01:28:01 maaku is now known as Guest58076
03:52:30 Guest58076 is now known as maaku
13:46:48 nsh- is now known as nsh
19:14:15 nxt yet another big-claim-alt? 100% proof of stake in their case and its own block chain, no source code so far. all very confusing. claimed market cap > mastercoin already $100mil http://coinmarketcap.com/ i guess those market caps could do with some market depth caveats really
19:15:06 for the solidcoin spectators https://nextcoin.org/index.php/topic,104.0.html
19:15:17 adam3us: it's pre-listed on a regular old web exchange
19:15:59 yes it's unclear what if anything the price on dgex.com means - could be manipulated and controlled by nxt devs with ~0 mkt depth
19:16:03 presumably with withdrawals eventually being handled via a premine
19:16:57 maaku: 71 "investors" donated a total of 21 btc < 1 month ago and yet the claim it has a market cap of $100m... ha ha
19:17:01 personally, I never understood the utility of proof-of-stake mining in any fraction
19:17:29 especially when subsidies are involved ... all sorts of bad incentives
19:17:45 about all it's done is distract people from the real utility of PoS
19:18:17 maaku: well superficially it sounds interesting that eg ppcoin claim that for self interest someone holding 10% of stake would not want to double spend or he'd damage value of his own holdings. however, then there is an unfair mining advantage to the stake holders which is a diff problem
19:19:12 adam3us: yes, but the way to achieve that control is to allow the PoS participant to vote on something akin to a checkpoint
19:19:53 not to have some sort of protocol-level conversion metric between stake and hashpower
19:19:59 maaku: i presume u mean effectively different votes for validity vs reward
19:20:56 adam3us: i mean a different protocol for considering best block which takes into account out-of-band stakeholder votes
19:21:11 maaku: well nxt is 100% stake.. not sure if that even quite makes sense. the stake was bought for 21 btc in the last month!
19:23:24 I thought this was um, interesting or funny or weird or dangerous or something, "Moreover, the developers have purposefully introduced three security flaws into the source code that they will be releasing, as a means of encouraging the community to scrutinize the code and to prevent people from creating copies of Nxt by simply taking the source code and re-using it. People who discover the security holes will be able to claim rewards for fin
19:23:30 http://nxtcrypto.wikia.com/wiki/FAQ
19:24:45 maaku: i was thinking maybe one could have a trusted server for simulating alts. rent virtual "VPS" resources. buy virtual "ASICs" and so on, the actual money goes to charity or btc QA or something. then it's green. and it doesn't matter if it's centralized because dogecoin grade alts have largely no tx anyway.
19:25:13 there was a game that did that, but it's gone now
19:25:58 it had an internal exchange and you could make your own coins too etc and "virtually" mine them without really mining or using electricity
19:27:50 pigeons: seems like a lower energy sandbox for dogecoin, shitcoin et al to play in, pity it died
19:28:47 yeah it added simulated pools when they came along and you could run your own mining pool without having to get ddosed
19:29:04 you could virtually pre-order your asics and virtually never get them
19:30:02 pigeons: fantastic
19:31:35 he sold the code before he closed to a guy who was in over his head and couldn't keep it running but i think at this point it wouldn't really help, best to just start with your own bugs instead of someone else's
19:32:14 $1k by end of year ;)
19:32:17 ?
19:36:42 heh hash rate went over 10 PH and now the format is confused 1.045E7 https://blockchain.info/q/hashrate
19:42:23 EasyClaus is now known as EasyAt
20:17:33 someone asks in ##crypto why ripemd-160 is used for addresses rather than just a truncation of sha-256 output
20:17:37 i'm not sure how to answer...
20:20:24 because the great satoshi said so
20:21:24 retroactive reason: because breaking sha-256 doesn't mean a break of the address format, meaning coins would still be secure
20:21:29 * nsh prostrates before the ceremonial altar
20:21:40 mmm
20:21:48 obviously lots of other things would have to change if sha256 was broken, but you could still keep the same ledger
20:22:18 right
20:28:22 Zerith has left #bitcoin-wizards
20:34:41 maaku: that's not so clear, if you can do sha256 collisions then you also have collisions for Bitcoin addresses (though i'm not sure how to use it to attack), and if you can do 2nd-preimage attack on sha256 then you can steal coins if someone re-uses an address
20:37:19 an answer on stackexchange says that it's just "belt and suspenders" approach: http://bitcoin.stackexchange.com/questions/9202/why-does-bitcoin-use-two-hash-functions-sha-256-and-ripemd-160-to-create-an-ad
20:39:00 gmax suggested that using a second hash function would guarantee that addresses still have a uniform distribution, while truncated-sha is not proven to have this property
20:39:28 well, not just the distribution, preimage resistance as well
20:40:44 hmm not sure what you mean by proven, there are no rigorous proofs for heuristic constructions like sha2
20:41:19 true, i guess what i mean is "commonly believed"
20:41:25 if sha2 is computationally indistinguishable from a random oracle, then truncated-sha2 is fine
20:42:04 sure, but this isn't true because eg there are length extension attacks
20:42:09 which distinguish it from a random oracle
20:42:28 not for sha256d
20:43:17 yeah -- and mining even depends on sha256d looking like a random oracle
20:43:33 so tbh i am just as confused by the ripemd usage as anybody
20:46:27 andytoshi: as I said, if a weakness is found in sha256, it is more likely to be able to be applied to sha256^2 than ripemd160(sha256())
20:47:08 another question is why not just use the full 256 bits of sha256d, then you get an even better benefit of 256 bits of security if you don't re-use addresses, instead of 160 bits... the drawbacks are more bloat on the blockchain, and longer addresses for people to use
20:47:15 so therefore, it's more likely that the current setup would protect users even in a catastrophic break of sha256
20:47:55 iddo: even 160 bits is excessive. the birthday paradox doesn't apply here
20:47:57 maaku: but what if a weakness is found in ripemd-160 ... ?
20:48:32 iddo: nothing happens unless a weakness is found in ripemd-160 AND sha-256
20:48:43 it's additive security
20:50:55 maaku: no, if you have 2nd-preimage attack on ripemd-160, then just create fresh ECDSA keypairs + sha256 hash, in a way that you get the same image (i.e. the 2nd-preimage attack) as someone else's Bitcoin address, and then steal his coins
20:52:02 well actually it's not clear, depends how the 2nd-preimage attack works
20:52:03 you'd have to get a preimage for the sha256 as well
20:52:30 if you can 2nd-preimage SHA256 then i think you've got a problem, because if you can get the same SHA256 hash, it won't matter that you apply RIPEMD-160 on top of it
20:52:40 but this is only a concern if you know the pubkey that you are trying to preimage
20:53:16 pubkey whose image you are trying to duplicate*
20:54:04 but until you spend a coin with a certain address, you don't expose the pubkey (or even its SHA256 hash), so you're ok in the case of no address reuse
20:54:21 if you just find 2nd-preimage of random pubkey, then it wouldn't help you because you wouldn't know the corresponding privkey
20:55:16 oh, right, derp
20:57:52 i actually don't really see how either sha2 or ripemd 2nd-preimage attacks can be done in this context (i.e. in the context where you create random-looking pubkeys that are supposed to be the preimage, by invoking the ECDSA keygen)
22:20:38 EasyAt is now known as EasyBaubles
22:59:31 EasyBaubles is now known as EasyNog