--- Log opened Fri Jan 02 00:00:08 2015 | ||
--- Day changed Fri Jan 02 2015 | ||
op_mul | someone might want to give botbot a prod though. | 00:00 |
---|---|---|
-!- koshii [~0@c-68-58-151-30.hsd1.in.comcast.net] has quit [Ping timeout: 250 seconds] | 00:09 | |
-!- koshii [~0@c-68-58-151-30.hsd1.in.comcast.net] has joined #bitcoin-wizards | 00:10 | |
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards | 00:24 | |
-!- CoinMuncher [~jannes@178.132.211.90] has joined #bitcoin-wizards | 00:25 | |
-!- bramc [~bram@99-75-88-206.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Leaving] | 00:30 | |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has quit [Quit: pgokeeffe] | 00:32 | |
-!- kgk_ [~kgk@76.14.85.43] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…] | 00:39 | |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has joined #bitcoin-wizards | 00:40 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-uweidbluouduuyxn] has quit [Ping timeout: 265 seconds] | 00:43 | |
-!- damethos [~damethos@unaffiliated/damethos] has quit [Quit: Bye] | 00:43 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-kvzzcarituefmkjg] has joined #bitcoin-wizards | 00:45 | |
-!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #bitcoin-wizards | 00:48 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-kvzzcarituefmkjg] has quit [Ping timeout: 264 seconds] | 01:02 | |
-!- benten [~benten@unaffiliated/benten] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…] | 01:03 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-wrcivdxcnbvhftzl] has joined #bitcoin-wizards | 01:03 | |
-!- andy-logbot [~bitcoin--@wpsoftware.net] has quit [Remote host closed the connection] | 01:05 | |
-!- andy-logbot [~bitcoin--@wpsoftware.net] has joined #bitcoin-wizards | 01:05 | |
* andy-logbot is logging | 01:05 | |
-!- paveljanik [~paveljani@unaffiliated/paveljanik] has joined #bitcoin-wizards | 01:10 | |
-!- DougieBot5000 [~DougieBot@unaffiliated/dougiebot5000] has quit [Quit: Leaving] | 01:10 | |
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards | 01:17 | |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has quit [Quit: pgokeeffe] | 01:18 | |
-!- NewLiberty [~NewLibert@76-255-129-88.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 244 seconds] | 01:27 | |
-!- CoinMuncher [~jannes@178.132.211.90] has quit [Quit: Leaving.] | 01:35 | |
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards | 01:38 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-wrcivdxcnbvhftzl] has quit [Ping timeout: 245 seconds] | 01:41 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-jgkzzwtovrkodxhe] has joined #bitcoin-wizards | 01:43 | |
-!- Aquent1 [~Aquent@gateway/tor-sasl/aquent] has quit [Ping timeout: 250 seconds] | 01:44 | |
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards | 01:46 | |
-!- jtimon [~quassel@34.pool85-59-141.dynamic.orange.es] has joined #bitcoin-wizards | 02:15 | |
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 265 seconds] | 02:15 | |
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards | 02:22 | |
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Ping timeout: 240 seconds] | 02:32 | |
-!- CoinMuncher [~jannes@178.132.211.90] has joined #bitcoin-wizards | 02:37 | |
-!- benten [~benten@unaffiliated/benten] has quit [Quit: ...] | 02:50 | |
-!- [d__d] [~d__d]@ec2-54-85-45-223.compute-1.amazonaws.com] has quit [Remote host closed the connection] | 03:09 | |
-!- [d__d] [~d__d]@ec2-54-85-45-223.compute-1.amazonaws.com] has joined #bitcoin-wizards | 03:11 | |
-!- Profreid [~Profreitt@gateway/vpn/privateinternetaccess/profreid] has joined #bitcoin-wizards | 03:14 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-jgkzzwtovrkodxhe] has quit [Ping timeout: 240 seconds] | 03:14 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-ygjveixpjpszmzvt] has joined #bitcoin-wizards | 03:16 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-ygjveixpjpszmzvt] has quit [Ping timeout: 255 seconds] | 04:04 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-xwwjlbfoiqpfvfof] has joined #bitcoin-wizards | 04:06 | |
-!- vmatekole [~vmatekole@f055192059.adsl.alicedsl.de] has joined #bitcoin-wizards | 04:37 | |
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards | 04:42 | |
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 256 seconds] | 04:45 | |
-!- atgreen [~user@CPE687f74122463-CM84948c2e0610.cpe.net.cable.rogers.com] has joined #bitcoin-wizards | 04:54 | |
-!- belcher [~belcher-s@unaffiliated/belcher] has joined #bitcoin-wizards | 04:57 | |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards | 05:14 | |
-!- jaekwon [~omni@75-101-96-71.dsl.static.fusionbroadband.com] has quit [Read error: Connection reset by peer] | 05:32 | |
-!- jaekwon [~omni@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards | 05:33 | |
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards | 05:40 | |
-!- NewLiberty [~NewLibert@2602:304:cff8:1580:c48d:9701:fd15:192a] has joined #bitcoin-wizards | 06:09 | |
-!- optimator_ [~optimator@unaffiliated/optimator] has quit [Read error: Connection reset by peer] | 06:16 | |
-!- optimator [~optimator@ec2-54-205-93-122.compute-1.amazonaws.com] has joined #bitcoin-wizards | 06:17 | |
-!- optimator [~optimator@ec2-54-205-93-122.compute-1.amazonaws.com] has quit [Changing host] | 06:17 | |
-!- optimator [~optimator@unaffiliated/optimator] has joined #bitcoin-wizards | 06:17 | |
-!- sl01 [~sl01@li431-44.members.linode.com] has quit [Ping timeout: 240 seconds] | 06:20 | |
-!- sl01 [~sl01@li431-44.members.linode.com] has joined #bitcoin-wizards | 06:21 | |
-!- MoALTz_ [~no@user-46-112-49-198.play-internet.pl] has quit [Quit: Leaving] | 06:27 | |
-!- MoALTz [~no@user-46-112-49-198.play-internet.pl] has joined #bitcoin-wizards | 06:27 | |
-!- wallet421 [~wallet42@g226057074.adsl.alicedsl.de] has joined #bitcoin-wizards | 06:27 | |
-!- wallet421 [~wallet42@g226057074.adsl.alicedsl.de] has quit [Changing host] | 06:27 | |
-!- wallet421 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards | 06:27 | |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Killed (kornbluth.freenode.net (Nickname regained by services))] | 06:27 | |
-!- wallet421 is now known as wallet42 | 06:27 | |
-!- llllllllll [~lllllllll@53-109.bbned.dsl.internl.net] has joined #bitcoin-wizards | 06:36 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has joined #bitcoin-wizards | 06:42 | |
-!- copumpkin [~copumpkin@unaffiliated/copumpkin] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…] | 06:57 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-xwwjlbfoiqpfvfof] has quit [Ping timeout: 245 seconds] | 07:05 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-mwjfvsgidbpmugem] has joined #bitcoin-wizards | 07:07 | |
-!- Aquent1 [~Aquent@gateway/tor-sasl/aquent] has joined #bitcoin-wizards | 07:15 | |
-!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds] | 07:17 | |
-!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #bitcoin-wizards | 07:18 | |
-!- DougieBot5000 [~DougieBot@unaffiliated/dougiebot5000] has joined #bitcoin-wizards | 07:24 | |
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang] | 07:24 | |
-!- fanquake [~anonymous@unaffiliated/fanquake] has quit [Quit: fanquake] | 07:31 | |
-!- stonecoldpat [~Paddy@janus-nat-128-240-225-56.ncl.ac.uk] has quit [Ping timeout: 250 seconds] | 07:32 | |
-!- stonecoldpat [~Paddy@janus-nat-128-240-225-56.ncl.ac.uk] has joined #bitcoin-wizards | 07:32 | |
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards | 07:36 | |
hearn | adam3us: all forks require flag days, including soft forks. | 07:36 |
-!- zooko [~user@c-75-70-204-109.hsd1.co.comcast.net] has joined #bitcoin-wizards | 07:38 | |
Luke-Jr | hearn: softforks can autodetect their own "flag day" though | 07:38 |
hearn | how do you mean? | 07:38 |
Luke-Jr | hearn: softforks only require miner action, so can measure adoption by block % | 07:40 |
Luke-Jr | and switch when it gets to 95% or whatever | 07:40 |
Luke-Jr | hardforks require action by all users, mining or not, so block % is not really useful to determine adoption | 07:41 |
Luke-Jr | so a human has to decide a date that hopefully everyone will have updated by | 07:41 |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-mwjfvsgidbpmugem] has quit [Ping timeout: 264 seconds] | 07:45 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-wdabhryceqvdwkox] has joined #bitcoin-wizards | 07:46 | |
-!- coiner [~linker@42.118.85.149] has joined #bitcoin-wizards | 07:48 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-wdabhryceqvdwkox] has quit [Ping timeout: 255 seconds] | 07:55 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-xfadnlovtrfgrenu] has joined #bitcoin-wizards | 07:56 | |
-!- roconnor [~roconnor@e120-pool-d89a63c0.brdbnd.voicenetwork.ca] has quit [Quit: Konversation terminated!] | 08:03 | |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.] | 08:09 | |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards | 08:10 | |
hearn | Luke-Jr: they require action by all users too | 08:12 |
hearn | Luke-Jr: if you don't upgrade, you're not really running a full node anymore, right? | 08:13 |
hearn | and presumably, you were doing that for a reason .... | 08:13 |
hearn | i mean they require less work if you assume that lots of people running full nodes are wasting resources and don't really care about checking all the rules | 08:13 |
hearn | but i don't think that's a safe assumption at all. this is why i see soft forks and hard forks as equivalent, except soft forks have a nasty silent failure mode where you think your node is operating in one way, but it actually isn't | 08:13 |
hearn | it's better avoided, to be serious about security. | 08:14 |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.] | 08:21 | |
gmaxwell | hearn: I don't think thats true. To start; you never can know what possible extra requirements some majority of miners might be silently imposing on the network. They may keep them secret from you. A soft fork can only reduce the valididy of things. So they only produce type I errors (you conclude a transaction can make it into the history when really it cannot), but not type II errors (you conc | 08:22 |
gmaxwell | lude a transaction cannot make it into the history when it can). If a soft fork is, for example, limited to reducing the set of acceptable scriptSigs based on some explicit flag in a scriptPubKey. Then you would not be using that flag unless you knew about the soft fork. | 08:23 |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards | 08:25 | |
gmaxwell | So while, sure, its not something to be taken lightly I really cannot agree with the equivilence you're drawing there. To the extent that a soft fork increases your risk over overestimating the survival of a transaction that same overestimate already can exist due to opacity in miner policy or even just network connectivity. (e.g. you might assume this block will stay in the chain, but really the | 08:25 |
gmaxwell | network is partitioned and it will not) | 08:25 |
-!- Grishnakh [~grishnakh@dsl-espbrasgw1-50dfb6-218.dhcp.inet.fi] has joined #bitcoin-wizards | 08:25 | |
gmaxwell | And you can't say either of those things about a hard fork. If a block violates the rules, it violates the rules. And no amount of miner additional policy or partitioning will make a block the violated the rules acceptable in the future. The only way for that to happen is a hard fork, and the only way for a hard fork to happen is for the users of bitcoin, in overwhelming number, to accept new so | 08:27 |
gmaxwell | ftware which increases the set of things which are valid. | 08:27 |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Client Quit] | 08:27 | |
hearn | right, but trying to estimate if a transaction will survive is fundamental to accepting bitcoins. if a soft fork takes place and you are left behind, then this opens up a widely documented and easily abused way to exploit you, whereas it's otherwise very unlikely that you'll see a transaction make it into a block and then have it die permanently later | 08:30 |
gmaxwell | In terms of flag days, the hard fork case's safty criterion is not mechnically measurable either... for soft forks the change will not itself break consensus with high probablity so long as a majority of miners will enforce it... so it can be auto triggered based on the blockchain. | 08:30 |
hearn | yes, sure, the triggering mechanism is orthogonal. a hard fork could be triggered by measuring miner adoption too with an N month delay afterwards, like p2sh. the only question really is whether old nodes stop functioning entirely/go into some kind of safe mode, or whether they keep serving API requests and blocks to clients that are no longer considered valid by the majority | 08:31 |
gmaxwell | hearn: it's also very unlikely that you'll see a transaction make it into a block and die later. With the more modern (post bip16) procedure for a soft fork, it takes a improbably broken or explicitly malicious (and likely byzantine) miner to produce such a block. | 08:31 |
gmaxwell | hearn: "a hard fork could be triggered by measuring miner adoption" thats not measuring the right criteria in that case. Miners are 0.0001% of the parties that need to upgrade for the hard fork, and arguably the least important of them. (they just stop being miners if they produce a block inconsistent with the hardfork) | 08:32 |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has joined #bitcoin-wizards | 08:33 | |
gmaxwell | hearn: also multiple blocks per day appear and fail to make it into the longest chain. So blocks that don't survive are already common, and inherently so. | 08:33 |
hearn | or a miner that just hasn't upgraded? yes, but if the rules of bitcoin form the social contract between its users then hard vs soft doesn't make much difference - measuring miner participation is just a convenient way to decide on the flag moment for a rule change. some kind of flag day is required either way, for people who want to check all the rules | 08:34 |
gmaxwell | So if you are betting on a block will not be conflicted, you'll already have your expectation violated constantly, no soft fork at all. As soft fork would make that bet even worse, but only iff there is a broken/byzantine miner. | 08:34 |
gmaxwell | hearn: not upgrading will not cause the miner to produce an invalid block. | 08:35 |
gmaxwell | hearn: thats what I mean by more modern (post BIP16) soft-forks. We won't do a softfork that results in rejecting a transaction that a non-upgraded miner would have added to a block itself. | 08:35 |
hearn | right, you mean because of the change to make the OP_NOPS considered non-standard | 08:36 |
gmaxwell | so the only way a non-upgraded miner loses a block due to a soft-fork is because they extended a chain from a byzantine miner. | 08:36 |
gmaxwell | hearn: that wasn't a change. There has not been a released version of Bitcoin since 2010 that had them as standard. (and not just the OP_NOPs, also version fields on transactions) | 08:37 |
-!- rfreeman_w [~rfreeman@gateway/tor-sasl/rfreemanw] has quit [Quit: Leaving] | 08:37 | |
gmaxwell | hearn: (it had temporarily been droped in git, but the NOPs were restored; specifically because of this reason) | 08:38 |
hearn | yeah, ok. still, the question remains - what does it mean to run a full node? to me it has always meant checking all the rules, or at least all the rules that are possible to check. it seems like that's one of the guarantees that a full node tries to give its users. that's why i worry about soft forks, it's undermining that guarantee. i agree that soft forks are less likely to cause problems in practice these days, if done carefully. | 08:40 |
hearn | i guess my concern is partly philosophical | 08:40 |
gmaxwell | Don't get me wrong, I am not discounting the existance of byzantine miners (there are clearly unethical people with control of large amounts of hashrate at times); it's just that the 1-confirm case is already iffy due to orphaning that must happen already due to non-synchrnonicity of the network... That you need to have a byzantine miner to start the surprise invalid fork keeps the risk in the sa | 08:41 |
gmaxwell | me kind of magnitude. | 08:41 |
-!- jps [~Jud@68.34.201.156] has joined #bitcoin-wizards | 08:41 | |
gmaxwell | hearn: Well, as I said before; if you have the _strongest_ version of that requirement then you are doomed from the start, because whatever rules the miners will enforce is inherently opaque to you. (worse, it's not even the miners in the past that matter: its miners in the future that matter). So I think that that goal of exactly all the rules all the time is perhaps a bit too agressive. | 08:42 |
hearn | yeah. in my ideal world miners would all somehow remotely attest what they're doing so the system is entirely predictable :) but that's not practical | 08:43 |
gmaxwell | From that philosophical perspective we would have been best off if bitcoin had been released complete and perfect and never changed at all, and if you altered even one rule then it wasn't bitcoin, it was something else. ... this is elegant with respect to people never having a change imposed on them against their will... sadly, thats not realistically within the realm of human engineering capabil | 08:44 |
gmaxwell | ity. | 08:44 |
gmaxwell | hearn: well sadly miner behavior can be hidden by prefiltering the communications to miners, so no amount of cryptographic (or TPM) remote attest could actually give that result. | 08:44 |
gmaxwell | (you'd have to have a consensus of their inputs, and thus we've just made the problem recursive.. we need a blockchain to decide what inputs the miners got. Yo dawg.) | 08:45 |
hearn | right | 08:45 |
hearn | though i guess if the p2p network had authentication+encryption, a miner could attest what it was connected to and if you knew those nodes were also running the same rules as you, you'd know there was no prefiltering. but now we're getting into star-trek bitcoin territory | 08:46 |
gmaxwell | well this is #bitcoin-wizards, I have no fear of entertaining what star-trek bitcoin could do. I'm not sure if even thats enough, since e.g. someone sends a input the miner wants to filter, you kill the connection. I suppose if the miner were implemented using indistinguishability obfscuation so that even its operator couldn't learn what inputs it was given that would be enough. (but requiring In | 08:48 |
gmaxwell | d-obf is double insane, not just star-trek. And andytoshi seems to have a proof that ind-obf requires trusted setup fundimentally, IIRC) | 08:48 |
-!- d1ggy [~d1ggy@f051248253.adsl.alicedsl.de] has joined #bitcoin-wizards | 08:48 | |
-!- d1ggy_ [~d1ggy@f051248253.adsl.alicedsl.de] has joined #bitcoin-wizards | 08:48 | |
-!- d1ggy_ [~d1ggy@f051248253.adsl.alicedsl.de] has quit [Remote host closed the connection] | 08:49 | |
hearn | TC allows you to create sealed worlds so you could set up an encrypted connection that the owner of the mining node couldn't actually read. but obtaining a machine that can do that is a PITA, i've been looking at it lately and none of the big server manufacturers want to document precisely what their boxes have and can do :( | 08:49 |
-!- eudoxia [~eudoxia@r167-56-18-190.dialup.adsl.anteldata.net.uy] has joined #bitcoin-wizards | 08:50 | |
gmaxwell | maybe if a miner attested to what it was connected to, and got each of those peers to blindly sign the block after creating it, thus proving they were still connected and dropped no inputs... but they could be dos attacked by peers that go up and down. I think. | 08:50 |
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards | 08:50 | |
gmaxwell | yea TPM, if you accept the tpm security tradeoff, is equal to Ind-Obf but it's pratical. | 08:50 |
gmaxwell | so okay, sure TPM miners who have state secret from their operators. who have encrypted connections to other such miners.. and so on. Security reduces to how strong the tpm strong box is and how much you can trust its creator to not make glass-walled versions of it for select parties. | 08:52 |
hearn | the biggest problem with getting a TPM setup up and running is quite a few TPM manufacturers don't publish their certificates, or claim they do but actually don't. | 08:52 |
hearn | and even then it's hard to find out who manufacturs a tpm for any given server model without (presumably) phoning up the sales staff and interrogating them | 08:52 |
hearn | i might try anyway at some point this year as it opens up quite a few useful things, but maybe not. | 08:53 |
gmaxwell | yes, well are any except IBM actually doing both: (1) advertising remote attest as a supported thing, and (2) actually protecting the memory so that the protection is worthwhile against logic probes and cold boot? Last I'd looked (which was a long while ago) intel failed (2). | 08:53 |
-!- ryanxcharles [~ryanxchar@2601:9:4680:dd0:f9a1:481:b103:444c] has quit [Ping timeout: 265 seconds] | 08:53 | |
hearn | cold boot is supposed to be fixed. RAM is wiped at reboot in TXT mode. RAM encryption is possible but AFAIK the only implementation is now owned by Facebook, as they bought the company that made it | 08:54 |
hearn | i'm hoping at some point they'll open source it. emailed the guy who did the company but didn't get a response yet. | 08:54 |
hearn | intel are working on something called SGX that is supposed to solve all the problems TC has. the design looks good but it's taking years for them to ship anything | 08:55 |
hearn | that said attaching logic probes to a modern memory bus is quite non-trivial. the xbox hackers who used that technique had to do weird things to slow the bus and cpu down massively, not sure it applies to intel/amd chips | 08:57 |
gmaxwell | wrt wipe, you can actually hot pull the ram. I've seen this demonstrated. There is some challenge because apparently many current boards implement 'scrambling' (in this case, xoring with a constant pad) so moving to another board make isn't always reliable. Keep in mind the threat model with the miners the attacker has physical access. | 08:59 |
-!- bitbumper [~bitbumper@161.47.143.24.cm.sunflower.com] has quit [Ping timeout: 244 seconds] | 08:59 | |
hearn | yeah, physical access is the hardest threat model | 08:59 |
hearn | all you can do is keep raising the bar, really. | 08:59 |
hearn | SGX is entirely on-die though. it assumes everything outside the CPU core is compromised. | 09:00 |
hearn | quite impressive, really | 09:00 |
hearn | or will be, if/when it ships | 09:00 |
hearn | they've also done a lot of work on allowing upgrade of the software without losing access to its sealed secrets, and on making remote attestation actually work | 09:00 |
gmaxwell | hearn: xbox hackers were somewhat limited by costs. one can acquire a multiple-ghz DSO, they're just expensive (I'd looked into renting one for testing libsecp256k1 against sidechannel attacks) :) but indeed. Well, thats the attraction of Ind-OBF because it gives you the same behavior through cryptography, but its far from realistic yet. | 09:03 |
gmaxwell | IBM cryptocards are a single sealed package... so I think they're the only thing existing (At least the only thing I know about) that really gives a particularly strong story for remote attest against an attacker with unfettered physical access. | 09:04 |
hearn | on a slightly different tack, did you see the geppetto paper? very impressive leap forward beyond what Ben-Sasson et al have been doing. and they say they'll actually open source it (though i'm getting more skeptical about hearing this from academic research groups) | 09:04 |
hearn | yes the IBM cards are cool, but seem to be about as easy to find as unicorn poop :) | 09:04 |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:05 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:05 | |
gmaxwell | hearn: so actually I have sha512 and sha256 proofs running and can now probably do a ZKCP for a large sodoku with a few more days work. | 09:05 |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:05 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:05 | |
hearn | with what? geppetto? | 09:05 |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:05 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:05 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:05 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:05 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:05 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:06 | |
gmaxwell | hearn: If you can find the devkit, I have three of the IBM 4764s (PCI-X version, with PPC cpus in it). Can't get IBM to respond to me. :-/ | 09:06 |
-!- CoinMuncher [~jannes@178.132.211.90] has quit [Quit: Leaving.] | 09:06 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:06 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:06 | |
gmaxwell | hearn: no with some layer on top of libsnark that someone recently published! | 09:06 |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:06 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:06 | |
hearn | oh, awesome! that's very cool | 09:06 |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:06 | |
-!- Harusame [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:06 | |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Ping timeout: 250 seconds] | 09:06 | |
hearn | ah is that the code published by the microsoft guys? | 09:06 |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:06 | |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:06 | |
gmaxwell | hearn: https://github.com/jancarlsson/snarkfront | 09:06 |
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 265 seconds] | 09:07 | |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:07 | |
hearn | ah ha, i hadn't seen that, thanks | 09:07 |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:07 | |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:07 | |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:07 | |
gmaxwell | needs a very recent GCC due to C++11 bleeding edge stuff in it. | 09:07 |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:07 | |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:07 | |
gmaxwell | e.g. 4.7 was no adequate. 4.8 worked for me. | 09:07 |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:07 | |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:07 | |
gmaxwell | s/no/not/ | 09:07 |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has joined #bitcoin-wizards | 09:07 | |
-!- HarusameNyanko [~HarusameN@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp] has quit [Excess Flood] | 09:07 | |
-!- mode/#bitcoin-wizards [+o gmaxwell] by ChanServ | 09:08 | |
-!- mode/#bitcoin-wizards [+b *!*@nthrsm070252.hrsm.nt.ngn.ppp.infoweb.ne.jp$##fix_your_connection] by gmaxwell | 09:08 | |
@gmaxwell | hearn: I've been slowly trolling hardware surplus (hurray living in silicon valley) and have been able to pick up 3 seemingly working IBM 4764's for basically nothing... just cannot obtain the software now. Though I've considered this pretty low priority, too many other things in the air. Now that blockstream exists I can probably contact their sales, as a company, and maybe make some progress. | 09:10 |
@gmaxwell | But bleh, dealing with sales. | 09:10 |
-!- coiner [~linker@42.118.85.149] has quit [Ping timeout: 240 seconds] | 09:10 | |
hearn | thanks for the offer, i'll bear that in mind if doing stuff with TC gets to the top of my todo list :) | 09:10 |
hearn | i wonder if Hal used to have the dev kit? | 09:10 |
hearn | from the RPOW days | 09:11 |
hearn | seems an IBM card or SGX setup would be ideal for initialising the zkp key pairs | 09:12 |
@gmaxwell | I tried contacting hal about that ... alas, he didn't get back to me. But it was somewhat after the last communication I'd seen from him anywhere, so he may not have been able. Hal had the prior version that was x86 based, so his software would likely not have been useful; he might have had a useful contact though. | 09:12 |
@gmaxwell | hearn: yea, thats one of several things I'd like to use them for. | 09:12 |
hearn | perhaps his wife has an index of his stuff. | 09:13 |
hearn | huh wow jan carlsson rewrote libsnark from scratch! | 09:13 |
hearn | geppetto, if it's open sourced, would probably be easier than this though. they have a full blown backend to clang that compiles C down to "MultiQAPs" | 09:14 |
hearn | there's a very compelling bit of example code at the end that shows how to use it efficiently. the api seems quite straightforward. they got something crazy, like 8 orders of magnitude improvement in proving time | 09:14 |
-!- Aquent1 is now known as Aquent | 09:17 | |
-!- eudoxia [~eudoxia@r167-56-18-190.dialup.adsl.anteldata.net.uy] has quit [Quit: Leaving] | 09:18 | |
@gmaxwell | hearn: well it's not quite from scratch. But it reimplements all the circuit template stuff.. uses the crypto backends in libsnark. It's impressive in any case. | 09:20 |
-!- coiner [~linker@42.118.85.149] has joined #bitcoin-wizards | 09:22 | |
-!- ryanxcharles [~ryanxchar@162-245-22-162.v250d.PUBLIC.monkeybrains.net] has joined #bitcoin-wizards | 09:23 | |
-!- hashtag_ [~hashtag@69.23.213.3] has joined #bitcoin-wizards | 09:26 | |
hearn | gmaxwell: any idea why he claims the verification takes 8 seconds for sha2? i thought it was supposed to be measured in milliseconds to verify a pcp proof | 09:27 |
-!- vmatekol_ [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 09:35 | |
-!- vmatekole [~vmatekole@f055192059.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] | 09:38 | |
-!- op_mul [~op_mul@178.62.78.122] has quit [Quit: Lost terminal] | 09:43 | |
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards | 09:47 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…] | 09:53 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has joined #bitcoin-wizards | 09:53 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has quit [Read error: Connection reset by peer] | 09:53 | |
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 245 seconds] | 09:53 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has joined #bitcoin-wizards | 09:54 | |
@gmaxwell | hearn: he means the proof for a verification of sha2. :) | 09:57 |
hearn | ah i see | 09:57 |
-!- Burrito [~Burrito@unaffiliated/burrito] has joined #bitcoin-wizards | 10:00 | |
-!- jps [~Jud@68.34.201.156] has quit [Quit: jps] | 10:04 | |
-!- zooko` [~user@184-96-122-66.hlrn.qwest.net] has joined #bitcoin-wizards | 10:15 | |
-!- zooko [~user@c-75-70-204-109.hsd1.co.comcast.net] has quit [Ping timeout: 256 seconds] | 10:17 | |
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards | 10:21 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has quit [Quit: Textual IRC Client: www.textualapp.com] | 10:23 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has joined #bitcoin-wizards | 10:25 | |
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards | 10:38 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-xfadnlovtrfgrenu] has quit [Ping timeout: 256 seconds] | 10:44 | |
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 240 seconds] | 10:45 | |
-!- e1782d11df4c9914 [~e1782d11d@cpe-66-68-54-206.austin.res.rr.com] has joined #bitcoin-wizards | 10:46 | |
@gmaxwell | [OT] The SP20 miners from spondoolies have a much 'nicer' noise than the SP10. Still not quiet with the fans cranked up but much lower pitch. | 10:47 |
-!- DougieBot5000 [~DougieBot@unaffiliated/dougiebot5000] has quit [Quit: Leaving] | 10:47 | |
-!- e1782d111f4c9914 [e1782d11df@gateway/vpn/mullvad/x-kemutuhcpbohlzvu] has joined #bitcoin-wizards | 10:56 | |
-!- e1782d11df4c9914 [~e1782d11d@cpe-66-68-54-206.austin.res.rr.com] has quit [Ping timeout: 244 seconds] | 10:57 | |
-!- damethos [~damethos@unaffiliated/damethos] has joined #bitcoin-wizards | 11:03 | |
-!- e1782d111f4c9914 [e1782d11df@gateway/vpn/mullvad/x-kemutuhcpbohlzvu] has quit [Ping timeout: 240 seconds] | 11:09 | |
-!- damethos [~damethos@unaffiliated/damethos] has quit [Ping timeout: 255 seconds] | 11:11 | |
-!- e1782d11df4c9914 [~e1782d11d@cpe-66-68-54-206.austin.res.rr.com] has joined #bitcoin-wizards | 11:11 | |
-!- e1782d11df4c9914 [~e1782d11d@cpe-66-68-54-206.austin.res.rr.com] has quit [Ping timeout: 255 seconds] | 11:17 | |
-!- Elio20 [~elio19@gateway/tor-sasl/elio19] has quit [Remote host closed the connection] | 11:18 | |
-!- Aquent1 [~Aquent@gateway/tor-sasl/aquent] has joined #bitcoin-wizards | 11:20 | |
-!- Aquent [~Aquent@gateway/tor-sasl/aquent] has quit [Ping timeout: 250 seconds] | 11:22 | |
-!- jtimon [~quassel@34.pool85-59-141.dynamic.orange.es] has quit [Ping timeout: 240 seconds] | 11:50 | |
-!- DougieBot5000 [~DougieBot@unaffiliated/dougiebot5000] has joined #bitcoin-wizards | 11:59 | |
-!- zooko` [~user@184-96-122-66.hlrn.qwest.net] has quit [Ping timeout: 244 seconds] | 12:15 | |
-!- mkarrer [~mkarrer@135.Red-83-52-38.dynamicIP.rima-tde.net] has quit [] | 12:18 | |
-!- benten [~benten@unaffiliated/benten] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…] | 12:21 | |
-!- e1782d11df4c9914 [~e1782d11d@cpe-66-68-54-206.austin.res.rr.com] has joined #bitcoin-wizards | 12:29 | |
-!- HaltingState [~HaltingSt@2605:e000:1318:c1d2:3423:3ea3:781:1d05] has joined #bitcoin-wizards | 12:34 | |
-!- HaltingState [~HaltingSt@2605:e000:1318:c1d2:3423:3ea3:781:1d05] has quit [Changing host] | 12:34 | |
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has joined #bitcoin-wizards | 12:34 | |
-!- Aquent1 [~Aquent@gateway/tor-sasl/aquent] has quit [Ping timeout: 250 seconds] | 12:35 | |
-!- tacotime [~mashkeys@198.52.200.63] has quit [Ping timeout: 255 seconds] | 12:36 | |
-!- Aquent1 [~Aquent@gateway/tor-sasl/aquent] has joined #bitcoin-wizards | 12:37 | |
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards | 12:39 | |
-!- Dizzle [~diesel@207.11.113.29] has joined #bitcoin-wizards | 12:42 | |
-!- user7779_ [user777907@gateway/vpn/mullvad/x-btcgkhnufhmyexzv] has joined #bitcoin-wizards | 12:54 | |
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has quit [Quit: Leaving] | 12:55 | |
-!- moa [~kiwigb@opentransactions/dev/moa] has joined #bitcoin-wizards | 13:01 | |
-!- vmatekol_ [~vmatekole@f048217193.adsl.alicedsl.de] has quit [Remote host closed the connection] | 13:04 | |
-!- tacotime [~mashkeys@198.52.200.63] has joined #bitcoin-wizards | 13:06 | |
-!- zooko [~user@c-67-161-139-15.hsd1.co.comcast.net] has joined #bitcoin-wizards | 13:07 | |
-!- moa [~kiwigb@opentransactions/dev/moa] has quit [Ping timeout: 240 seconds] | 13:19 | |
-!- moa [~kiwigb@opentransactions/dev/moa] has joined #bitcoin-wizards | 13:20 | |
-!- eudoxia [~eudoxia@r179-25-157-154.dialup.adsl.anteldata.net.uy] has joined #bitcoin-wizards | 13:23 | |
-!- belcher [~belcher-s@unaffiliated/belcher] has quit [Quit: Leaving] | 13:51 | |
-!- jps [~Jud@68.34.201.156] has joined #bitcoin-wizards | 13:58 | |
-!- benten [~benten@unaffiliated/benten] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…] | 13:59 | |
-!- MoALTz_ [~no@user-46-112-49-198.play-internet.pl] has joined #bitcoin-wizards | 14:00 | |
-!- Dizzle__ [~diesel@70.114.207.41] has joined #bitcoin-wizards | 14:03 | |
-!- MoALTz [~no@user-46-112-49-198.play-internet.pl] has quit [Ping timeout: 240 seconds] | 14:03 | |
-!- belcher [~belcher-s@5ec1ab86.skybroadband.com] has joined #bitcoin-wizards | 14:03 | |
-!- belcher [~belcher-s@5ec1ab86.skybroadband.com] has quit [Changing host] | 14:03 | |
-!- belcher [~belcher-s@unaffiliated/belcher] has joined #bitcoin-wizards | 14:03 | |
-!- Dizzle [~diesel@207.11.113.29] has quit [Disconnected by services] | 14:04 | |
-!- Dizzle__ is now known as Dizzle | 14:04 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 14:05 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds] | 14:09 | |
-!- everettForth [~everett@c-69-181-97-171.hsd1.ca.comcast.net] has joined #bitcoin-wizards | 14:12 | |
-!- benten [~benten@unaffiliated/benten] has joined #bitcoin-wizards | 14:15 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 14:29 | |
-!- zooko [~user@c-67-161-139-15.hsd1.co.comcast.net] has quit [Remote host closed the connection] | 14:39 | |
-!- mortale [~mortale@gateway/tor-sasl/mortale] has quit [Remote host closed the connection] | 14:42 | |
-!- mortale [~mortale@gateway/tor-sasl/mortale] has joined #bitcoin-wizards | 14:45 | |
-!- fanquake [~anonymous@unaffiliated/fanquake] has joined #bitcoin-wizards | 14:54 | |
-!- paveljanik [~paveljani@unaffiliated/paveljanik] has quit [Quit: This computer has gone to sleep] | 15:02 | |
-!- narwh4l [~michael@unaffiliated/thesnark] has joined #bitcoin-wizards | 15:08 | |
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has quit [Remote host closed the connection] | 15:12 | |
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang] | 15:18 | |
andytoshi | gmaxwell: i have an argument that snarks require trusted setup (but my personal feeling about it is that we are just defining "zero-knowledge" in an overly platonic way) (have not had the spare brain cycles in months to consider this) | 15:18 |
andytoshi | ind-obf i believe requires multilinear maps, which are currently only possible (and "approximately so") by graded encodings, which iirc involve a trusted setup, but i feel this is accidental | 15:19 |
-!- eudoxia [~eudoxia@r179-25-157-154.dialup.adsl.anteldata.net.uy] has quit [Quit: Leaving] | 15:20 | |
andytoshi | "requires multilinear maps" what i mean by this is that matiasevich's theorem (computable sets == diophantine sets) suggests an intuition "obfuscated general circuits is as hard as secure addition + multiplication", and the only framework we have for "secure ring operations" is multilinear maps. but the optimist in me thinks the next 5-10 maps will see some alternative to mlinear maps, something | 15:22 |
andytoshi | quantum hard and which doesn't have any trusted parties | 15:22 |
@gmaxwell | years not maps. yea, I've seen some of the multilinear maps systems and they're really pretty ugly. | 15:25 |
andytoshi | yes, years :) | 15:25 |
@gmaxwell | "oops sorry, your exection became too noisy and your ciphertext is not decodable, try again maybe?" | 15:26 |
andytoshi | i'm also kinda doubtful about the security of these graded encoding schemes, the early versions are broken now by what appear to be really ad-hoc attacks | 15:26 |
andytoshi | (but what do i know, i am way behind on my graded encoding reading) | 15:27 |
@gmaxwell | if only these systems were as pretty as bilinear maps, which are basically a realization of exactly what you would have wanted from an idealized construct. | 15:29 |
@gmaxwell | except, I suppose, in that they aren't quantum hard. | 15:29 |
andytoshi | yeah. it's a little surprising to me that there is no such thing, given how exhaustive our understanding of groups is these days.. | 15:29 |
andytoshi | mm, yeah, that's too bad. i really like DL for its simplicity :/ | 15:30 |
@gmaxwell | well nothing like it will be quantum hard. | 15:30 |
@gmaxwell | (I believe schor can be made to work for any finite cyclic group) | 15:32 |
andytoshi | that's also my recollection, tho to my shame i have not actually read his paper | 15:35 |
-!- user7779_ [user777907@gateway/vpn/mullvad/x-btcgkhnufhmyexzv] has quit [] | 15:52 | |
@gmaxwell | This is pretty cool: http://www.newae.com/ sort of a prefab tool kit for sidechannel analysis and glitching attacks. (mostly targeted at small microcontrollers/smartcards) | 15:58 |
-!- jps [~Jud@68.34.201.156] has quit [Quit: jps] | 15:58 | |
Luke-Jr | hearn: there's a difference between your node degrading, and your node breaking entirely | 16:04 |
hearn | i'm not so sure. by analogy to RNGs, a degraded RNG looks like it's operating correctly, but is often the same as a fully broken rng (i.e. giving you all zeros) | 16:07 |
hearn | but one is a lot more detectable than another | 16:08 |
hearn | and the issue for me is detectability. e.g. i'd be totally cool with an -spv switch that says to a full node "don't run scripts for now", and then if your node starts saying "I think I don't know about some rules used by the new majority" such as triggered by block version, it'd require a restart with that flag | 16:10 |
hearn | then the operator can reason about what impact that might have on their business, if any, and the node can stop serving the block chain to other peers, etc. | 16:11 |
hearn | anyway, in the end, i don't care all that much. we'll muddle through no matter what | 16:13 |
@gmaxwell | hearn: Detectability can be fully addressed though. E.g. transactions showing up with 'future' versions and using nopcodes are something you could notice... more formalism could be given to detection there. | 16:13 |
-!- s1w is now known as SomeoneWeird | 16:24 | |
-!- Starduster_ [~guest@unaffiliated/starduster] has quit [Read error: Connection reset by peer] | 16:29 | |
-!- NewLiberty [~NewLibert@2602:304:cff8:1580:c48d:9701:fd15:192a] has quit [Read error: Connection reset by peer] | 16:30 | |
-!- NewLiberty [~NewLibert@76-255-129-88.lightspeed.irvnca.sbcglobal.net] has joined #bitcoin-wizards | 16:31 | |
-!- everettForth [~everett@c-69-181-97-171.hsd1.ca.comcast.net] has quit [Ping timeout: 245 seconds] | 16:34 | |
-!- Profreid [~Profreitt@gateway/vpn/privateinternetaccess/profreid] has quit [Quit: Profreid] | 16:37 | |
-!- adam3us [~Adium@c31-67.i07-8.onvol.net] has quit [Quit: Leaving.] | 16:37 | |
-!- Dizzle [~diesel@70.114.207.41] has quit [Quit: Leaving...] | 16:38 | |
-!- SomeoneWeird is now known as s1w | 16:40 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…] | 16:42 | |
-!- benten [~benten@unaffiliated/benten] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…] | 16:44 | |
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has joined #bitcoin-wizards | 16:46 | |
-!- ryanxcharles [~ryanxchar@162-245-22-162.v250d.PUBLIC.monkeybrains.net] has quit [Ping timeout: 265 seconds] | 16:49 | |
-!- iang [~iang@cpc3-lewi16-2-0-cust561.2-4.cable.virginm.net] has quit [Quit: iang] | 16:57 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has joined #bitcoin-wizards | 17:00 | |
-!- hearn [~mike@84-75-198-85.dclient.hispeed.ch] has quit [Client Quit] | 17:00 | |
-!- narwh4l [~michael@unaffiliated/thesnark] has quit [Remote host closed the connection] | 17:02 | |
tacotime | I'm just surprised broken RNGs like the one from blockchain even happen very often, as an easy spot check would be to call the RNG twice and generate a signature using the same data aside from what you called from the RNG, and then see if it ever outputs the same thing twice. | 17:14 |
tacotime | I imagine you could make it do this lots and lots of times in testing. | 17:14 |
tacotime | It would have caught the reused R-values, I would guess.. | 17:14 |
tacotime | (slightly digressive) | 17:16 |
-!- ryanxcharles [~ryanxchar@2601:9:4680:dd0:1467:fc91:dcff:425c] has joined #bitcoin-wizards | 17:22 | |
-!- llllllllll [~lllllllll@53-109.bbned.dsl.internl.net] has quit [] | 17:23 | |
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has joined #bitcoin-wizards | 17:24 | |
-!- swap01 [~swap01@c-71-57-129-195.hsd1.fl.comcast.net] has joined #bitcoin-wizards | 17:25 | |
swap01 | 01swap.com - Make money by selling your files for Bitcoins! | 17:26 |
-!- mode/#bitcoin-wizards [+o andytoshi] by ChanServ | 17:27 | |
-!- mode/#bitcoin-wizards [+b *!*@*c-71-57-129-195.hsd1.fl.comcast.net] by andytoshi | 17:27 | |
-!- swap01 was kicked from #bitcoin-wizards by andytoshi [swap01] | 17:27 | |
-!- faraka [835eba0a@gateway/web/freenode/ip.131.94.186.10] has joined #bitcoin-wizards | 17:27 | |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has joined #bitcoin-wizards | 17:28 | |
-!- mode/#bitcoin-wizards [-o andytoshi] by andytoshi | 17:28 | |
brand0 | tacotime, broken prngs aren't generally that easy to spot | 17:28 |
-!- Sub|afk is now known as SubCreative | 17:28 | |
-!- SubCreative [~SubCreati@c-76-121-19-166.hsd1.wa.comcast.net] has quit [Changing host] | 17:28 | |
-!- SubCreative [~SubCreati@unaffiliated/cannacoin] has joined #bitcoin-wizards | 17:28 | |
brand0 | they often look random, but if you can guess the seed value (often time) then you can eventually re-generate the privkey with a little luck | 17:29 |
andytoshi | tacotime: i bet you could come up with half a dozen rng failure modes on the same order of "obviously broken" as a constant output .. agreed that sanity checking wouldn't work, but i also think it's probably not worth the effort | 17:29 |
andytoshi | as brand0 says, no matter what you do it can break just as seriously in a way you didn't consider | 17:29 |
tacotime | yeah | 17:30 |
andytoshi | o.O s/wouldn't work/couldn't hurt/ | 17:30 |
tacotime | yeah i was wondering about that bit | 17:35 |
tacotime | but right, i feel like you should at least sanity check to vs simple mistakes | 17:36 |
tacotime | there's always stuff you can't control, but you should make sure that it meets some minimum sane behaviour. at least in terms of signature generation that people's money is relying on. :/ | 17:37 |
brand0 | yeah, that's the problem with prng | 17:37 |
brand0 | they can be difficult to audit | 17:38 |
brand0 | looking at the source is helpful, but you don't always get it | 17:38 |
-!- fanquake [~anonymous@unaffiliated/fanquake] has quit [Remote host closed the connection] | 17:39 | |
@gmaxwell | tacotime: that ssuggests software is tested. My expirence is that most software is not tested at all, most of what is ... is only tested lightly. | 17:39 |
* kanzure wrote +1000 lines of tests today | 17:40 | |
tacotime | maybe we should make a wiki page of Bad Things That Happen When You Don't Make Test Cases. | 17:40 |
-!- copumpkin [~copumpkin@unaffiliated/copumpkin] has joined #bitcoin-wizards | 17:40 | |
@gmaxwell | Writing software that can be tested in a meaningful way is a substantial increase in effort. And from from toolsets its not really reasonably possible to say that you've actually tested all of the execution space of the program. | 17:40 |
kanzure | (as of a few seconds ago, actually... what year is this? who are you people?) | 17:41 |
@gmaxwell | tacotime: but even those words are bad. right, unit testing isn't enough. Unit testing would have hapily passed the prior bc.i rng bug with webworkers... because the unit test doesn't run in an identical enviroment to the code. They're just one tool in the box. | 17:41 |
tacotime | Yeah, I know with btcd we have a lot of test coverage (100% in a lot of places), but a lot of it is just cursory testing to tell you if you've obviously broken something. | 17:42 |
kanzure | i wonder if abusing webworkers through webkitgtk+ gobject bindings still counts as a unit test | 17:42 |
@gmaxwell | tacotime: often coverage driving testing produces pretty meaningless tests that just happen to make the code go. Better than nothing, perhaps, though it lowers the usefulness of coverage analysis. | 17:43 |
-!- dgenr8 [~dgenr8@unaffiliated/dgenr8] has joined #bitcoin-wizards | 17:43 | |
brand0 | unit testing is mostly a defense against regression -- problems you | 17:43 |
brand0 | already know about | 17:43 |
kanzure | devising tests for scenarios i don't know about is definitely tricky :) | 17:44 |
@gmaxwell | In complex systems most tests are ineffective ... they're not going to tell you about race conditions, or about an attacker being able to drive the system into a state where a exception is thrown because you've run out of memory and doom results, etc. | 17:44 |
-!- coiner [~linker@42.118.85.149] has quit [Ping timeout: 255 seconds] | 17:44 | |
tacotime | Well. Golang has a race tester, though I'm not sure how effective it is. Though I have seen it catch races. | 17:45 |
@gmaxwell | tacotime: sure, it's somewhat similar to DRD. ... useful but it isn't sound. | 17:46 |
@gmaxwell | (I mean, it can tell you if there is a race that you're triggering, but it can't prove your software free of races.) | 17:46 |
@gmaxwell | For security we actually want soundness. | 17:46 |
brand0 | testing it one tool, nothing can replace careful programming practices and auditing | 17:47 |
brand0 | s/it/is | 17:47 |
@gmaxwell | kanzure: well I know how to do it. You use mutation testing: Once the tests are complete enough, you start adding bugs in the software (including randomly). | 17:47 |
kanzure | and then there's things like internal consistency vs consistency against your local bitcoind node's knowledge of the current blockchain | 17:49 |
kanzure | (for which i think i can probably safely steal bitcoind-related tests) | 17:49 |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has quit [Remote host closed the connection] | 17:49 | |
-!- hashtag_ [~hashtag@69.23.213.3] has quit [Ping timeout: 255 seconds] | 18:02 | |
-!- zooko [~user@c-75-70-204-109.hsd1.co.comcast.net] has joined #bitcoin-wizards | 18:07 | |
-!- belcher [~belcher-s@unaffiliated/belcher] has quit [Quit: Leaving] | 18:08 | |
-!- jtimon [~quassel@34.pool85-59-141.dynamic.orange.es] has joined #bitcoin-wizards | 18:13 | |
-!- Keefe_ is now known as Keefe | 18:13 | |
-!- Aquent1 [~Aquent@gateway/tor-sasl/aquent] has quit [Ping timeout: 250 seconds] | 18:14 | |
-!- hashtag_ [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has joined #bitcoin-wizards | 18:19 | |
-!- hashtag_ [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has quit [Ping timeout: 240 seconds] | 18:23 | |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has quit [Quit: pgokeeffe] | 18:23 | |
-!- hashtag_ [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has joined #bitcoin-wizards | 18:26 | |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has joined #bitcoin-wizards | 18:27 | |
-!- op_mul [~op_mul@178.62.78.122] has joined #bitcoin-wizards | 18:28 | |
op_mul | gmaxwell: although automated testing wouldn't have caught the webworkers bug with bc.i, or the bug where msCrypto wasn't being used, or the bug where window.crypto wasn't being used, a codebase with tests at least suggests that there's some oversight of your codebase. | 18:30 |
@gmaxwell | no disagreement. | 18:30 |
-!- wallet42 [~wallet42@unaffiliated/wallet42] has quit [Quit: Leaving.] | 18:33 | |
sipa | to generalize what greg said earlier: the problem often seems to be not realizing what types of errors could exist | 18:33 |
sipa | not testing those is just a symptom of that | 18:33 |
sipa | especially in security-critical systems there are many more classes of mistakes that are relevant | 18:34 |
@gmaxwell | op_mul: to be fare, for propritary systems there may be substantial testing thats just not visible to the public. (not that I'd recommend depending on that...) | 18:34 |
-!- Starduster [~guest@5ED11658.cm-7-2a.dynamic.ziggo.nl] has joined #bitcoin-wizards | 18:34 | |
-!- Starduster [~guest@5ED11658.cm-7-2a.dynamic.ziggo.nl] has quit [Changing host] | 18:34 | |
-!- Starduster [~guest@unaffiliated/starduster] has joined #bitcoin-wizards | 18:34 | |
tacotime | well; the bc.i problem could have been tested for if the testing came shipped in the code and was performed before publishing the generated sig to the user (e.g. make 256 signatures first to verify that even in this environment R values are not being reused). | 18:34 |
-!- roconnor [~roconnor@e120-pool-d89a63c0.brdbnd.voicenetwork.ca] has joined #bitcoin-wizards | 18:35 | |
@gmaxwell | roconnor: hi! | 18:35 |
tacotime | but maybe having your code self-slowing that much is a problem to the end user. | 18:35 |
sipa | tacotime: that requires 1) realizing that the RNG is a relevant part of the cryptographic system and 2) that reusing R is dangerous | 18:35 |
tacotime | heh | 18:36 |
sipa | tacotime: if they would have realized those two things, they 1) wouldn't have written the same code and 2) likely have tests for it | 18:36 |
op_mul | tacotime: that's not even the problem. having a weak k is just as dangerous as duplicating R. if they had say, a 64 bit RNG rather than an 8 bit one, people would still have lost money and that test would have passed. | 18:36 |
@gmaxwell | that predicatable R is dangerous. (arguably that it was predictable was much worse; and a lot of people mistakingly believe that reuse is required for key leaking) | 18:36 |
sipa | but saying "testing this is easy!" is not relevant - the problem wasn't that this is hard, the problem is not knowing it could be wrong | 18:37 |
@gmaxwell | yea, "For knowing where to put the chalk mark, $9,999." | 18:38 |
sipa | Yup. | 18:38 |
tacotime | yeah. i guess comprehension of the signing algos is not always a requirement for using them. | 18:38 |
@gmaxwell | ( for context http://web.mit.edu/president/communications/com99.html ) | 18:38 |
tacotime | sony has proven that too. | 18:38 |
op_mul | I don't know how sony managed that. gross misreading of the docs? | 18:39 |
@gmaxwell | tacotime: not even implementing them. Virtually none of the people writing software for this stuff have even the foggiest clue what they're doing, they follow tutorials (often also written by people learning the subject) | 18:39 |
sipa | tacotime: you don't need to know algorothms, implementation or security prpofs for cryptpgraphic systems | 18:39 |
sipa | tacotime: but you do need to know under what conditions they are safe to use, and for what purpose and against what attacks | 18:40 |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has quit [Quit: pgokeeffe] | 18:41 | |
tacotime | yeah. i'll probably ask questions about stealth addresses once i get to playing with coding for that. and the chaumian blinding stuff from oleg, i meant to turn that code snippet into something useful. though i'm not sure it's implemented 100% correctly, i'm just going by the snippet posted to gist. | 18:42 |
@gmaxwell | This is part of the reason that all these straight into the weeds tutorials on ECC make me sad. They dive straight into a blow by blow implementation written in english and fail to convey any overarching understanding. The reader walks away able to implement but maybe not safely use, or implement correctly. | 18:42 |
tacotime | is there an ECC list of "Things To Look Out For" somewhere? | 18:43 |
op_mul | doubt it. | 18:43 |
@gmaxwell | Cryptography list of things to look out for: look out for lists of thing to look out for. | 18:43 |
tacotime | Heh. | 18:43 |
@gmaxwell | I'm not actually sure that lists are counterproductive, but they're less helpful than they can appear, because every darn part matters... and no formula can make things right. Certantly if you _only_ apply the checklist you're in trouble. | 18:45 |
op_mul | a little bit of knowledge about ECC is quite dangerous too, there's a number of people on reddit running around telling people not to reuse addresses because it saves you from RNG problems. | 18:45 |
-!- Tjopper1 [~Jop@dhcp-077-249-237-229.chello.nl] has quit [Read error: Connection reset by peer] | 18:45 | |
op_mul | if you only use the address once, dup R can't hurt you right? right? | 18:45 |
op_mul | even if that were true, signing two outputs would reveal your private key and then it would just be a double spend race. | 18:46 |
tacotime | gmaxwell: Well, maybe a list of "bad things that happened when someone did something they thought did something else, and here's why it didn't work the way they thought it did." | 18:47 |
@gmaxwell | tacotime: common failure modes are not handling the group vs field order quite right or tracking what values are what. Everyone that gives 101 tutorials gives people group law which has special cases which must be implemented right, involving comparisons you can get wrong. Most academic discussions ignore details like having to multiply points by the cofactor to avoid subgroup confinement attack | 18:47 |
tacotime | It would be kind of an interesting read at least. | 18:47 |
@gmaxwell | s (fortunately not an issue for secp256k1), or having to verify that points recieved from the network are actually on the curve. | 18:47 |
@gmaxwell | A lot of crypto code has fallen due to seralization bugs or interactions with seralization and the crypto. | 18:48 |
tacotime | That makes sense. | 18:48 |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 18:50 | |
@gmaxwell | Similar to the group law stuff that everyone describes in a way that is harder to implement correctly, the tutorial grade explinations of this stuff have huge timing sidechannels, which maybe more things should worry more about. | 18:51 |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] | 18:55 | |
-!- zooko [~user@c-75-70-204-109.hsd1.co.comcast.net] has quit [Ping timeout: 244 seconds] | 19:07 | |
-!- zooko [~user@c-75-70-204-109.hsd1.co.comcast.net] has joined #bitcoin-wizards | 19:08 | |
-!- ahmed_ is now known as ahmed_bodi | 19:17 | |
-!- ahmed_bodi is now known as ahmedbodi | 19:17 | |
-!- Burrito [~Burrito@unaffiliated/burrito] has quit [Quit: Leaving] | 19:25 | |
-!- Emcy [~MC@unaffiliated/mc1984] has quit [Ping timeout: 240 seconds] | 19:39 | |
-!- eslbaer_ [~eslbaer@p57BCE811.dip0.t-ipconnect.de] has joined #bitcoin-wizards | 19:48 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 19:51 | |
-!- eslbaer__ [~eslbaer@p57BCE1FC.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds] | 19:51 | |
-!- Dizzle [~Dizzle@2605:6000:1018:c0f5:d47d:a3ed:3037:30f5] has joined #bitcoin-wizards | 19:52 | |
-!- Adlai` is now known as adlai | 19:53 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] | 19:56 | |
-!- Emcy [~MC@cpc3-swan1-0-0-cust570.7-3.cable.virginm.net] has joined #bitcoin-wizards | 20:01 | |
-!- Emcy [~MC@cpc3-swan1-0-0-cust570.7-3.cable.virginm.net] has quit [Changing host] | 20:01 | |
-!- Emcy [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards | 20:01 | |
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has quit [Quit: Leaving] | 20:17 | |
-!- catlasshrugged [~satoshi-u@63.142.161.19] has joined #bitcoin-wizards | 20:18 | |
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has quit [Ping timeout: 244 seconds] | 20:20 | |
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has joined #bitcoin-wizards | 20:21 | |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has joined #bitcoin-wizards | 20:25 | |
-!- faraka [835eba0a@gateway/web/freenode/ip.131.94.186.10] has quit [Ping timeout: 246 seconds] | 20:29 | |
-!- Dizzle [~Dizzle@2605:6000:1018:c0f5:d47d:a3ed:3037:30f5] has quit [Quit: parteh tiem] | 20:30 | |
-!- hashtag_ [~hashtag@CPE-69-23-213-3.wi.res.rr.com] has quit [Ping timeout: 244 seconds] | 20:52 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 20:52 | |
-!- d1ggy_ [~d1ggy@f051249174.adsl.alicedsl.de] has joined #bitcoin-wizards | 20:53 | |
-!- maaku [~quassel@173-228-107-141.dsl.static.fusionbroadband.com] has quit [Ping timeout: 245 seconds] | 20:53 | |
-!- pgokeeffe [~pgokeeffe@101.165.93.194] has quit [Quit: pgokeeffe] | 20:54 | |
-!- d1ggy [~d1ggy@f051248253.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] | 20:56 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has quit [Ping timeout: 244 seconds] | 20:57 | |
-!- jps [~Jud@68.34.201.156] has joined #bitcoin-wizards | 20:59 | |
-!- NewLiberty [~NewLibert@76-255-129-88.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 255 seconds] | 21:17 | |
-!- NewLiberty [~NewLibert@2602:304:cff8:1580:c48d:9701:fd15:192a] has joined #bitcoin-wizards | 21:34 | |
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has joined #bitcoin-wizards | 21:52 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 21:53 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has quit [Ping timeout: 244 seconds] | 21:58 | |
-!- d1ggy_ [~d1ggy@f051249174.adsl.alicedsl.de] has quit [Quit: Leaving] | 22:04 | |
roconnor | gmaxwell: h | 22:04 |
roconnor | i | 22:04 |
roconnor | hi | 22:04 |
-!- Grishnakh [~grishnakh@dsl-espbrasgw1-50dfb6-218.dhcp.inet.fi] has quit [Read error: Connection reset by peer] | 22:28 | |
-!- jps [~Jud@68.34.201.156] has quit [Quit: jps] | 22:29 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 22:54 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has quit [Ping timeout: 264 seconds] | 23:00 | |
-!- HaltingState [~HaltingSt@unaffiliated/haltingstate] has quit [Quit: Leaving] | 23:00 | |
-!- moa [~kiwigb@opentransactions/dev/moa] has quit [Ping timeout: 244 seconds] | 23:01 | |
-!- vmatekole [~vmatekole@f048217193.adsl.alicedsl.de] has joined #bitcoin-wizards | 23:07 | |
-!- jtimon [~quassel@34.pool85-59-141.dynamic.orange.es] has quit [Ping timeout: 245 seconds] | 23:10 | |
-!- maaku [~quassel@173-228-107-141.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards | 23:12 | |
-!- maaku is now known as Guest17958 | 23:13 | |
-!- Guest17958 is now known as maaku | 23:16 | |
-!- zooko` [~user@c-75-70-204-109.hsd1.co.comcast.net] has joined #bitcoin-wizards | 23:22 | |
-!- zooko [~user@c-75-70-204-109.hsd1.co.comcast.net] has quit [Ping timeout: 244 seconds] | 23:23 | |
-!- e1782d11df4c9914 [~e1782d11d@cpe-66-68-54-206.austin.res.rr.com] has quit [Ping timeout: 255 seconds] | 23:31 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-daaiswjpjhaprayq] has joined #bitcoin-wizards | 23:32 | |
-!- orwx [~orw@bzq-148-168-31-177.red.bezeqint.net] has quit [Ping timeout: 240 seconds] | 23:44 | |
-!- o3u is now known as Fistful_of_Coins | 23:55 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-daaiswjpjhaprayq] has quit [Ping timeout: 264 seconds] | 23:57 | |
-!- e1782d11df4c9914 [e1782d11df@gateway/vpn/mullvad/x-szilpzofdfehfhzm] has joined #bitcoin-wizards | 23:58 | |
--- Log closed Sat Jan 03 00:00:11 2015 |
Generated by irclog2html.py 2.15.0.dev0 by Marius Gedminas - find it at mg.pov.lt!