the next group of coins)	02:58
adam3us	iddo: i think PoW fair distribution can only happen once - in bitcoin. no future distribution can be fair as there is no surprise. nor electrically efficient as difficulty immediately ramps form speculators.	02:59
gmaxwell	adam3us: I'm not even talking about bonding there. I'm just pointing out that the initilization problem iddo spoke about is actually a problem at all points in time, not just 0.	02:59
iddo	gmaxwell: yes, i see you point, thinking about it now...	03:00
gmaxwell	Because even if you are rational, you have no incentive to not leak your keys after you've exited the system and no system of rewards/costs in the system can change that.	03:00
adam3us	gmaxwell: doesnt that imagine the exit of every initial holder?	03:00
adam3us	gmaxwell: but leaked keys wouldnt hurt after transfer is acknowledged past the n-block window, and reorgs arent accepted past it	03:01
gmaxwell	Someone in here proposed a bond that never runs out, that your stake is non-transferable and can only be used for mining and takes infinite time to return its costs... though in which case why would anyone ever mine, and I came up with a scheme that made the keys more or less securely transferable, even though the system fixes it to a single pubkey.	03:01
adam3us	gmaxwell: ok. i was focussed on the vitalik params to the idea. fair enough!	03:02
gmaxwell	adam3us: if you won't accpt reorgs past some height then consensus failure is guarenteed in at least some cases (though perhaps they're crazy ones and you'd rather the failure or handle it in other ways)	03:02
gmaxwell	but yea, I wasn't talking about the bonded coins idea specifically.	03:02
iddo	gmaxwell: yes, you need to assume that the majority at time X is rational at all future time Y, weaker assumption :(	03:02
adam3us	gmaxwell: yes i think so. use small stake you can afford to lose, vote multiple ways in the block before the n-window expires, keep doing it post your wins to different parts of the network, due to network latency some will see it and others not. ta-da fork!!	03:03
gmaxwell	iddo: actually that it is rational at X but _honest_ (altruistic) at all sufficiently far future times, so it's even stronger.	03:03
iddo	actually rational is unclear in this context, i meant that it will be rational for the majority of time X not to attack	03:03
gmaxwell	adam3us: yep. I think you're right.	03:04
op_mul	iddo: I don't think you really want to predicate security on rationality	03:05
gmaxwell	op_mul: in consensus systems you are limited in what you can do there.	03:06
gmaxwell	op_mul: ultimately there is no physical defintion of the right state, so any security argument has to involve the users.	03:06
gmaxwell	And the best you can probably argue for is that rational (if perhaps evil) users will prefer to go along with the rules. A weaker assumption involves 'honest' users -- ones who will follow the rules even if its more profitable to break them.	03:07
iddo	gmaxwell: maybe there are possibilities to mitigate this problem by having the majority of stake sign a checkpoint, this has some efficency drawbacks depending on details	03:08
gmaxwell	iddo: after they've done that they can leave the system (sell their coins), in which case it would be rational to then sell their useless-to-them old private keys to the highest bidder.	03:08
iddo	ok but they already signed a checkpoint, and users will prefer the older signed checkpoints (details are missing here, but it might be possible i think)	03:09
adam3us	gmaxwell: but i think selling should transfer both vote and coins simultaneously. and people wont accept sale where they dont get their coin private keys or you can respend it under them	03:09
gmaxwell	adam3us: uh, I think you misunderstood me.	03:10
gmaxwell	you sell your coins and your vote. sure. But that doesn't prevent your old private key from being used to forge an alternative history that branches back from when it was still yours.	03:11
adam3us	gmaxwell: you'd want to invalidate voting for a n-block period after sale.	03:11
op_mul	gmaxwell: I have some dissonance there. while I know that's the case, I don't like direct assertions that people won't do something that's against the ecosystem. people are, if at least in some portion, not predictable or rational.	03:11
adam3us	op_mul: sure people graffiti and spam and do crazy-ass stuff that actually costs money to no effect at times. schadenfreude paying to screw up someone elses day its a psychological effect.	03:13
iddo	adam3us: i don't see why n-block period matters, after you sold you can go back in history to whenever you want, and fork...	03:13
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		03:14
adam3us	iddo: yeah that was insufficient. you need the sale to take n-blocks maybe before its considered settled. thats kind of slow and frustrates trade however. as n is not 6 its like 1000s i think.	03:14
iddo	adam3us: i still don't see your point, what if majority at block that corresponds to one year after genesis decides to fork, while the current history is at year 2 after genesis ?	03:15
adam3us	gmaxwell: the sell and double-vote is a problem.	03:15
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-ymvadbglnyvyrkdt] has quit [Ping timeout: 272 seconds]		03:16
adam3us	iddo: that would take the majority. bitcoin could fork or rewrite history (eg to a snapshot before mtgox went bad)	03:17
iddo	adam3us: yes majority of those who already sold and no longer have any stake... weak assumption :(	03:17
adam3us	iddo: i mean there's a difference as vPoS assumes you ask the majority what is the correct chain, where as bitcoin (currently) assumes you pick the highest PoW chain	03:17
iddo	adam3us: i suggested majority to checkpoint to avoid this problem, it has tricky issues too	03:18
op_mul	s/highest/most difficulty/	03:18
adam3us	iddo: i imagine vitalik would tell you to pick not from sybil random people but people you trust. hence weak subjectivity	03:18
op_mul	yes.	03:18
adam3us	op_mul: yeah thats what i meant, poor phrasing.	03:18
op_mul	and you can imagine how that will devalue.	03:18
op_mul	a central service that does the checking for you.	03:19
iddo	adam3us: gmaxwell and i were talking about any pure PoS system, not assuming particular ways that it behaves	03:19
adam3us	iddo: well pure PoS has nothing at stake so is buried and forgotten?	03:19
iddo	note that bitcoin PoW requires checkpointing too to avoid DoS, so that comparison is a bit unfair when we say that we checkpointing to also avoid other problems	03:20
op_mul	requires?	03:20
iddo	adam3us: i proposed a variant that tries to mitigate nothing-at-stake by only having single possible block that can extend the chain at any point	03:21
iddo	op_mul: yes see e.g. https://bitcointalk.org/index.php?topic=194078.msg2014204#msg2014204	03:22
adam3us	iddo: "bitcoin PoW requires checkpointing too to avoid DoS" well a DoS resistant multi-path network is part of the bitcoin security assumption, so i think thats in scope. PoS has nothing at stake even without DoS	03:22
op_mul	iddo: that's not really a requirement.	03:23
iddo	adam3us: i meant to avoid creating easy-difficulty blocks at genesis and carry out DoS, eg. see bitcointalk link i pasted	03:23
adam3us	iddo: oh _that_ DoS, ok.	03:23
op_mul	iddo: slightly less important with headers first, too.	03:24
gmaxwell	iddo: Bitcoin core no longer requires checkpointing to avoid DOS.	03:24
adam3us	maybe compact SPV proofs could fix that. you fill the in backwards if presented with a compact SPV proof that is higher work.	03:24
iddo	gmaxwell: how come?	03:25
gmaxwell	Headers first almost completely eliminates that concern.	03:25
gmaxwell	(and compact SPV proofs could close it off further)	03:25
adam3us	iddo: "i proposed a variant that tries to mitigate nothing-at-stake by only having single possible block that can extend the chain at any point" how could you have consensus on what that block is in a decentralised system?	03:26
gmaxwell	iddo: At least sipa and I are in argreement to remove checkpoints in bitcoin core now that we use headers first sync; it just didn't make it into 0.10.	03:26
op_mul	gmaxwell: I thought your stance at one point was that they were still desirable?	03:26
gmaxwell	op_mul: huh? no. I have no clue what I would have said that might have indicated that!	03:27
iddo	gmaxwell: hmm with header first, couldn't you create extentions to genesis block and spam the network with that?	03:27
op_mul	gmaxwell: must have been someone else, don't worry I haven't been spreading that as "gmax says//"	03:27
adam3us	iddo: i guess the point is headers are small.	03:27
gmaxwell	iddo: you can only ask nodes to take 80 byte headers there. So the cost in Kw of power per kbit/sec of bandwidth is rather high. You're better off just doing an IP layer dos attack at that point.	03:28
iddo	gmaxwell: anyway thanks for pointing out this extra problem of PoS, i'll need to update my pure-PoS paper, it will be less attractive now:) http://www.cs.technion.ac.il/~idddo/CoA.pdf	03:28
gmaxwell	iddo: Not sure if you've seen, https://download.wpsoftware.net/bitcoin/pos.pdf	03:29
iddo	adam3us: this ^^ link is the construction that we proposed, it relies on randomized lottery among stakeholders	03:29
gmaxwell	iddo: which presents a number of generic POS issues.	03:29
iddo	gmaxwell: i've seen an old version, i don't think the problem that we discussed now is there?	03:29
gmaxwell	(while trying to avoid going into the weeds of any specific proposal; because the problem is that people making these proposals just keep making tweaks to dodge any concrete attack example; without clearly improving the security fundimentally)	03:30
gmaxwell	iddo: I think it is, but perhaps thats just because I see what we discuss as a specific example of the simulation argument in there.	03:30
iddo	ok	03:31
iddo	gmaxwell: ok so maybe the need for checkpoint in PoS isn't unfair if you can avoid it in Bitcoin	03:31
adam3us	so going back to this claim that after early people drop out and then you have another instance of the genesis problem. i'm not sure about that. the current people at that point learnt about the true chain from trusted others, and can carry the torch after they left. if you believe in WoT maybe they can make that work.	03:31
iddo	gmaxwell: but still, checkpoints to speed up performance to end-users is nice with PoW too, SNARKs can help	03:32
-!- e1782d11df4c9914 [~e1782d11d@172-7-226-202.lightspeed.hstntx.sbcglobal.net] has joined #bitcoin-wizards		03:32
iddo	adam3us: yes, in my example they can because they will respect the original signd checkpoint instead of an attempt by malicious/rational stakeholders to create a competing checkpoint, i think that you say that it can be more simple, but try to specify exact rules and i might be tricky	03:34
iddo	s/i might/it might	03:34
adam3us	iddo: but its not really rule based - you make sure to learn about the best chain via your social connections to people you consider trustworthy. its pure WoT that you hope is fully connected, and if there's money at stake maybe people put enough effort in for once to make WoT actually work.	03:36
adam3us	iddo: it doesnt sound so terrible as an assumption to me really - it gives the world a one-true trust anchor to rally around. they can broadcast it, include it on news tickers, people sign it, any bitcoin company put on their web page beside the bitcoin price etc etc?	03:37
iddo	you'll need to mention at least some rules, if it's only WoT then it'd be similar to ripple proof-of-consensus, that doesn't seem to work as a decentralized system	03:37
gmaxwell	iddo: if you are invoking a snark though you don't need anything like a checkpoint.	03:37
gmaxwell	iddo: a peer can just prove to you some state is valid and hand it to you.. at that point it shouldn't be called a checkpoint at all as it has no resemblance to anything else people call checkpoints. :)	03:38
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.]		03:38
iddo	gmaxwell: ok maybe i used bad terminology, i meant using snark as a trust-free checkpoint	03:38
adam3us	iddo: well its one removed from ripple consensus i think. in ripple your trusted or blessed hierarchical transaction voters work to achieve teh definition of consensus. in vPoS the introduction is _only_ to get you started on the one true chain, once you're there you can stay there by yourself.	03:39
gmaxwell	iddo: I understood. You shouldn't use the word checkpoint there. Becuase, e.g. that doesn't vindicates trusty-checkpointing PoS schemes. :)	03:40
gmaxwell	adam3us: well you already pointed out why that doesn't work in the face of a byzantine attacker.	03:40
adam3us	gmaxwell: you mean the consensus is trivially forky? sure but thats another design area. iddo seemed to be equating the introduction to the ripple voting. well ok vPoS voting is forky too, just due to race conditions rather than trusting WoT convergence.	03:42
iddo	well the snark could be for the computation of the majority of stakeholders' signatures, but it's true that with PoS it's to solve a real security problem, not just optimization like in Bitcoin	03:42
gmaxwell	I think his comparison with ripple is apt. though because the forkyness you pointed out means that ultimately it reduces to trust your friends (if it doesn't just fail entirely with a byzantine attacker, I guess thats unclear)	03:43
adam3us	gmaxwell: btw I _love_ how people cant see race conditions. very funny. reminds me of someone i knew who tried to design distributed network protocols in a debugger. he'd watch it fail then tweak the algorithm. uh no you have to be mathemtically certain there is no undefined behavior and no fork scenario.	03:43
gmaxwell	iddo: it doesn't actually solve any security problem there, it's just an optimization regardless.	03:43
adam3us	gmaxwell: yeah there is some similarity in outcome for sure.	03:44
iddo	gmaxwell: if majority signed at time X, and then at later time Y build a competing chain, then that signature is supposed to mitigate the security problem	03:44
gmaxwell	iddo: sure but you can just expose the signatures, no snark needed.	03:45
iddo	yes, i meant the "checkpoint" is needed, snark is always just (maybe) an optimization	03:45
adam3us	i wonder if they think the fork you could easily create would have an eventual longest fork winner like bitcoins consensus convergence approach? with vPoS you could work to keep the forks continually balanced and then start an actual PoW race to break the tie.	03:47
adam3us	where the PoW would be double voting dust to nudge one or other fork to win.	03:47
gmaxwell	adam3us: related to debugging race condtitions; IIRC one feature of "rr" (A replay debugger: http://rr-project.org/ ; records all non-determinstic inputs to your program, including scheduling, so you can effectively go backwards in a debugger ) is that it can schedule your threads in a somewhat adversarial	03:47
adam3us	(no longer part of their protocol anyway, that probably counts as a fail)	03:47
gmaxwell	iddo: I dunno if you saw, but someone posted a tool with a new metalanguge wrapper around libsnark complete with circuits for sha256 and sha512.	03:48
gmaxwell	I'm pretty close to being able to demonstrate an actual zero knoweldge contingent payment in bitcoin using it.	03:48
adam3us	gmaxwell: eventually i had to rescue this situation and rewrite the entire thing in a week (6mo failed project:) he was puzzled why i would sit there and think about the protocol rather than reach for the debugger if anything failed.	03:49
iddo	gmaxwell: nice to know, alas it requires trusted setup, i'm working on non-trusted-setup variant (PCP proofs) now	03:53
iddo	gmaxwell: in the trusted-setup world that are new competitors too, like this one http://eprint.iacr.org/2014/976/20141201:093827 (not sure which system if the most efficent these days)	03:54
gmaxwell	iddo: well for a ZKCP there is no trust, because there is a designated verifier (the person buying the info) who can just do the setup.	04:01
gmaxwell	iddo: the non-trusted setup work is super important. Do you yet have any ideas on the concrete efficency?	04:01
-!- Starduster_ [~guest@unaffiliated/starduster] has joined #bitcoin-wizards		04:03
-!- Starduster [~guest@unaffiliated/starduster] has quit [Ping timeout: 240 seconds]		04:05
iddo	gmaxwell: yes the buyer/verifier can do the setup but then it isn't really a SNARK (no succinct verification, unless it's amortized over many proofs), so it's used just for non-interactive ZK proof in that case (and as you pointed out, interactive ZK proof can be even more efficient for ZK contingent payment)	04:06
gmaxwell	iddo: well I have a setup that is amortized. (assuming that you really like buying sudoko answers...)	04:07
iddo	nothing concrete yet:( jury is still out regarding whether it will be efficient in practice, but there are reasons to be optimistic... i'll update you when it becomes more clear, maybe soon	04:07
gmaxwell	it saves computation though even if you only use it once, because the thing inside the snark is a verification equation that is much faster than solving the problem you're buying the answer to.	04:08
iddo	but the verifier will also need to compute the keygen procedure...	04:08
gmaxwell	iddo: Right. For a ZKCP you do not put the hard problem inside a SNARK. Instead you put an admissable solution _verifier_ for the hard problem inside the SNARK.	04:09
gmaxwell	The seller of information does the hard problem solution totally external to the ZKP, finds a solution, encrypts it, and then uses the SNARK to prove to you that some data is the encryption of the solution you want, and the hash preimage of some value is the key to that encryption.	04:10
iddo	not sure that i understand, anyway the keygen is just some totally generic procedure that prepared random elements for bilinear pairings, or something	04:11
* gmaxwell forehead		04:11
gmaxwell	iddo: Yes, I know how the system works. :P I'm pointing out that if it's applied in this way you still get an effectively succinct protocol (one which is not trivial and saves the verifier computation) even if the verifier must do keygen for each and every use.	04:12
iddo	BTW it needs snark circuit for AES, anyone wrote that yet? the zerocash people only wrote SHA256	04:13
gmaxwell	iddo: I replaced the AES with more SHA256. Also the zerocash people haven't released any of their circuits; fortunately someone else did.	04:13
iddo	gmaxwell: i don't see how it is succinct, the verifier needs to run keygen for number of steps that's the same as the prover running time	04:14
gmaxwell	iddo: E.g. SHA256(secret\|\|counter)^data is a nice enough stream cipher.	04:14
gmaxwell	iddo: because the vast majority of the computation is outside of the ZKP entirely.	04:14
iddo	ok, but still number of steps for encrypt+hash are needed	04:15
iddo	i.e. the proof needed for ZKCP isn't made more succinct that a non-snark ZK proof for this encrypt+hash computation	04:16
iddo	s/that/than	04:16
gmaxwell	Thats true. But the whole protocol is succinct, so it isn't pointless. And I have no implementation of _any_ succinct or not ZKP for sha256. (well except for my crappy one with enormous quadratic in the circuit size communications complexity)	04:17
iddo	hmm yes nice stream cipher, i guess no one uses that because AES is actually more efficient that SHA256, just nobody bothered to implement it in libsnark yet	04:17
gmaxwell	ZKCP doesn't need a succincy ZKP to be worth doing; it just needs to be pratical enough.	04:18
iddo	in the garbled circuits world i think the situation is reversed, there are AES implementations, and no one bothered to implement SHA2	04:19
gmaxwell	iddo: yea, AES looks pretty easy in the circuits libsnark gives access to, indeed. But I can't justify spending weeks hand coding a boolean logic implementation of AES for something that just demonstrates the tech.	04:19
-!- MoALTz_ [~no@user-46-112-49-198.play-internet.pl] has joined #bitcoin-wizards		04:20
gmaxwell	yea, seveal of the MPC programs I've seen have a semi-honest protocol that does AES.	04:20
iddo	maybe they also have cut-and-choose implementation to handle malicious case	04:21
gmaxwell	iddo: perhaps but the snark is nice because it's a two move protcol for the snark itself, the MPC like ways of doing this require heavy interaction.	04:22
iddo	not even implementation, just some automation i guess, it'd work because interactive is ok for ZKCP	04:22
gmaxwell	yea, interactive is okay, though engineering wise its better if there is less.	04:23
gmaxwell	e.g. SNARK ZKCP works over email.	04:23
-!- MoALTz [~no@user-188-33-7-126.play-internet.pl] has quit [Ping timeout: 272 seconds]		04:23
gmaxwell	where as a MPC one wouldn't.	04:23
iddo	yes you'll need several rounds, to send garbled circuits, then open some circuits, then oblivious-transfer for the input wires... many emails to send:)	04:24
gmaxwell	so I think in general one can support N minutes of computation for each round of communication you eliminate; where N is however long it takes to copy some text into an email. :P	04:26
iddo	what about the verification circuit for sudoku or whatever, it's implemented as snark already?	04:29
iddo	13:53 < iddo> gmaxwell: nice to know, alas it requires trusted setup, i'm	04:30
iddo	13:53 < iddo> gmaxwell: nice to know, alas it requires trusted setup, i'm	04:30
iddo	oops paste, my keyboard sucks sorry :(	04:30
-!- Profreid [~Profreitt@gateway/vpn/privateinternetaccess/profreid] has joined #bitcoin-wizards		04:30
gmaxwell	iddo: yea, I came up with a pretty simple construction (with some cluesticking by gwillen) that makes it require pretty much only addition and equality tests, linear in the number of cells in the puzzle. I still have some gluing to do to get it all running.	04:33
-!- llllllllll [~lllllllll@53-109.bbned.dsl.internl.net] has joined #bitcoin-wizards		04:35
iddo	cool	04:35
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards		04:39
-!- narwh4l [~michael@unaffiliated/thesnark] has joined #bitcoin-wizards		04:40
-!- narwh4l [~michael@unaffiliated/thesnark] has quit [Remote host closed the connection]		04:53
-!- e1782d11df4c9914 [~e1782d11d@172-7-226-202.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 240 seconds]		04:54
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-vbpbkojhkdzsxuqy] has joined #bitcoin-wizards		04:56
-!- luny [~luny@unaffiliated/luny] has joined #bitcoin-wizards		05:32
-!- luny` [~luny@unaffiliated/luny] has quit [Ping timeout: 240 seconds]		05:34
adam3us	is larger blocksizes (as gavinandresen was discussing) a hard fork? i presume it must be?	05:42
-!- luny` [~luny@unaffiliated/luny] has joined #bitcoin-wizards		05:42
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		05:42
gmaxwell	Of course. (gosh if the system didn't control the maximum size...)	05:43
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Client Quit]		05:44
adam3us	gmaxwell: so then for people worried about tx throughput being only 3-4x way from full blocks (more if you discount spam that'd go away if the space shortage pushed up the tx fee) - this idea of gavinandresen's is going to be real tricky to deploy.	05:44
-!- luny [~luny@unaffiliated/luny] has quit [Ping timeout: 265 seconds]		05:45
Luke-Jr	adam3us: until we have regular full blocks, it's hard to speculate on when we might need to increase block size IMO	05:46
adam3us	gmaxwell: maybe you could intro a new address type that is only valid in an extension block (another 9MB of block committed to somewhere in the 1MB block) and existing coins can be paid to extension coins (with something that looks a bit PoB burn like to old clients for old utxo compaction), and extension coins can be paid to extension coins) then people who upgrade get more tx througput	05:50
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards		05:50
adam3us	gmaxwell: to get a soft-forkable blocksize increase.	05:50
gmaxwell	you don't neven need that, you can just have the moved coins disappear.	05:52
adam3us	gmaxwell: you'd want the 1mb utxo to be compatible i think.	05:53
gmaxwell	and preclude their doublespends even though non-upgraded systems can't see the initial spends, its still a soft fork; In general anything that can be done in a hardfork can be made a softfork with enough rocket thrusters; though uh. most people who've realized this have though better than to promote the idea.	05:53
gmaxwell	adam3us: why? it doesn't matter: The coins just are invisibly unspendable to old nodes.	05:53
adam3us	gmaxwell: they dont know its unspendable so 1mb block utxo set grows. minor point.	05:54
gmaxwell	in any case I think thats a generally horrible idea (with or without the burn enhancements) since it's really just a hardfork in disguise, esp since it changes the social contract of the network for other participants somewhat.	05:54
gmaxwell	adam3us: well true though its rate of growth should fall since all future transactions from the moved coins can't be seen there at all.	05:55
adam3us	gmaxwell: rocket thrusters! (yeah i'm not sure its a good idea, just i heard "must be hard fork" which of course caused immediate oh really adversarial thinking to kick in and look for a way to soft-fork it).	05:55
adam3us	gmaxwell: why do u say it changes the social contract? its not like p2sh soft-fork where miners are basicaly lieing to old clients with an op_true	05:56
adam3us	gmaxwell: social contract of not having stupidly large blocks which then creates centralisation? agree. but if blocks really fill up with non-spam and transactions backup thats not cool either.	05:57
gmaxwell	adam3us: when some softfork adds some scripting rule anyone who the scripting rule effects opted into it for their own coins (ignoring perhaps a covenant).	05:57
gmaxwell	But a rule that changes, effectively, whom can actually run a node, isn't something that ought to be slipped in quietly on people via minor censorship of transactions.	05:57
adam3us	gmaxwell: the extension coins seem a bit opt-in no?	05:58
adam3us	gmaxwell: ok you're talking about blocksize, yes i agree.	05:58
adam3us	gmaxwell: (centralisation side-effects of)	05:58
gmaxwell	adam3us: yea, and I'm not saying it's good vs bad, just that soft forking is less good of a mechenism when something has more third party effects. I could argue either way how opt-in an extension block is; it depends on how it was implemented. E.g. I'd presume that it would be completely transparent in wallets that supported it, so if it was actually successful anyone who didn't like it would be	05:59
gmaxwell	very rapidly forced onto it.	06:00
adam3us	gmaxwell: yes, there is an avalanche effect with security soft-forks, eg p2sh where you are at ongoing risk until you upgrade. this isnt that but it does foist blocksize which is bad for centralisation.	06:01
-!- grandmaster [dansmith3@knows.the.cops.are.investigat.in] has joined #bitcoin-wizards		06:01
adam3us	gmaxwell: if we strap on even more boosters perhaps you could make extended coins payable to non-extended ones, via a pool of op_true coins (dont delete via PoB but spend them to op_true <magic>). barf.	06:02
gmaxwell	adam3us: it's a bit different though, e.g. someone with a pre-p2sh client can still use the network, though their low confirm count security may be slightly lower than before. And upgrading to enforce the extra rule is cheap. Vs say a block extension softfork, where perhaps they can't recieve coins at all anymore quite quickly... and upgrading means large increases in operating cost.	06:03
gmaxwell	oh jeez, indeed, thats true.	06:04
gmaxwell	well I suppose that takes away the can't recieve at all point I was just making.	06:04
gmaxwell	At that point it's basically what we discribed in the sidechains whitepaper as "risk of softfork", but without the truth in advertising that the addition is something seperate which ought to be considered seperately.	06:05
gmaxwell	described*	06:05
-!- bit2017 [~linker@42.116.152.78] has joined #bitcoin-wizards		06:06
adam3us	gmaxwell: hmm i wonder if we just described an alternate view of sidechains there?	06:06
adam3us	gmaxwell: make the extension block merge mined, something close & related anyway.	06:07
adam3us	gmaxwell: send the extension transactions over a different p2p port/magic number.	06:07
-!- coiner [~linker@58.186.142.128] has quit [Ping timeout: 265 seconds]		06:08
gmaxwell	yes, I mean, we actually talk about this specifically in the sidechains whitepaper. The two distinctions are soft forking the validity of the extension, and interface papering over the system (Also before you mentioned the dummy pool, the inability to do the return peg)	06:08
adam3us	gmaxwell: re-reading it now :) kind of forgot that bit	06:09
adam3us	alright yes thats very related commentary.	06:11
gmaxwell	I actually do see that as a reasonable way to do system upgrades, but I'm unsure of the boundaries where its a fair and equitable thing to do... because when it comes to the technical aspect the social contract of bitcoin is unclear.	06:12
adam3us	gmaxwell:so i think i got my connection right now: with this model it could actually be main-chain mined (an actual-soft-fork) but because there are two coin types, it has a security firewall in the same way that sidechains do. so if the extension block has some additional rules, different contract language, zerocash etc. the coins with op_true <magic> are serving as a peg pool.	06:16
gmaxwell	yea, it's just a soft-forked sidechain at that point, from a technical perspective; but it also matters how it's presented to people.	06:17
adam3us	gmaxwell: the universes can co-exist and security defects do not leak from the extension coins to people who dont opt in.	06:17
adam3us	gmaxwell: so separate from increasing block size that seems actually kind of interesting.	06:18
gmaxwell	adam3us: reacall we had a similar discussion about sidechains before with enforced consensus and I pointed out that consensus instability in the (sidechain in that discussion) extension 'leaks'	06:18
adam3us	gmaxwell: yes you are right. thats the limitation. hmm.	06:19
gmaxwell	so if the code for the extension has a non-determinstic verifier failure; and the validity of the extension is soft-fork mandated in the main chain, then the main chain splits too. So the firewall is not as strong.	06:19
gmaxwell	adam3us: wumpus has been toying some with getting bitcoin consensus code running inside moxie box... which is partially an expirement around sandboxing the consensus code to turn it into a bytecode to be damn sure its implemented determinstically...	06:20
adam3us	gmaxwell: yeah i get it from first comment. my counter to that is to make a tight interpreter that is security provable and right the extensions in that.	06:20
adam3us	gmaxwell: yes. somehow coerce it into being deterministic now matter.	06:21
gmaxwell	yea, thats the goal of the thing I just mentioned, and I agree it may be adequate for this.	06:21
adam3us	gmaxwell: (i made that counter in the last discussion some months back) but yes its basically the same thing i guess as this moxie box that you mentioned before.	06:22
gmaxwell	yea, moxie is a simple virtual machine, it's implementable as a ~1kloc of C switch statement.. so it should be fairly straightforward to prove that an implementation of it is absolutely determinstic and memory safe, etc. and presumably people could make optimized versions which were provably consistent with the spec and so on.	06:24
adam3us	gmaxwell: and if you have that deterministic vm byte code you can also validate side-chains, or (for bandwidth saving) disprove claims about the sidechain if the sidechain must provide both an interpreter and a claim disproving script (in the same byte code). ie prove you do not own the returned coin according to sidechain more rules than validating the full chain of ownership in the sidechain	06:24
gmaxwell	adam3us: yes but without interaction those proofs may not be compat.	06:25
gmaxwell	compact*	06:25
adam3us	gmaxwell: which avoids the "and then 51% takes all the coins" and avoids the need for a bitcoin denominated fraud bounty (my other idea for imposing a counter-veiling disincentive to doggedly trying to take the coins)	06:26
adam3us	gmaxwell: yes. kind of like rusty seemed to be thinking of for disproving fraud in other shards in pettycoin	06:26
adam3us	gmaxwell: alright op_spv + op_moxie :)	06:27
adam3us	gmaxwell: maybe there are an interesting enough range of things that are compactly non-interactively disprovable.	06:31
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		06:36
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Client Quit]		06:39
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		06:53
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.]		07:13
-!- orwx [~orw@bzq-148-168-31-177.red.bezeqint.net] has joined #bitcoin-wizards		07:17
-!- fanquake [~anonymous@unaffiliated/fanquake] has quit [Quit: fanquake]		07:22
-!- MoALTz_ [~no@user-46-112-49-198.play-internet.pl] has quit [Quit: Leaving]		07:47
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		07:47
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-vbpbkojhkdzsxuqy] has quit [Ping timeout: 245 seconds]		07:51
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.]		08:01
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		08:05
-!- shesek [~shesek@109.67.132.151] has quit [Ping timeout: 250 seconds]		08:09
-!- damethos [~damethos@unaffiliated/damethos] has quit [Quit: Bye]		08:24
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has quit [Read error: Connection reset by peer]		08:32
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards		08:34
atgreen	gmaxwell: re: optimized versions.. there's a QEMU port that is more performant. I was just hacking it this AM to bring up Linux port.	08:53
atgreen	uClinux, I mean.	08:53
gmaxwell	atgreen: hah, yea but I wouldn't consider touching QEMU for consensus criticial code in bitcoin; sorry, went through a fair bit of it and don't consider it even slightly trustworthy (not the moxie specific parts, but spent time looking at qemu arm code)	08:54
gmaxwell	For what I was talking about before an optimization wouldn't be reasonable consider without a machine checkable proof that it computed exactly the same function as the straight C version.	08:55
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang]		09:02
-!- Tjopper [~Jop@dhcp-077-249-237-229.chello.nl] has joined #bitcoin-wizards		09:07
-!- Tjopper1 [~Jop@dhcp-077-249-237-229.chello.nl] has quit [Ping timeout: 256 seconds]		09:08
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards		09:09
-!- e1782d11df4c9914 [~e1782d11d@172-7-226-202.lightspeed.hstntx.sbcglobal.net] has joined #bitcoin-wizards		09:10
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has quit [Ping timeout: 240 seconds]		09:11
-!- Guest49039 is now known as mr_burdell		09:13
-!- mr_burdell [~mr_burdel@hop.cryptolabs.net] has quit [Changing host]		09:13
-!- mr_burdell [~mr_burdel@unaffiliated/mr-burdell/x-7609603] has joined #bitcoin-wizards		09:13
-!- e1782d11df4c9914 [~e1782d11d@172-7-226-202.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 264 seconds]		09:18
-!- Tjopper1 [~Jop@dhcp-077-249-237-229.chello.nl] has joined #bitcoin-wizards		09:27
-!- Tjopper [~Jop@dhcp-077-249-237-229.chello.nl] has quit [Ping timeout: 264 seconds]		09:30
-!- tacotime [~mashkeys@198.52.200.63] has joined #bitcoin-wizards		09:35
-!- Tjopper1 [~Jop@dhcp-077-249-237-229.chello.nl] has quit [Ping timeout: 256 seconds]		09:40
-!- Tjopper [~Jop@dhcp-077-249-237-229.chello.nl] has joined #bitcoin-wizards		09:41
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]		09:41
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has joined #bitcoin-wizards		09:42
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards		09:48
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards		10:04
-!- koshii [~0@c-68-58-151-30.hsd1.in.comcast.net] has quit [Quit: leaving]		10:04
-!- koshii [~0@c-68-58-151-30.hsd1.in.comcast.net] has joined #bitcoin-wizards		10:05
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang]		10:10
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards		10:18
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has quit [Remote host closed the connection]		10:19
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.]		10:28
gmaxwell	petertodd: Building consensus code in very high level languages, demonstrated: https://www.youtube.com/watch?v=RkTvDjhImwo	10:30
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		10:31
-!- belcher [~belcher-s@5ec1ab86.skybroadband.com] has joined #bitcoin-wizards		10:32
-!- belcher [~belcher-s@5ec1ab86.skybroadband.com] has quit [Changing host]		10:32
-!- belcher [~belcher-s@unaffiliated/belcher] has joined #bitcoin-wizards		10:32
-!- dgenr8 [~dgenr8@unaffiliated/dgenr8] has quit [Quit: Leaving]		10:32
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.]		10:36
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		10:50
-!- narwh4l [~michael@unaffiliated/thesnark] has joined #bitcoin-wizards		10:52
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.]		11:06
-!- mkarrer [~mkarrer@135.Red-83-52-38.dynamicIP.rima-tde.net] has quit []		11:19
-!- wallet42 [~wallet42@f052165145.adsl.alicedsl.de] has joined #bitcoin-wizards		11:19
-!- wallet42 [~wallet42@f052165145.adsl.alicedsl.de] has quit [Changing host]		11:19
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		11:19
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang]		11:20
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.]		11:26
-!- MoALTz [~no@user-46-112-49-198.play-internet.pl] has joined #bitcoin-wizards		11:28
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 250 seconds]		11:29
-!- Burrito [~Burrito@unaffiliated/burrito] has joined #bitcoin-wizards		11:36
petertodd	gmaxwell: heh, I didn't even need to hit play to know what that video was...	11:50
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards		11:51
petertodd	gmaxwell: anyway, note that I didn't claim anything about building consensus code in high level languages, beyond the fact that C is too low-level to do it safely, and C++ probably is a decent choice in the current language ecosystem	11:55
-!- benten [~benten@unaffiliated/benten] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]		12:00
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards		12:00
narwh4l	petertodd, don't shoot me, but serpent is a turing complete contract language, right?	12:01
narwh4l	petertodd, so a clone of that might suffice	12:01
narwh4l	petertodd, then you build you consensus system on top of that? Maybe? Just thinking out loud	12:02
michagogo	gmaxwell: uh, wtf is happening in that video	12:03
-!- benten [~benten@unaffiliated/benten] has quit [Ping timeout: 256 seconds]		12:04
-!- kgk_ [~kgk@76.14.85.43] has joined #bitcoin-wizards		12:04
michagogo	Ah, heavily modified components	12:08
michagogo	https://www.youtube.com/watch?v=mzDTZuFJYX4	12:08
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang]		12:10
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has joined #bitcoin-wizards		12:17
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards		12:18
-!- todays_tomorrow [~me@d114-78-106-45.bla803.nsw.optusnet.com.au] has quit [Read error: Connection reset by peer]		12:26
-!- bitstein [~bitstein@unaffiliated/bitstein] has joined #bitcoin-wizards		12:26
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-ozzefriockavbufu] has joined #bitcoin-wizards		12:32
-!- belcher [~belcher-s@unaffiliated/belcher] has quit [Quit: Leaving]		12:37
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]		12:40
-!- mortale [~mortale@gateway/tor-sasl/mortale] has joined #bitcoin-wizards		12:40
-!- roconnor [~roconnor@e120-pool-d89a63c0.brdbnd.voicenetwork.ca] has joined #bitcoin-wizards		12:50
-!- bektar [~jakob@c-46-162-82-69.cust.bredband2.com] has joined #bitcoin-wizards		12:57
-!- roidster [~chatzilla@96-41-48-194.dhcp.mtpk.ca.charter.com] has joined #bitcoin-wizards		13:02
-!- roidster [~chatzilla@96-41-48-194.dhcp.mtpk.ca.charter.com] has quit [Client Quit]		13:03
-!- roidster [~chatzilla@96-41-48-194.dhcp.mtpk.ca.charter.com] has joined #bitcoin-wizards		13:05
-!- roidster is now known as Guest66177		13:05
-!- Guest66177 [~chatzilla@96-41-48-194.dhcp.mtpk.ca.charter.com] has quit [Client Quit]		13:05
petertodd	narwh4l: I believe credit goes to gmaxwell for suggestion that - make your consensus system be a codebase that can run in a much simpler virtual machine	13:25
adam3us	are the btcd guys on this channel?	13:25
adam3us	just got some reaction from davec on bitcointalk to the question of what btcd funding is and what the motivation / profit model is for that, and also about forking risk re-impleenting the consensus critical part of bitcoin and persuading people to use it.	13:27
adam3us	(who it seems is lead dev on btcd)	13:27
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-ozzefriockavbufu] has quit [Ping timeout: 245 seconds]		13:30
kanzure	well, i can think of many incentives, although i don't know if they have mentioned any in public (i wasn't paying attention)	13:30
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-kuymeqzypvivcubp] has joined #bitcoin-wizards		13:32
-!- bitstein [~bitstein@unaffiliated/bitstein] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]		13:32
-!- cluckj [~cluckj@cpe-24-92-48-18.nycap.res.rr.com] has quit [Quit: Leaving]		13:33
-!- ebfull [~ebfull@c-76-120-40-34.hsd1.co.comcast.net] has quit [Read error: Connection reset by peer]		13:41
-!- ebfull [~ebfull@c-76-120-40-34.hsd1.co.comcast.net] has joined #bitcoin-wizards		13:42
adam3us	kanzure: i thought it was a fair question. the answers i got werent very clear https://bitcointalk.org/index.php?topic=68655.msg9998070#msg9998070 and btcd second reply https://bitcointalk.org/index.php?topic=68655.msg9998327#msg9998327	13:42
kanzure	"First, both of these are completely irrelevant. No one knows who Satoshi was/is, yet that isn't a problem for Bitcoin Core" arguably people did get to know satoshi in public	13:43
adam3us	they still dont seem to see the fork risk, or alternatively claim the see and understand it fine but its not a problem, or no more of a problem for btcd vs bitcoin fork compared to bitcoin vs itself — which is bollocks.	13:45
kanzure	oh, you think they do see the fork risk?	13:45
adam3us	kanzure: well read the second post he tried to refute my claim they had to be educated by quoting himself from his first announce before anyone knew about btcd to have educated them about the fork risk.	13:46
kanzure	they seem to be saying "as long as there is no fundamental improvement to the situation (e.g., other than "use bitcoind") to permanently avoid fork risks, it is perfectly acceptable for alternative implementations to lose user money"	13:47
fluffypony	adam3us: do you have the same concerns with Bits of Proof's client?	13:47
adam3us	fluffypony: the problem is when people use alternate consensus code in miners and clients simultaneously with a alt-consensus code < 50% or also a problem if its > 50% hashrate even if no clients use it. thats what i think but others spent more time analysing the problem.	13:49
fluffypony	sure, but the consensus rules are (and should be) clear and open, you can't prevent alternate clients on principle alone	13:49
adam3us	fluffypony: if someone finds a malicious divergence opportunity they can exploit the crap out of it to steal money from people using that fork.	13:49
kanzure	right	13:50
kanzure	or do things like "get a transaction signed on one fork, and then relay it on another"	13:50
adam3us	fluffypony: we cant stop people making home nukes either, doesnt make it any less ill-advisable :) also known as two wrongs dont make a right.	13:50
fluffypony	if one of those alternate clients (or Bitcoin core) has a bug unique to it...well, fuck, it's a bug, people who are risk averse won't be using a non-core client anyway	13:51
* narwh4l laughs at "home nukes"		13:51
kanzure	nah we know how to protect ourselves from people making home nukes (= don't put all your eggs in one basket within the blast radius)	13:51
kanzure	(or the fallout zone)	13:51
kanzure	((i asked elon for a space habitat for xmas but it hasn't arrived))	13:51
fluffypony	I don't get the "one client to rule them all" logic, sounds more like control-freak logic to my ears but maybe I'm misunderstanding the sentiment	13:51
-!- hktud0 [ncidsk@unaffiliated/fluffybunny] has quit [Read error: Connection reset by peer]		13:52
kanzure	"control freak" as in "you shouldn't expose your users to your incompetence"?	13:53
* fluffypony shakes his head		13:53
kanzure	*possible incompetence	13:53
fluffypony	the very nature of a consensus system means that there may be consensus to use a client different to Bitcoin Core	13:53
fluffypony	and that should, at the very least, be respected	13:53
adam3us	fluffypony: it is both true that you should not do this (implement alternate consensus code AND encourage > 50% miners to use it OR ( encourage < 50% miners + clients) while also true that it would be better if bitcoin consensus was specification based with a tight formally verifable interpreter and a standardised "consensus byte code implementation" string. people would like to do that but	13:53
kanzure	adam3us: you are still experiencing cutoff methinks	13:53
adam3us	fluffypony: client alone, yes thats caveat emptor	13:53
adam3us	kanzure: clients) while also true that it would be better if bitcoin consensus was specification based with a tight formally verifable interpreter and a standardised "consensus byte code implementation" string. people would like to do that bu	13:53
fluffypony	yeah I saw cut off at "people would like to do that but"	13:54
-!- hktud0 [ncidsk@ip-188-121-63-164.ip.secureserver.net] has joined #bitcoin-wizards		13:54
-!- hktud0 [ncidsk@ip-188-121-63-164.ip.secureserver.net] has quit [Changing host]		13:54
-!- hktud0 [ncidsk@unaffiliated/fluffybunny] has joined #bitcoin-wizards		13:54
adam3us	fluffypony: (yes i type six lines then go to next msg or i get chopped) but it doesnt help move us closer to that to blow up bitcion with a catastrophic fork while people are working towards that.	13:54
kanzure	there are some subtleties that would be missed here if "control freak" is the only explanation you can use	13:54
kanzure	adam3us: you should consider installing an irc client or a plugin for your irc client to split lines of text	13:55
adam3us	kanzure: yeah there is a plugin but lazy.	13:55
-!- Keefe [~Keefe@unaffiliated/keefe] has quit [Ping timeout: 256 seconds]		13:57
-!- eslbaer [~eslbaer@p579E94C3.dip0.t-ipconnect.de] has quit [Ping timeout: 256 seconds]		13:58
-!- roasbeef [~root@104.131.26.124] has quit [Ping timeout: 256 seconds]		13:59
-!- wiz [~sid1@d06f3063.wiz.network] has quit [Ping timeout: 256 seconds]		13:59
-!- JonTitor [~superobse@unaffiliated/superobserver] has quit [Ping timeout: 256 seconds]		13:59
-!- Fistful_of_Coins [~o3u@162.243.79.19] has quit [Ping timeout: 256 seconds]		13:59
adam3us	kanzure: dont do that its dangerous seems like a fair comment no?	14:05
fluffypony	ok so maybe I'm oversimplifying, kanzure and adam3us, but how is it any different from everyone deciding not to update a version because of the inclusion of some rule or change they disagree with and the network forks as a result?	14:05
-!- kgk_ [~kgk@76.14.85.43] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]		14:05
kanzure	"everyone deciding not to update a version"?	14:05
adam3us	fluffypony: that doesnt happen because upgrades are soft-forks for this reason	14:05
fluffypony	*update to a version	14:05
-!- cluckj [~cluckj@cpe-24-92-48-18.nycap.res.rr.com] has joined #bitcoin-wizards		14:05
kanzure	"everyone deciding not to update to a version"?	14:05
kanzure	we were talking about forks i thought	14:05
adam3us	fluffypony: backwards compatible = soft-forks	14:05
fluffypony	so there will be no hard forks ever in future?	14:05
fluffypony	hearn won't be happy about that :-P	14:05
adam3us	fluffypony: they are much riskier and require a full-on flag day which is hard to enforce in a p2p network.	14:05
adam3us	whats the history - has bitcoin ever had a hard fork?	14:05
fluffypony	yes several	14:06
-!- wiz_ [~sid1@d06f3063.wiz.network] has joined #bitcoin-wizards		14:06
adam3us	fluffypony: its not a principle thing - in many ways it would be nice to clean up some stuff, but its more dangerous to do a planned one (or unplanned) than soft-forks.	14:06
-!- Keefe_ [~Keefe@unaffiliated/keefe] has joined #bitcoin-wizards		14:06
-!- Sub\|afk [~SubCreati@c-76-121-19-166.hsd1.wa.comcast.net] has joined #bitcoin-wizards		14:06
kanzure	an unplanned fork caused by btcd miners would be pretty bad :/	14:06
adam3us	fluffypony: i would presume all of them have been bug fixes.	14:06
kanzure	"unplanned" could also mean "indistinguishably adversarial" of course...	14:06
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-kuymeqzypvivcubp] has quit [Ping timeout: 244 seconds]		14:06
fluffypony	either way, a broadcast tx would be received by both sides of the fork, so in general you get the diminutive fork that ends up just petering off into non-existence	14:06
fluffypony	I also think that it's unavoidable - if someone releases a competing client and provides a compelling enough reason to switch, what are you going to do?	14:06
-!- roasbeef_ [~root@104.131.26.124] has joined #bitcoin-wizards		14:06
kanzure	hmm, i'm not sure transactions are relayed between forks forever	14:06
-!- koshii_ [~0@c-68-58-151-30.hsd1.in.comcast.net] has joined #bitcoin-wizards		14:06
kanzure	*between nodes running on different forks	14:06
kanzure	don't the nodes eventually permaban each other?	14:06
-!- o3u [~o3u@162.243.79.19] has joined #bitcoin-wizards		14:06
-!- o3u [~o3u@162.243.79.19] has quit [Changing host]		14:06
-!- o3u [~o3u@unaffiliated/o3u] has joined #bitcoin-wizards		14:06
fluffypony	kanzure: afaik old clients will only reject broadcast transactions / blocks that fail validity, not standardness	14:06
adam3us	fluffypony: if the clients fork the risk is self-contained they either break (dont receive payments) or they get abused (if they misunderstand tx and they lose money and switch). they dont screw up the network.	14:06
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-wsfmitseaigtaivo] has joined #bitcoin-wizards		14:06
fluffypony	adam3us: so maybe I'm being dumb, but I'm not understanding how that scenario is different from a btcd-originated fork?	14:06
-!- OneFixt_ [~OneFixt@unaffiliated/onefixt] has joined #bitcoin-wizards		14:06
-!- eslbaer_ [~eslbaer@p579E94C3.dip0.t-ipconnect.de] has joined #bitcoin-wizards		14:06
adam3us	fluffypony: say btcd gets > 50% of the mining network, they could screw up the network with confused tx that are exploitable and wreck things for everyone not just people who opted to use experimental software	14:06
kanzure	can you elaborate on "confused tx" specifically	14:06
michagogo	00:02:02 <fluffypony> kanzure: afaik old clients will only reject broadcast transactions / blocks that fail validity, not standardness	14:06
fluffypony	I would hope that by the time they get to > 50% of the network their software is worthy of > 50%, which means it is significantly more robust than "experimental"	14:06
michagogo	There's no such thing as "standardness" for blocks	14:06
fluffypony	michagogo: I know	14:06
adam3us	fluffypony: confused but not so confused to fail validation or the rest of the network ignores them then you get a different outcome btcd clients and full nodes that will listen to one fork and the rest that listen to the other fork.	14:06
fluffypony	michagogo: but blocks contain transactions - the rules are the same for including a block that contains transactions that fail validity	14:06
-!- wiz_ is now known as wiz		14:06
-!- llllllllll [~lllllllll@53-109.bbned.dsl.internl.net] has quit [Ping timeout: 264 seconds]		14:06
-!- koshii [~0@c-68-58-151-30.hsd1.in.comcast.net] has quit [Ping timeout: 264 seconds]		14:06
-!- SubCreative [~SubCreati@unaffiliated/cannacoin] has quit [Ping timeout: 264 seconds]		14:06
-!- pi07r [~pi07r@f212009.upc-f.chello.nl] has quit [Ping timeout: 264 seconds]		14:06
michagogo	Well, yeah	14:06
-!- pi07r_ [~pi07r@f212009.upc-f.chello.nl] has joined #bitcoin-wizards		14:06
adam3us	fluffypony: theres a difference between "doesnt blow up when we fuzz test it" and the best someone adversarial can do to confuse it	14:06
michagogo	a block that includes an invalid transaction is, of course, invalid	14:06
-!- pigeons [~pigeons@titan.sysevolve.com] has quit [Ping timeout: 250 seconds]		14:06
-!- pigeons [~pigeons@titan.sysevolve.com] has joined #bitcoin-wizards		14:06
fluffypony	I'm uneasy about agreeing with your hypothesis, adam3us, as I think it's a non-issue, and if they garner > 50% of the network then clearly they have the superior client and deserve to do so	14:07
-!- pigeons is now known as Guest61644		14:07
-!- OneFixt [~OneFixt@unaffiliated/onefixt] has quit [Ping timeout: 250 seconds]		14:07
adam3us	fluffypony: so you know how its hard to have complex sw without undefined or unusual or overflow etc behavior? its like that but worse - all the attacker has to do is find any difference in interpretation for something valid and constructible on bitcoin and they can steal money fast of btcd users.	14:07
fluffypony	I don't think that their client at the hypothetical 50% stage is more at-risk than Bitcoin Core is right now	14:07
adam3us	fluffypony: you're wrong i'm pretty sure.	14:07
kanzure	it's not their client, it's the people using the client, right?	14:08
-!- Dizzle [~Dizzle@2605:6000:1018:c0f5:e90b:3bb9:f53b:cf8d] has joined #bitcoin-wizards		14:08
kanzure	i mean, it's the number of parallel forks increasing from 1 to >1 that is the real problem	14:08
adam3us	fluffypony: as i wrote above "they still dont seem to see the fork risk, or alternatively claim the see and understand it fine but its not a problem, or no more of a problem for btcd vs bitcoin fork compared to bitcoin vs itself — which is bollocks."	14:09
kanzure	that is not a good argument because someone will just say "arguably at x% of the network it is not bitcoind vs bitcoind it's btcd vs btcd" or something	14:10
-!- OneFixt_ is now known as OneFixt		14:10
adam3us	fluffypony: the thing is bitcoin may have some weird behavior lurking in its consensus or other code, but its self-consistent - its weirdly behaving on all nodes. with btcd that automatically becomes a disastrous fork bug that could just about destroy bitcoin. i really doubt they'd have found them all that is really hard. anyone who knows anything about bitcoin core programming would tell you that.	14:11
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-wsfmitseaigtaivo] has quit [Ping timeout: 255 seconds]		14:11
adam3us	fluffypony: given from what i heard it took a long time to even get them to acknowledge fork risk as a problem - that doesnt exactly speak of top fight adversarial thinking nor security audit experience of the kind that finds zero days. not confident _at all_.	14:12
-!- JonTitor [~superobse@unaffiliated/superobserver] has joined #bitcoin-wizards		14:12
fluffypony	adam3us: I don't disagree with that assertion, but I do think that it's a not worth making a fuss about - the majority of the network are too risk-averse to use their client, and if it's compelling enough to use that > 50% of the network uses it, well then all hail our great Conformal gods.	14:12
adam3us	fluffypony: if you add in that they're _still_ arguing its not a problem after people spent a bunch of time ELI5ing them.. its downright scary no?	14:12
-!- e1782d11df4c9914 [~e1782d11d@193.138.219.233] has joined #bitcoin-wizards		14:13
-!- mkarrer [~mkarrer@135.Red-83-52-38.dynamicIP.rima-tde.net] has joined #bitcoin-wizards		14:13
-!- ebfull [~ebfull@c-76-120-40-34.hsd1.co.comcast.net] has quit [Quit: cya]		14:13
adam3us	fluffypony: that assumes miners are on their A-game. a lot of miners are not super sophisticated - plug in electricity - print bitcoins - profit	14:13
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards		14:13
-!- ebfull [~ebfull@c-76-120-40-34.hsd1.co.comcast.net] has joined #bitcoin-wizards		14:13
fluffypony	adam3us: the majority of miners don't have a say in the matter	14:13
kanzure	fluffypony: a fork like that would be very damaging, it's not about who gets to be god	14:13
adam3us	fluffypony: maybe a charm offensive or a side contract from conformal could fix that real fast.	14:13
-!- Guest61644 is now known as pigeons		14:13
adam3us	fluffypony: they'd only have to convince 2 or 3 people.	14:14
adam3us	fluffypony: sure it does, if 50% of miners are running btcd and some people are using btcd related clients we have a live nuke ready to go	14:14
fluffypony	I'm not even sure what you're replying to anymore	14:15
fluffypony	IRC is a tough mechanism for this ;)	14:15
adam3us	fluffypony: you said "the majority of miners don't have a say in the matter"	14:15
adam3us	fluffypony: i said sure the miners control what software they are running	14:15
fluffypony	and you said "sure it does", which is either a grammatical faux pas or nonsensical, hence my confusion :)	14:16
fluffypony	miners don't control the software that mines the block	14:16
fluffypony	they use mining software	14:16
fluffypony	the mining pool is the thing that dictates it	14:16
kanzure	haha	14:16
adam3us	fluffypony: pedantic much?	14:16
fluffypony	no no, not pedantry - I'm actually acknowledging your earlier point about them having to convince "2 or 3 people"	14:17
-!- NewLiberty [~NewLibert@76-255-129-88.lightspeed.irvnca.sbcglobal.net] has joined #bitcoin-wizards		14:17
kanzure	large miners just operate their own pool, so that difference doesn't matter	14:17
adam3us	fluffypony: anyway i hope you see why its a reasonable question to ask btcd what they're trying to do.	14:17
fluffypony	sure	14:17
adam3us	kanzure: right	14:17
fluffypony	kanzure: nonsense, the "unknown" block is only 19% at the moment	14:18
adam3us	fluffypony: ok (I'm actually acknowledging your earlier point about them having to convince "2 or 3 people")	14:18
kanzure	fluffypony: huh?	14:18
fluffypony	80% of miners mine at known pools, kanzure	14:18
fluffypony	https://blockchain.info/pools	14:19
kanzure	why would it matter if you already know the pool? wtf	14:19
adam3us	fluffypony: s/miners/pools/ same story	14:19
kanzure	there's a principle agent problem with mining software	14:19
kanzure	... possibly not the right classification, but it's there heh	14:19
adam3us	kanzure: yeah Luke-Jr is working on fixing that.	14:20
kanzure	it's the mining software that is mining, not the miners that are paying the bills, etc.	14:20
kanzure	"do what i say not what i mean" or something	14:20
* kanzure pages larry wall for clarification		14:20
adam3us	kanzure: meaning separating voting from hashrate, so you can pool while chosing your own blocks.	14:21
kanzure	oh, i am probably talking about something different	14:21
kanzure	a miner (person) can have whatever intentions, but still install software that does something contrary to whatever delusions	14:21
kanzure	oh, you're talking about principle agent problems with pools, that sounds neat	14:23
-!- bektar [~jakob@c-46-162-82-69.cust.bredband2.com] has quit [Quit: Lämnar]		14:24
-!- belcher [~belcher-s@5ec1ab86.skybroadband.com] has joined #bitcoin-wizards		14:26
-!- belcher [~belcher-s@5ec1ab86.skybroadband.com] has quit [Changing host]		14:26
-!- belcher [~belcher-s@unaffiliated/belcher] has joined #bitcoin-wizards		14:26
kanzure	adam3us: do you think it would be wise to advise users of btcd or other alternative implementations to wait for double all the typical recommended confirmation counts? or would that not be helpful	14:27
kanzure	i don't know why i picked double	14:27
adam3us	kanzure: its probably going to fail on human time and have devs up 40hrs straight trying to figure out a work-around. i dont think there's a safe usable parameter	14:27
-!- e1782d11df4c9914 [~e1782d11d@193.138.219.233] has quit [Ping timeout: 264 seconds]		14:30
adam3us	kanzure: btcd could help work on libconsensus if they want to be useful. or use bitcoin consensus code.	14:30
kanzure	is libconsensus different from libbitcoinconsensus	14:31
adam3us	kanzure: i mean that what ever its called.	14:32
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-uweidbluouduuyxn] has joined #bitcoin-wizards		14:32
kanzure	right, okay. just keeping track and all.	14:32
-!- SDCDev [~quassel@unaffiliated/sdcdev] has joined #bitcoin-wizards		14:37
-!- SDCDev [~quassel@unaffiliated/sdcdev] has quit [Read error: Connection reset by peer]		14:37
-!- SDCDev [~quassel@unaffiliated/sdcdev] has joined #bitcoin-wizards		14:38
-!- null_radix [Elite7851@gateway/shell/elitebnc/x-mawwowtwotvngbmy] has quit [Read error: Connection reset by peer]		14:38
-!- null_radix [Elite7851@gateway/shell/elitebnc/x-qaupwlpaurmefgrc] has joined #bitcoin-wizards		14:42
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards		14:43
phantomcircuit	<fluffypony> if one of those alternate clients (or Bitcoin core) has a bug unique to it...well, fuck, it's a bug, people who are risk averse won't be using a non-core client anyway	14:44
phantomcircuit	iirc they have been actively attempting to get people to use btcd	14:45
adam3us	phantomcircuit: right i heard that somewhere probably here. so again it raises the question of why, and who funded them, and whats the profit or other motive.	14:46
adam3us	i guess one version of the counter is to go bleat to coindesk :) sort of what people do as an alternative to bleating to reddit :)	14:46
phantomcircuit	heh	14:49
-!- luny` is now known as luny		14:51
-!- shesek [~shesek@IGLD-84-228-189-223.inter.net.il] has joined #bitcoin-wizards		14:52
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards		14:53
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang]		14:56
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards		15:00
-!- Elio20 [~elio19@gateway/tor-sasl/elio19] has joined #bitcoin-wizards		15:01
-!- Elio19 [~elio19@gateway/tor-sasl/elio19] has quit [Ping timeout: 250 seconds]		15:04
-!- wiz_ [~sid1@d06f3063.wiz.network] has joined #bitcoin-wizards		15:06
-!- wiz [~sid1@d06f3063.wiz.network] has quit [Ping timeout: 272 seconds]		15:07
-!- wiz_ is now known as wiz		15:07
-!- paveljanik [~paveljani@unaffiliated/paveljanik] has quit [Quit: This computer has gone to sleep]		15:08
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has joined #bitcoin-wizards		15:12
op_mul	phantomcircuit: adam3us: I think part of the problem is that people don't know why running non-core software is dangerous. I'm sure all it would take to fork bitcoin-ruby or btcd off the network would be peter todd having a lazy weekend.	15:14
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]		15:14
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has joined #bitcoin-wizards		15:15
michagogo	op_mul: pretty sure the former has forked off several times	15:16
op_mul	oh heaps of times	15:17
-!- benten [~benten@unaffiliated/benten] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]		15:18
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards		15:20
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has quit [Quit: pgokeeffe]		15:23
-!- fanquake [~anonymous@unaffiliated/fanquake] has joined #bitcoin-wizards		15:24
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has joined #bitcoin-wizards		15:36
-!- agorist0000 [~fircuser@97.95.172.50] has joined #bitcoin-wizards		15:38
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 256 seconds]		15:39
-!- Aquent1 [~Aquent@gateway/tor-sasl/aquent] has joined #bitcoin-wizards		15:42
-!- narwh4l [~michael@unaffiliated/thesnark] has quit [Remote host closed the connection]		15:43
-!- Aquent [~Aquent@gateway/tor-sasl/aquent] has quit [Ping timeout: 250 seconds]		15:43
agorist0000	Has anyone ever tried the second two party multisig escrow method described in this blogpost? http://opine.me/future-of-bitcoin-escrow/	15:45
agorist0000	I'm considering using it to construct a new marketplace project in the near future.	15:46
belcher	agorist0000 i havent used it for a real economic transaction, but its been pretty well known for more than a year	15:46
belcher	you can use this to do it http://coinb.in/multisig/	15:46
belcher	www.bitrated.com is another project with it	15:47
agorist0000	Would there be demand for such a market? Similar to Bitmarkets, but using this different escrow method.	15:47
belcher	you might want to look up the openbazaar project	15:50
-!- Profreid [~Profreitt@gateway/vpn/privateinternetaccess/profreid] has quit [Quit: Profreid]		15:51
agorist0000	Does open bazaar offer this type of 2party escrow?	15:51
belcher	yes	15:52
belcher	it does some other nice stuff, proof of burn to buy your reputation, so you send bitcoins to an unspendable address, and the more bitcoins a merchant has burned the more you can trust them, since they've invested a lot in their merchant identity	15:52
agorist0000	Can you point me to any sources for this claim?	15:52
belcher	/join #openbazaar	15:53
-!- catlasshrugged [~satoshi-u@65.209.60.146] has joined #bitcoin-wizards		15:53
op_mul	belcher: what. burning money gives you a reputation?	15:53
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has quit [Ping timeout: 240 seconds]		15:53
belcher	i think thats how it works	15:53
belcher	idea is it costs money for the merchant to constantly make new identities	15:54
gwillen	I assume there's also a way to rate merchants	15:54
belcher	oh yes	15:54
gwillen	that's necesasry for that kind of scheme to function	15:54
op_mul	right off the bat, I can tell you that those with the intent to defraud will be in the best position to do that.	15:54
belcher	you can start a merchant account without burning anything, give you real life identity perhaps to get reputation	15:54
belcher	or do small deals first to build rep	15:54
gwillen	op_mul: if people are smart, such a scheme should work well -- if someone has a perfect feedback record and a burn of 1 BTC, you should be pretty safe doing deals under 1 BTC with them	15:55
gwillen	op_mul: if you do a 10 BTC deal, of course that doesn't protect you	15:55
gwillen	(of course, people aren't smart, but.)	15:55
op_mul	I think that sort of system falls in the same way that hashcash failed. it hampers honest people if you make the difficulty high enough to be an obstruction to a professional.	15:55
gwillen	that could well be true	15:56
-!- SDCDev [~quassel@unaffiliated/sdcdev] has quit [Read error: Connection reset by peer]		15:56
gwillen	I think more likely who it favors is large but honest businesses, over small but honest ones	15:56
gwillen	since the former can put up much larger burns (or bonds, in a bond system) than the latter	15:56
-!- MoALTz_ [~no@user-46-112-49-198.play-internet.pl] has joined #bitcoin-wizards		16:00
-!- agorist0000 [~fircuser@97.95.172.50] has quit [Remote host closed the connection]		16:00
-!- agorist0000 [~fircuser@97.95.172.50] has joined #bitcoin-wizards		16:01
-!- MoALTz [~no@user-46-112-49-198.play-internet.pl] has quit [Ping timeout: 244 seconds]		16:02
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has joined #bitcoin-wizards		16:05
-!- agorist0000 [~fircuser@97.95.172.50] has quit [Remote host closed the connection]		16:15
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has quit [Ping timeout: 240 seconds]		16:18
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang]		16:25
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has joined #bitcoin-wizards		16:35
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has quit [Ping timeout: 255 seconds]		16:39
-!- Adlai` [~Adlai@gateway/tor-sasl/adlai] has joined #bitcoin-wizards		16:44
-!- Adlai [~Adlai@gateway/tor-sasl/adlai] has quit [Ping timeout: 250 seconds]		16:45
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards		16:48
-!- jtimon [~quassel@34.pool85-59-141.dynamic.orange.es] has quit [Ping timeout: 244 seconds]		16:51
adam3us	who made the first altcoin?	16:51
belcher	i believe it was namecoin	16:52
-!- cpacia [~chris@2601:6:1f81:6620:8508:8707:10ea:a953] has joined #bitcoin-wizards		16:52
adam3us	hmm ok nm. not making my case as its non-clone. oh well.	16:52
belcher	litecoin is probably the second	16:52
adam3us	nah there was one before litecoin, litecoin is a clone of it, it was by artForz and called??	16:53
op_mul	tenebrix.	16:53
adam3us	tenebrix	16:53
adam3us	there we go yes.	16:53
adam3us	but i was imagining there were many more before?	16:53
op_mul	http://mapofcoins.com/	16:53
adam3us	oho solidcoin SC or IXC	16:54
adam3us	https://bitcointalk.org/index.php?topic=38453.0	16:55
adam3us	that'll do solidcoin is kind of infamous the one Luke-Jr killed :)	16:56
op_mul	wasn't that coiled coin?	16:56
adam3us	op_mul: sorry yes you're right	16:56
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang]		16:58
-!- catlasshrugged [~satoshi-u@65.209.60.146] has quit [Remote host closed the connection]		17:02
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has joined #bitcoin-wizards		17:04
kanzure	adam3us: does testnet count as an altcoin?	17:13
michagogo	And how about Luke's TBC?	17:21
op_mul	TBC isn't an altcoin, it's just a client that changes the rendering of the values.	17:21
michagogo	op_mul: Luke would disagree :P	17:22
michagogo	(I think I agree with you, though)	17:22
Luke-Jr	gotta think it through :P	17:25
-!- hashtag [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has quit [Ping timeout: 240 seconds]		17:27
-!- koshii_ [~0@c-68-58-151-30.hsd1.in.comcast.net] has quit [Quit: leaving]		17:33
-!- koshii [~0@c-68-58-151-30.hsd1.in.comcast.net] has joined #bitcoin-wizards		17:35
-!- koshii [~0@c-68-58-151-30.hsd1.in.comcast.net] has quit [Client Quit]		17:37
-!- koshii [~0@c-68-58-151-30.hsd1.in.comcast.net] has joined #bitcoin-wizards		17:37
-!- benten [~benten@unaffiliated/benten] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]		17:51
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has joined #bitcoin-wizards		17:58
adam3us	this was the reason why… https://bitcointalk.org/index.php?topic=911339.new#new	17:59
kanzure	adam3us: hmm, i thought the reason why people made these forks was because they wanted a separate ledger to take advantage of people's inability to keep track of which ledger or blockchain they should be using. the supply function parameter fiddling is separate, i think.	18:07
adam3us	kanzure: i'm pretty confident that if they were was no economic incentive they wouldnt have opened their compiler.	18:08
adam3us	kanzure: my point is you can scale bitcoin and its better to use a single unit of account for network effect reasons, and really there is a simple method to value a coins cost and compare that to bitcoins, and yet people are paying huge multiples of that cost for less utility.	18:11
kanzure	presumably they are paying those huge multiples because of the separate ledgers they are speculating on, not because they value proof-of-work bitcoin scarcity less than some speculative alternative they forgot to evaluate	18:12
adam3us	kanzure: you have to hope most people are speculating knowing its a zero sum thing and hoping to get out before it crashes as there is no way most of these things could last long.	18:13
kanzure	well, actually, it's quite possible that people are literally doing coin cost evaluations as you say, i suppose	18:13
adam3us	kanzure: most alts have no wallets, no merchant integration, no transactions (other than speculating on cryptsy etc)	18:14
kanzure	hmm so my alternative, which i admit i am not good at expressing, is related to how an onboarding user knows whether or not they are actually using the bitcoin blockchain (or any other blockchain) (or why they should prefer one blockchain to another for their commerce/transactions/business)	18:14
adam3us	the other point about the pacman game is the features of the coin are separable from it	18:14
kanzure	right, so basically it's obvious that they are hoping that others will also choose this other blockchain as a speculation on future integration	18:15
kanzure	and it's not so much about the cost per coin	18:15
adam3us	but the feature can be copied to any coin, so why would someone value a new coin	18:15
kanzure	oh, for the incentive reasons you identified above, right? speculation on integration/adoption	18:16
kanzure	*for the same	18:16
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has quit [Quit: pgokeeffe]		18:17
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]		18:17
adam3us	wouldnt it make sense to go play roulette or synthetic stock wars or something?	18:17
kanzure	i agree with you that it's crazy, i'm just nitpicking about what they are probably thinking about (not so much the cost per coin specifically)	18:17
kanzure	yeah, probably, but i doubt people have ridiculously easy access to that often	18:18
adam3us	well if any of them are genuinely suckered into thinking black gold coin is going somewhere they're going to get ripped off.	18:18
kanzure	one anecdote i keep bringing up is a buddy of mine after being introduced to bitcoin on day two became a day trader for some reason, the guy never did any forex or currency day trading in his life before that point	18:18
adam3us	my wifes cousin got cold called by some boilerroomers trying to sell him black gold coin. he went to his bank and they told him they wouldnt send the money because the recipient account was blacklisted as probably fraud. (he's a bit of a sucker)	18:19
kanzure	(when i pointed this out to him he realized the error he had made and then promptly forgot why he did that)	18:19
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has joined #bitcoin-wizards		18:19
adam3us	if you read the web page for black gold coin its talking crazy stuff, that the coin is backed by a virtual element called black gold.	18:20
kanzure	wait, i remember now, it was something about "well if you sell and then buy back, you can make money obviously, duh" (i'm paraphrasing)	18:20
adam3us	its gamified. cryptsy needs to unplug from actual coins and go pure synthetic virtual mining virtual coins that exist no where, and are not mined.	18:20
kanzure	right, i think zynga should look into that for sure	18:21
kanzure	that can be cryptsy's exit strategy!	18:21
kanzure	i'm trying to think of any way for me to dig up data to confirm my statements above regarding "it's more about speculation on alternative-blockchain integration/adoption" but i dunno where i would find that, maybe deep in some awful bitcointalk threads...	18:23
kanzure	i mean, clearly with on adoption the price per coin doesn't matter anyway, because you wont be able to sell it to anyone ever by definition	18:24
kanzure	*without adoption	18:24
adam3us	i mean it has to be one of 3 things or a combination right: knowing speculation, unknowing speculation/investment, or confusion about utility being attached to a coin as if code cant be copied.	18:24
kanzure	oh maybe i meant *with zero adoption	18:24
adam3us	yes. well a tell tale sign is spammy marketing drives. a guy jumped into the middle of a technical bitcointalk thread yesterday to pump som especial offer for getting stellar handouts.	18:25
adam3us	give aways, marketing stories, professionally edited videos, nice websites, etc its completely transparent.	18:26
kanzure	ah right, the giveaways are a good example to reason from	18:26
op_mul	kanzure: I don't think crypsty needs an exit strategy. they make bank from the fees alone.	18:28
-!- ysangkok [janus@hapy.0x90.dk] has joined #bitcoin-wizards		18:33
kanzure	although, on the other hand, the integration speculation is much more obviously a bad bet	18:34
kanzure	so you'd have to ask why it happens if that's what's going on	18:34
kanzure	(compared to adam3us's notes about pricing of scarcity and quantum magic)	18:35
adam3us	kanzure: there are some real suckers. my wife's cousin tried to wire these black coin boiler room people money. his bank protected him. they're non technical and heard of bitcoin. or they feel the mised out on early adoption and maybe this one is different.	18:35
adam3us	kanzure: bryce weiner is a good example of a guy pumping stuff. he's always talking up some coin or other with faux analysis	18:36
op_mul	adam3us: shut up and read some published content on how to evaluate altcoins. https://github.com/aantonop/bitcoinbook/blob/develop/ch09.asciidoc	18:37
adam3us	op_mul: it must be right its written by bitcoin expert antonopoulos!	18:38
kanzure	someone should definitely do a writeup of an explanation of how to evaluate altcoin opportunities, and include a factor like "technicalities that i am not familiar with" that has like a 99.9999% weight	18:38
op_mul	adam3us: honestly give it a read, you'll be in tears.	18:38
op_mul	some of the altcoins suggested don't even have consensus methods at all.	18:39
-!- cpacia [~chris@2601:6:1f81:6620:8508:8707:10ea:a953] has left #bitcoin-wizards []		18:39
adam3us	op_mul: lol consensus innovation. i imagine its all broken. seriously someone should fork the crap out of it. or its completely centralised.	18:39
adam3us	kanzure: so reading that.. what do you think the author was thinking?	18:40
op_mul	"Since then, innovation in the consensus mechanism has continued at a frenetic pace. Several alt coins adopted a variety of algorithms such as scrypt, scrypt-N, Skein, Groestl, SHA3, X11, Blake, and others."	18:40
kanzure	adam3us: reading what, sorry?	18:40
adam3us	op_mul: link op_mul posted	18:40
kanzure	"i have to be careful writing about this topic or else my audience will lynch me and i will lose face"	18:40
kanzure	i'd imagine that some calculation like that went through his head for this section (are we sure he didn't just pay someone to write his book for him?)	18:41
adam3us	i mean either they unbelievably naive or they're like the like people selling cheap plastic stuff on those us tv channels with nothing but marketing fluff for useless junk that'll break within hours	18:41
op_mul	I think it's actually a list of the altcoins he has bought into.	18:41
adam3us	omfg u think? well the git checkin has another name so maybe it was ghost written	18:42
op_mul	adam3us: no, that's the "editor" (who missed spelling mistakes).	18:42
adam3us	https://github.com/myarbrough	18:42
kanzure	https://github.com/aantonop/bitcoinbook/commit/6d94cc23311ffa87289c9ad17cd4eec6c37db892	18:43
kanzure	https://github.com/aantonop/bitcoinbook/commits/develop/ch09.asciidoc?page=2	18:43
adam3us	Many are just get-rich-quick schemes by their creators. To evaluate alt coins, I look at their defining characteristics and their market metrics.	18:44
adam3us	Here are some of the key financial and market metrics to consider:	18:44
adam3us	•What is the total market capitalization of alt coin?	18:44
adam3us	•How many estimated users/wallets does the alt coin have?	18:44
adam3us	•How many merchants accept the alt coin?	18:44
adam3us	•How many daily transactions (volume) are executed on the alt coin?	18:44
adam3us	•How much value is transacted daily?	18:44
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards		18:44
adam3us	holy moly.	18:45
gmaxwell	Does that list have any item in it that cna't be trivially faked?	18:45
adam3us	sorry antonopoulos credibility just dropped	18:45
op_mul	he had any to begin with?	18:45
kanzure	op_mul: so do you think it is more likely that it is his list of altcoins he has bought/got paid in, or any chance that he was just trying to avoid getting lynched by altcoiners to keep them from torpedoing him?	18:46
-!- everettForth [~everett@c-69-181-97-171.hsd1.ca.comcast.net] has joined #bitcoin-wizards		18:47
adam3us	i think he maybe went through a pro-alt phase	18:47
gmaxwell	My expirence is that altcoiners will usually leave you alone if you leave them alone; you only get attacked if you mention something that might influence them... and deaththreats and such seem to take actually calling them out by name.	18:48
kanzure	ah	18:48
op_mul	kanzure: there was some comments on this from him when he published the first draft, lots of outcry that he didn't pump whatever altcoin. I think it's just a list of ones he owns, CureCoin and GridCoin for instance don't even have proof of work.	18:48
* adam3us sleeps		18:48
op_mul	well they do, but it's not related to their stated aims of BOINC and folding@home.	18:48
kanzure	adam3us: i think that to outsiders the "control freak" label is warranted because never have people been exposed to people being so critical about the differences between connecting to one server implementation or another for "blockchain data"	18:49
kanzure	adam3us: it may be helpful to explain more generally why being on the same blockchain is so important. this may not be obvious to others.	18:49
kanzure	(important to users, i mean)	18:49
kanzure	or rather, why it should be important to users	18:49
gmaxwell	I've had pretty good luck in 1:1 discussions impressing on people some of the scope and challenge of consistency in consensus implementations; and the significant dangers of reimplementing. But 1:1 doesn't scale, and any time I've said anything not 1:1 I've been treated pretty rudely by people who zip to simpler assumptions about my motivations.	18:51
op_mul	can anybody actually defend implementations? as far as I can see it's all negatives.	18:54
kanzure	eh, learning tool? as long as nobody uses it	18:54
op_mul	pretty rough learning tool	18:56
kanzure	reimplementing something is often a good way to spot your own errors	18:56
gmaxwell	Like a lot of things, it's just not worth talking about. Somewhat similar to the issue with altcoins in fact; if I see some altcoin is doing something I think is incorrect or outright dishonest and I speak up; I'm taking a risk that I'll be attacked with things like death threats. About the most I can safely do is speak generically so that no one is threatened. (By expirement I've found some gene	18:56
gmaxwell	ral patterns where I can go beyond that without trouble, but it's generally true) ... and ... I personally gain _nothing_ from pointing out why this or that claim is probably spurrious; at least nothing beyond the amorphous feeling of maybe helping my fellow man not make a bad decision.	18:56
gmaxwell	kanzure: yes, its a great documentation excercise to rewrite something and throw the result out. Though I'm surprised and concerned that of the reimplementers only bluematt and roconnor seems to have discovered and reported a considerable amount of latent behavior.	18:58
BlueMatt	"considerable"	18:58
op_mul	kanzure: sure, but for something like bitcoin reimplementations it's a hell of a lot of work to get to the point where you can actually find anything interesting.	18:58
kanzure	what counts as considerable here, BlueMatt	18:58
BlueMatt	notice even minor things and actually report them	18:59
gmaxwell	kanzure: considerable may be basically more than zero.	19:00
kanzure	wonderful	19:01
-!- everettForth [~everett@c-69-181-97-171.hsd1.ca.comcast.net] has quit [Ping timeout: 244 seconds]		19:03
-!- benten [~benten@unaffiliated/benten] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]		19:04
-!- jcluck [~cluckj@cpe-24-92-48-18.nycap.res.rr.com] has joined #bitcoin-wizards		19:34
-!- cluckj [~cluckj@cpe-24-92-48-18.nycap.res.rr.com] has quit [Ping timeout: 255 seconds]		19:37
-!- jcluck is now known as cluckj		19:41
-!- belcher [~belcher-s@unaffiliated/belcher] has quit [Quit: Leaving]		19:41
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has joined #bitcoin-wizards		19:48
-!- eslbaer__ [~eslbaer@p57BCE1FC.dip0.t-ipconnect.de] has joined #bitcoin-wizards		19:49
-!- eslbaer_ [~eslbaer@p579E94C3.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]		19:52
-!- zooko [~user@c-75-70-204-109.hsd1.co.comcast.net] has joined #bitcoin-wizards		19:55
-!- Burrito [~Burrito@unaffiliated/burrito] has quit [Quit: Leaving]		19:58
-!- Tjopper1 [~Jop@dhcp-077-249-237-229.chello.nl] has joined #bitcoin-wizards		20:06
-!- Tjopper [~Jop@dhcp-077-249-237-229.chello.nl] has quit [Ping timeout: 244 seconds]		20:09
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has quit [Ping timeout: 265 seconds]		20:21
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has joined #bitcoin-wizards		20:23
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.]		20:31
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has quit [Quit: Leaving]		20:35
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has joined #bitcoin-wizards		20:48
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has quit [Quit: pgokeeffe]		21:18
-!- bramc [~bram@99-75-88-206.lightspeed.sntcca.sbcglobal.net] has joined #bitcoin-wizards		21:22
bramc	Hey everybody	21:22
kanzure	hello	21:22
bramc	It turns out there's an interesting approach to tackling the electricity problem	21:24
maaku	bramc: the electricity problem?	21:25
bramc	maaku, the problem that mining inevitably winds up producing economic waste equal to the value of the rewards because it gets spent on electricity	21:25
op_mul	I'd call that a core function rather than a problem	21:26
bramc	The potential loophole is to use a calculation which uses no electricity and no time	21:26
bramc	op_mul, The use of resources is a core function, but ideally the calculation would demonstrate depreciation of already extant resources rather than require the sinking of new resources	21:27
bramc	nobody seems curious about my idea	21:31
gwillen	I think we're all assuming you're about to provide it and we're waiting to hear it	21:32
bramc	gwillen, fair enough	21:32
kanzure	and i think you probably lost maaku already :p	21:32
kanzure	given his previous thoughts regarding the universal scarcity of entropy	21:32
maaku	i will hold off my cynacism until he at least explains his idea :P	21:32
gwillen	(I'm curious but skeptical of the idea of demonstrating consumption of an existing resource, in a way where that demonstration can't be reused, without wasting any new resources.)	21:32
kanzure	maaku: no, no, your cynacism amuses me and is totally necessary	21:33
bramc	The various attempts at asic resistance have focused on making the calculation use memory, which makes a fair amount of sense: If you spend time waiting for memory you aren't using electricity during that time, and memory is much more commodity than CPU calculations are	21:34
maaku	i've gotten enough use out of bittorrent to allow bramc a few cycles of my time in good faith	21:34
bramc	The other idea I suggested before is to use proofs of sequential work, aka proofs of time, as essentially placeholders where everybody sits around doing nothing until the proof of time is done	21:35
bramc	These both can do a probably pretty good job of asic resistance, but I think they don't go far enough	21:36
phantomcircuit	gmaxwell, fewer people getting burned by altcoin schemes leaves more people who are still interested in genuine advancements	21:37
phantomcircuit	ut	21:37
kanzure	what were your prior objections to the objections to asic resistance?	21:37
phantomcircuit	improvements to the commons at personal expense and what not	21:37
bramc	What you need is a proof of storage, because storage is vastly more commodity than even memory is: there's basically no way to optimize it more than is already done. and there's lots of it always sitting out there depreciating. And there's a simple proof of storage calculation which can be done. Embarassingly trivial, really.	21:37
phantomcircuit	bramc, except actually using storage is often very expensive	21:37
kanzure	salting isn't enough	21:37
bramc	kanzure, I have nothing against asic resistance, it's a worthy thing, the problem is that it doesn't fix the problem that electricity will be essentially wasted on mining, exactly in accordance with what the mining rewards are	21:38
kanzure	yes i know you have nothing against asic resistance	21:38
kanzure	i was asking about your objections to the objections to asic resistance	21:39
bramc	phantomcircuit, hold on, I'm getting to how to design the proofs of work so that basically nothing other than storage is useful	21:39
gmaxwell	bramc: do you mean https://bitcointalk.org/index.php?topic=310323.0 or more like permacoin?	21:39
bramc	gmaxwell, no nothing like any of those	21:40
phantomcircuit	bramc, so that the storage is useful, but not access times for that storage?	21:41
bramc	Now this gets into the part which is really weird. Absolutely central to my idea is alternation between proofs of storage and proofs of time, with essentially no time at all being used in the proofs of storage and all of it spent in the proofs of time, but the two interacting	21:42
-!- Dizzle [~Dizzle@2605:6000:1018:c0f5:e90b:3bb9:f53b:cf8d] has quit [Quit: brb]		21:43
-!- kgk_ [~kgk@76.14.85.43] has joined #bitcoin-wizards		21:43
bramc	Here's the proof of storage, which might help clarify or make what I'm saying even more mysterious: The proof of storage is a public key whose hash when xored to the hash of the previous proof of time is as small as possible	21:43
bramc	To initialize everything, you fill up all available storage with a list of public keys sorted by their secure hash, the more the better	21:44
bramc	(there are some constant factor improvements on that, but I'll skip over them for now because they don't change anything fundamentally)	21:45
bramc	After you find out the output of the previous proof of time, you go look up the best proof of storage you have locally, use it to sign a new set of transactions, and start giving these to your peers. You re-transmit any record breaking one which peers might send you	21:46
gmaxwell	bramc: I'm not folling your construction. From what you've described, I can work that function with no memory by grinding public keys instead of sequential POW. (e.g. compute one sequential POW, now generate unbounded pubkeys for a match)	21:48
bramc	Meanwhile some people out there have supercooled overclocked machines which are working on the proofs of time. They do a proof of time on the best proof of storage anybody puts out (there's no direct reward for finding a proof of time)	21:48
kanzure	wasn't there a vanitygen grinder proposal at some point	21:49
bramc	gmaxwell, Yes you can do the same calculation by grinding keys, the problem is that takes time, while doing a lookup of storage is instantaneous, and the interaction with the proofs of time makes the grinding approach lose badly, because it falls behind on time	21:50
op_mul	bramc: there is actually an altcoin that does proof of storage.	21:51
op_mul	it has users pre-compute tables of H(nonce + pubkey), and then uses that to salt the previous block hash. the more nonces you have in your lookup table, the more "hashpower" you have.	21:53
gmaxwell	bramc: uh access times are not at all instant; abstractly storage capacity scales much better than throughput/latency due to difference between volume and surface area. I can generate on the order of 20 million pubkeys per second on a single cpu. It's not that hard to beat out storage access times.	21:54
bramc	The interaction with proof of time is that there's a single composite difficulty function for proofs of storage and proofs of time, and alternating steps are paired and their combined value has to be over the threshold. The formula is you take the value of the hash of the mined value of the public key taken from proof of storage, xor it with the output of the last cycle, take 1/x, then multiply that by the number of iter	21:55
bramc	ations the proof of time went through. That gives a composite value which has to be greater than the target	21:55
op_mul	gmaxwell: burstcoin tries to get around that by splitting the table up into "plots" of 4096 based on some feature of the previous block hash. you only end up reading one 4096th of the total data as a result. in their case it's not faster to mine it PoW style, or at least not sensible.	21:57
bramc	gmaxwell, Let's say that a machine has a terabyte of data. With some optimizations that can effectively store 250 billion sorted keys. If you have 10 cpus generating 20 million keys per second, that's 200 million keys/second, so it will take you about 1000 seconds to grind through that amount of public keys. Time to look it up after it's pre-calculated: a few milliseconds	21:57
bramc	op_mul, I haven't heard of burstcoin before, I thought you were talking about permacoin, which does a completely different thing	21:58
phantomcircuit	gmaxwell, not to mention building custom systems optimized specifically for massive concurrent random io access is pretty trivial	21:58
bramc	Although that plots thing is much less effective than what I'm talking about	21:58
op_mul	bramc: be warned, it's a shitty NXT fork. https://bitcointalk.org/index.php?topic=731923.0	21:59
gmaxwell	bramc: so what you're saying is that you do a sequential-POW and then you find the nearest pubkey to have to that output value, and the closeness of the match determines the work-factor of your composite solution?	22:00
phantomcircuit	bramc, asic resistance is whatever, but you really cant assume that other operations cannot be optimized just as much with custom hardware	22:00
bramc	gmaxwell, the closeness of the match determines how much work will be required in the next sequential-POW	22:01
-!- jps [~Jud@68.34.201.156] has joined #bitcoin-wizards		22:01
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has joined #bitcoin-wizards		22:01
phantomcircuit	actually i wonder if there's a commercial solution available for that	22:02
bramc	phantomcircuit, the idea here is that it's dodging the whole issue, the only thing any time is spent on is the sequential-pow	22:02
gmaxwell	bramc: so there is a weird surface there of storage vs sequential speed that have the same apparent performance.	22:02
bramc	gmaxwell, not sure what you mean. The assumption is that the proof of storage is published and anyone running a sequential-pow runs it on whatever thing will result in them finishing fastest	22:03
bramc	and as soon as they finish they blast it out to everybody else	22:03
gmaxwell	So I can fork this to make it parallel. E.g. I make a step but then select the _two_ nearest pubkeys, and start two sequential processes. And then find four new solutions; and then I cull to pick the two best of those.	22:03
gmaxwell	(and of course that same idea expands to whatever level of parallelism I have available)	22:04
bramc	gmaxwell, yes that's what I'm working through now. If you make it so that the sequential-pow is done on the 50th best proof of storage that attack doesn't work very well	22:05
gmaxwell	bramc: the surface comment just meant that if someone had a N times faster sequential processor they would need less storage (not n times less, there is a sqrt somewhere in the formula, but I haven't bothered to figure it out)	22:06
bramc	Oh, yeah, of course you can mine faster if you have a faster sequential-pow. The idea is (a) the sequential-pow will be one which is hard to beat, and (b) to the extent that multiple counterparties all beat it, they wind up screwing each other in mutually assured destruction	22:07
gmaxwell	As far as publishing, well you can't guarentee that an adversarial party will publish anything, esp if it might not be in their interest to do so.	22:07
bramc	because whoever has the next-fastest sequential-pow publishes it as soon as they can to stop there being an advantage to the fastest sequential-pow	22:08
bramc	Sort of like all those VCs thinking they're going to make custom ASICs and get 60% of all mining capacity :-)	22:08
gmaxwell	as an aside this 'helpfully' incentivizes the construction of industrial scale capacity for cracking the public key cryptosystem.	22:09
bramc	Let's assume that the public key cryptosystem is secure	22:09
gmaxwell	assuming they use the capacity to publish instead of instead using it to explore alternative forks to find better hits on their own pubkeys.	22:09
-!- SDCDev [~quassel@unaffiliated/sdcdev] has joined #bitcoin-wizards		22:10
bramc	They lose more from somebody else getting hits faster than they gain from finding faster hits themselves. At least I think that's how it works. I haven't finished analyzing this whole thing	22:10
bramc	I'm a little more concerned with attacks where somebody takes the nth best pubkey they have and uses that because it results in a much better next generation pubkey for themselves, hence my comment about the 50th best pubkey setting the work factor	22:11
gmaxwell	I thought your goal there was to achieve a state where basically anyone could run the sequential part about equally fast thus ensuring that basically no one runs it. Oh I see you want to advertise your hit as fast as possible to get other sequential parties working for you.	22:12
gmaxwell	yea, that was my comment about exploring multiple paths. I think you can use parallel lookahead to get an unbounded speedup in the overall game.	22:13
bramc	Yes the sequential part is designed to try to be asic resistant as well, although that of course has some level of attackability	22:13
bramc	I think I can get parallel lookahead to not work very well, and yeah the idea is that everybody should be incented to blast out their hits both on proof of storage and sequential proof of work as quickly as possible	22:14
bramc	I think if you use the nth best then someone who only has a fraction of the storage capacity loses fairly quickly	22:14
gmaxwell	e.g. say I'm an attacker divorced from the public system, for the moment, and I can run the sequential program just as fast as anyone else, and my storage is typical; but I also can run the sequential 10,000x in parallel, so I just keep exploring the top 10000 total cumulative work paths, hoping to find a very lucky enumeration that takes me further ahead of the network.	22:14
gmaxwell	I don't follow how you would enforce the Nth best?	22:15
op_mul	gmaxwell: I thought that might be possible for burst coin too. same sort of thing as stake grinding, in effect.	22:16
maaku	what are the supposed benefits of this scheme?	22:16
maaku	i thought it was supposed to avoid energy wastage, but we're down in the weeds talking about grinding strategies here	22:16
bramc	In addition to screaming out the very best storage hit, I co-sign it with my n-1 best matches, unless there are some better matches out there which have been sent to me, in which case I send those out. The work factor is determined by the value of the nth best	22:17
gmaxwell	it's energy efficient. The scheme rewards you according to the storage*time you have. ... at least if it prevented grinding strategies.	22:17
bramc	gmaxwell, Yes exactly, and I think I can block grinding strategies	22:17
bramc	if only the very best one is used then grinding works well, if the 50 best are used grinding just fails, because the 50th best match across one's own storage will always be roughly the same	22:19
gmaxwell	okay, but instead of my N-1 I skip every other one. and that allows me two solutions, one with my best and one with my second best, and one where the work factor is the 100th and one where it's the 101st. The fall-off is linear. I don't think it cancels out, because at the end you end up with four new solutiosn not two.	22:19
bramc	Now I'm really not following you	22:20
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]		22:21
gmaxwell	bramc: I generate two solutions, one with (1,3,5...100) and one with (2,4,6,..101). ~100 is half as good as 50, but I can double my storage and be exactly back where I started in terms of sequential throughput, but now I get an alternative history that might be better for me.	22:21
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards		22:21
bramc	I don't think I've made my 50th best idea clear	22:22
gmaxwell	I think you have? you don't just give your best, you give 50 monotonically worsening solutions, and the 50th is used for the difficulty of the next step.	22:23
-!- kgk_ [~kgk@76.14.85.43] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]		22:23
bramc	The idea is that a proof of storage consists of a single very well matching key signing a transaction log, followed by 49 other not quite so well matching keys signing the same transaction log, and the amount of time which must be spent on the sequential-pow is based on the worst of those keys	22:24
gmaxwell	And I show that you can split your deck, taking the 100 top solutions and partitioning in two, to get two answers. And if your storage is doubled your 100th solution is as good as the 50th would have been, but now you get the parallel lookahead advantage.	22:24
bramc	Oh you don't need to partition them that way, you can just make one by 1, 2, 3 ... 50 and the other by 1, 2, 3 ... 48, 49, 51. You can then run lots of small variants in parallel to see which one is best for your own storage	22:25
gmaxwell	I don't think what they sign matters at all, why would you even bother signing with anything but the first? or the 50th? The matching formula has a strong one way function in it.	22:25
gmaxwell	bramc: ah, indeed, I was bogusly assuming that they needed to be disjoint.	22:26
bramc	The problem is that with the 50th best none of them will be a big standout. If you have a small fraction of the total storage capacity the chances of getting lucky with a major standout are like one in a trillion	22:27
bramc	I made up that one in a trillion. I'm running some simulations and really need to do some math at some point	22:27
gmaxwell	Oh I wasn't assuming a gain from the raw luck, I was assuming a gain from parallelism.	22:27
gmaxwell	E.g. what I was suggesting was a way to convert parallel computation into profit for your presumably sequential system.	22:28
bramc	The gain from parallelism has to do with what your chances of getting lucky are.	22:28
bramc	Yes and with the simple single best formula that approach wrecks everything. But with the nth best the parallelism only buys you a very modest advantage unless you almost have a majority to begin with	22:29
-!- SDCDev [~quassel@unaffiliated/sdcdev] has quit [Read error: Connection reset by peer]		22:29
gmaxwell	in any case wrt luck the density of values withing distance X of something is a linear ramp. (it's (2*x)/N)	22:30
bramc	Yes, so if you have 10 times as much storage you expect it to be on average a tenth the value, what you get from the parallelism is the ability to pull out the best outlier for yourself. If it's enough samples in the outliers don't outly very much.	22:31
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has joined #bitcoin-wizards		22:31
bramc	unless i make all my stored pubkeys be clustered... that might throw a spanner in the works	22:32
gmaxwell	yea, thats an interesting point. Make your pubkeys non-uniform. Well it's even worse, because you can probably build something that looks like a rainbow table spanning subspaces of pubkeys. E.g. disk index X begins a chain of pubkeys which are super rich in solutions near x. You need to do a bunch more computation for this but computation is cheap.	22:34
bramc	That would of course require a lot more generation time to fill my storage, but that doesn't sound terribly hard to deal with	22:34
gmaxwell	e.g. you start a key X and you determinstically step from one key to the next. And after some number of steps (say 100ms worth) you compute the centroid of the chainlet. and you store that chain root under that value.	22:35
gmaxwell	you might perform a K medians clustering and store multiple heads to it as well.	22:35
gmaxwell	e.g. this chunk of computation has good solutions for values near X, Y, or Z.	22:35
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]		22:37
gmaxwell	and you do the lookup, repeat the computation, and tada, you get lots of solutions near your target, also this expensive computation is embarassingly parallel, since you can be grinding on many chunks at once.	22:37
bramc	Not sure what you mean, but the attacks are straightforward. If I spend as much cpu filling my storage as would be necessary to fill everybody else's storage, I can cluster my pubkeys well enough to do parallelism to find good matches for myself	22:37
gmaxwell	And you can update your storage over time with increasingly more optimized chainlet nodes.	22:37
gmaxwell	bramc: I'm explaining another kind of tradeoff that lets you do more computation to get a superlinear gain from your storage.	22:38
bramc	oh I'm not following. I'm worrying about the one I said because it seems fairly devastating but would like to know yours as well	22:38
gmaxwell	That instead of storing a map of hash->pubkey you store a map of hash->{family of pubkeys that are more near to hash than you'd expect}.	22:38
-!- HaltingState [~HaltingSt@2605:e000:1318:c1d2:3171:3db5:e035:7037] has joined #bitcoin-wizards		22:39
gmaxwell	What I'm thinking about is kind of inspired by what you are thinking about (assuming I understood it)	22:39
-!- HaltingState [~HaltingSt@2605:e000:1318:c1d2:3171:3db5:e035:7037] has quit [Changing host]		22:39
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has joined #bitcoin-wizards		22:39
bramc	Oh you keep everything sorted, the assumption is that everybody does that. You also do the optimization that instead of storing the whole public key, you have some personal secret salt which is used in your keygen, and what's stored is the four bytes which are combined with the salt to generate the pubkey	22:40
gmaxwell	no I don't. I'm not even storing the family.	22:40
bramc	I'm not following. I'm thinking you basically bucket sort and then look up your best match by going to the location, generating the pubkey, and seeing how good it is	22:41
bramc	Oh I know, the last hash can generate 50 points which you need to be close to instead of a single one	22:44
gmaxwell	E.g. a narrower version that might be easier to explain. I compute pubkeys, I pick a random pubkey and check its hash, then I use that first pubkey as a PRNG seed and generate many more pubkeys (perhaps a million of them) and I sort the set, and if position 50 is sufficiently near position 1, I accept this chainlet and store hash->pubkey in my database.	22:44
gmaxwell	or a million points where you require the best 50 to be close.	22:45
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has joined #bitcoin-wizards		22:45
gmaxwell	and you can constantly refine your storage by running this process and once you're full replacing the nearest match to pubkey1's hash with your new chainlet if your new chainlet is better.	22:45
gmaxwell	kind of a beautiful algorithim. Wish I had a use for it. You should go deploy this system so I can profit from this optimization. :P	22:46
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has quit [Quit: Leaving]		22:46
bramc	Here's the thing: position 50 is never near position 1	22:46
gmaxwell	and it's no worse than the boring way of doing it, since you can just try the 50 nearest tips too.	22:46
bramc	you basically never get particularly good outliers	22:47
gmaxwell	the only thing extra is the extra computation for the million derrived points which is just grinding. Also if the derriviation structure is right you get a sqrt() gain because every internal step can be P1 of a new chainlet.	22:47
bramc	and let's move on to my new idea: that the old sequential-pow specifies 50 positions, and you have to find a nearest match for those 50, and value is based on the worst one	22:48
bramc	The thing you're saying doesn't work, I was just running simulations of basically the same thing and position 50 is always way off.	22:49
gmaxwell	lol	22:49
gmaxwell	go ahead, deploy it then.	22:49
bramc	No I want to understand what you're saying	22:49
gmaxwell	It really does work. And it is strictly no worse for a given amount of computation.	22:49
gmaxwell	Think of if this way, say you have an already computed storage table.	22:50
bramc	A storage table being a sorted list of compressed pubkeys	22:50
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]		22:50
gmaxwell	You're out of space. Then you do some more computation and find a new pubkey for slot X in your storage table. You ask yourself, "is this pubkey the head of a family of pubkeys which is closer to slot X than the one there now?" If so, you replace it. If not you don't.	22:51
gmaxwell	When you do a lookup you don't just look at the nearest and its 50 neighbors, you also expand out (using parallel computation) the neighbors which have, over time, been refined to be closer to their named positions.	22:52
bramc	Yeah that doesn't work: the chances of the family being closer are basically nil. But also I decided to change from the '50th closest' approach because of the other attack I said, so now I'm thinking of using 50 separate points	22:53
gmaxwell	when you sort that list, it has the same 50 members the plain solution would have had, but it also has some additional close members from the process of refinement.	22:53
gmaxwell	it's only basically nil for a single computation run, but it increases the more computation you do for the exact same reason your storage increases. And the computation can be amortized, because each pubkey you generate in the family is another potential root.	22:54
bramc	That said, you might be onto something which makes for a reasonable constant factor improvement in your storage effectiveness, if you really are willing to grind a lot	22:54
gmaxwell	Yes, it's a constant factor related to your additional cumulative grinding time.	22:54
gmaxwell	it's like a rainbow table.	22:54
bramc	Let's forget about the clustering thing now and think about it just as points	22:54
bramc	Because I'm not going to use clustering, because of a much more devastating attack	22:55
bramc	At point k in my table I can either just put something which starts with k there, or I can put something which starts with k and has a hash which is also close to k	22:55
bramc	I mean, one of its near descendants is close to k	22:56
gmaxwell	so okay, what, your squential proof of work selects now 50 points for which you return the nearnest for each and sum their work to get the work of the next sequential?	22:56
bramc	not exactly, the sequential proof selects 50 points which then have to be paired to 50 public keys, where the amount of time for the next sequential is based on the worst match of the 50	22:57
gmaxwell	If so, thats easy to break, becauase you can swap out each of the 50 with the next nearest one at a time and get 50 solutions with approximately the same goodness.	22:57
gmaxwell	okay so I take the worst and then replace it with the second best for that worst position, and get two solutions which are almost equally as hard, that I can explore in parallel.	22:58
bramc	my contention is that that won't particularly help you attack.	22:58
gmaxwell	getting another set of 50 points is like doubling my storage.	22:58
bramc	Right but you can only explore them in parallel on your own storage. I think the kind of attack you're describing is one which improves how much you're getting out of your own storage but doesn't particularly benefit from trying to make a fork	22:58
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has joined #bitcoin-wizards		22:59
gmaxwell	bramc: your whole scheme is supposted to give authority proportional to storage, so if I can play stretegically using parallel computation, I get more authority in my alternative universe.	22:59
bramc	I believe what you're saying is basically at each point get double your utility by storing a value which when used to make multiple derived values has two of them which are very close to the desired value	23:00
gmaxwell	I've left that attack and I'm now talking about your 50 non-clustered points.	23:00
-!- jps [~Jud@68.34.201.156] has quit [Quit: jps]		23:01
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]		23:01
gmaxwell	I'm not talking about any 'rainbow table gain' at this point (though I suppose that still remains)	23:01
bramc	Sorry I was just dealing with a kid having a meltdown, back again	23:02
gmaxwell	you have many instances of the fast sequential process running. when one yeids an answer you use your storage to produce many candidate solutions (by computing the 50 answers, finding the worst and then finding the next best around that wost which is only slightly worst than your prior worst)... you take all these and sort them, and update your parallel processor setup running the SPOW to continu	23:03
gmaxwell	e exploring the N best paths found so far.	23:04
bramc	I'm not sure what your attack is. I'm sure there's some amount of an 'attack' using the stuff I was just talking about, but whether that's a real attack or just reasonable best practices I don't know	23:04
gmaxwell	What I'm describing is somethign that lets someone who can run many copies of the SPOW in parallel gain a potential advantage. Perhaps one copy they'd use publically to keep partitipcating the the honest network, but they keep the others going privately. Maybe this is a "best practice" but then I think the scheme just reduces to convoluted POW.	23:05
bramc	Yes, so for some amount of running in parallel you can get some factor better than what your storage 'should' get based on its size	23:05
bramc	The thing I was just talking about is totally unrelated to running the spow	23:07
bramc	Let's say we take the most effective case for running parallel spows. There's some public thing which has just happened, giving 50 public keys, I can substitute any of those with my own next nearest, which might not be so far off (although if I only have a small fraction of storage it will be). I can use those small variants to get a whole bunch of spow outputs and see how well they'll work for me.	23:09
bramc	The problem is that those spow outputs aren't going to be good for me at all. If I have 1/10 the storage capacity, then my worst of 50 will essentially always be fairly close to 10 times worse than what the public network will generate	23:10
gmaxwell	forget 1/10th the storage. lets assume everyone is equal. equal storage. equal computation. equal spow speed. Except you have multiple spow processors and can run the spow in parallel.	23:11
bramc	so you have like 1/1000 of all storage	23:11
bramc	I understand what you just said, but don't see an attack under those circumstances	23:12
gmaxwell	I say you get a substantial benefit relative to other people from doing so. In fact, I think you get benefit linearly proportional to your spow parallelism. Lets make your parallelism unbounded. You have N entries in storage. When the network steps you compute the best solution and make it public, you then compute N-50 SPOWs. When any spow (network or local completes) you compute N-50 more candi	23:15
gmaxwell	date starting solutions, and you terminate replace any of your N-50 parallel processes that have lower expected returns than your new fodder.	23:15
bramc	Having an edge from a historical starting point doesn't really help. Everybody's ahead of you	23:16
gmaxwell	in the limit (assuming storage goes to infinity) your speedup from this strategy is infinite after one additional step (depth 1 reorg).	23:16
gmaxwell	because some lucky draw will be a BAD step, then a bunch of awesome steps, and you reorg the network.	23:17
bramc	Oh, ummm, an important point here: the SPOW is based on the hash of the previous proof of storage, you can't have them sitting around for use later	23:18
gmaxwell	I do agree that the storage in practice bounds your parallism but it means that parties with big cpu farms would have an advantage, and worse, part of that advantage can only be used for attacks, because it'll be late to the party.	23:18
gmaxwell	I know, thats why you're exploring many possibile futures. e.g. one where the step was X, one where it was the slightly worse solution Y, one where it was the slightly worse solution Z, and so on.	23:19
gmaxwell	Maybe unlucky Z's answer turns out to be a really lucky draw that yealds a very cheap SPOW for the step after that. Won't know unless you try it.	23:20
bramc	Yeah so you find those and they're all worse than what the public network has found, so if you're doing a spow yourself for the follow-on generation, and the network has already gotten ahead of you...	23:21
gmaxwell	if they're worse than what the network as found, thats okay. when the network finds something you check each of your brewing SPOWs and ask if network_next_work < work_left_on_this_one+average_work and if so replace it with a next step based on the network.	23:22
bramc	Even after the very first iteration of parallel spows every single one of those will finish behind the public network (unless you find one that's a bit ahead and give up your share of public mining rewards to play this little game)	23:22
gmaxwell	so yes, you'll often be replacing most of your parallel processes with work based on the network.	23:22
-!- kgk_ [~kgk@76.14.85.43] has joined #bitcoin-wizards		23:24
bramc	That can only be done if you've hardly forked at all. Are you suggesting an attack where when the network is at generation X, you figure out a slightly worse version of generation X, which makes you personally able to do generation X+1 faster, and then you introduce that to the network?	23:24
gmaxwell	Yes, and then you make it to generation X+1 faster than the network, and so it reorgs onto your state... but not just X+1 you have many parallel processors and with exponenitally decreasing probablity you may be the network at X+2, or X+3 or so on.	23:25
-!- bit2017 [~linker@42.116.152.78] has quit [Ping timeout: 240 seconds]		23:25
gmaxwell	Your goal: increase my density of blocks in the longest chain, at any cost. Your resources: fixed storage, same as anyone else, and the ability to buy as much parallel SPOW as you like.	23:26
bramc	There's some tradeoff here where based on what fraction of all mining capacity you have and how many parallel operations you have and what the N is which we've been discussing as 50 for arguments sake you can get some amount of advantage, but running the numbers myself the effect seems extremely weak	23:26
gmaxwell	What is the optimal strategy? I argue that its one that incentivizes producing reorgs (potentially long ones) based on using the parallel processing to consider alternative histories beyond the 'best' one that you and the network are also working on.	23:27
bramc	If I have 1/x of the total storage, and I run just 1 extra SPOW, it will result in me taking on average x times as long to do the next spow if I do everything based on my own storage	23:29
bramc	So the question becomes, how much more favorable does that get with using lots of extra parallel SPOW? And I think the answer is not very much	23:30
bramc	It certainly isn't the case that doubling the amount of parallel SPOW halves the amount of expected work. That would be the case if you were only using one point, hence using more points	23:32
gmaxwell	I think with infinite parallel spow the benefit is actually infinite at least when everone's storage is also infinite. Basically you lose this round, but one of your next steps which takes episilon longer than the honest network, ends up with a perfect match, and then do the next set of SPOW in time 0 and end up producing infinite blocks before the honest network has produces two.	23:34
gmaxwell	But perhaps thats the kind of crazy result when you look at the limits at infinity. :P	23:34
bramc	A rough example calculation is that the chances of getting less than half of your own expected difficulty of spow for the next generation is 1/2 for getting under the limit for each separate point, so that's 1/2**50 for even a speedup of 2, over your own expected difficulty much less the difficulty of everybody else	23:35
bramc	Yes infinite parallel spow yields infinite advantage, but you can't have infinite parallel spow, that requires resources	23:35
gmaxwell	Well the point of the infinite is to say that this process (at least when storage is sufficiently large) reduces to plain POW.	23:36
bramc	So we can guess that you don't have, say 2 64 spow, and even that is completely ridiculous, you probably don't even have 232 parallel spow	23:36
bramc	It doesn't reduce to plain pow because the costs are such that you're burning more on spow than the value you're gaining from it. If a linear relationship held up that would be true, but it's set up so that running parallel spow is mostly just wasting resources unless you already have a majority of storage capacity	23:39
bramc	This part I can work out some more math on and justify straightforwardly. I need to do some serious thinking about cpu tradeoffs for getting more out of storage though.	23:39
-!- zooko [~user@c-75-70-204-109.hsd1.co.comcast.net] has quit [Remote host closed the connection]		23:41
-!- rasengan [rasengan@pdpc/corporate-sponsor/privateinternetaccess.com/rasengan] has joined #bitcoin-wizards		23:50
bramc	Well, I have some tweaks to make and things to work through, thanks for the feedback	23:51
gmaxwell	Interesting discussion. I do think this class of algorithims gives me a useful solution to a different problem that I've been working on for some time. And that is creating an anonymous cumulative work hashcash. E.g. a hashcash which you can use up to N times concurrently, and infinite times sequentially; without anyone being able to link the work togeather (so long as you don't break the concur	23:51
gmaxwell	rency bound). I have a couple constuctions that achieve this to different levels, though the best are kinda ugly and require snarks.	23:51
gmaxwell	from this general class of ideas I can extract some better ones, though they do have unfriendly TMTO tradeoffs.	23:51
bramc	I'm not sure what you're describing, but it sounds interesting, and I'm happy if my thoughts help	23:52
gmaxwell	No problem on the feedback, good luck.	23:53
go1111111	FYI, the last logs from this channel are from over 36 hours ago, at https://botbot.me/freenode/bitcoin-wizards/ (was thinking it'd be nice if the above discussion was logged)	23:59
op_mul	go1111111: https://download.wpsoftware.net/bitcoin/wizards/2015-01-02.html	23:59
--- Log closed Fri Jan 02 00:00:08 2015

Generated by irclog2html.py 2.15.0.dev0 by Marius Gedminas - find it at mg.pov.lt!