00:01:39 bizzle has joined #bitcoin-wizards
00:05:12 [Global Notice] Happy new years to all those people following fST (or UTC)
00:12:13 jtimon has quit
00:14:58 nOgAn0o has joined #bitcoin-wizards
00:14:59 nOgAn0o has quit
00:17:15 nOgAn0o has joined #bitcoin-wizards
00:44:31 Is there any trustless way to pay someone in BTC to mine an altchain that is inherently worthless? (specifically I was wondering if you could subsidize merged mining of a votecoin))
00:49:31 i suppose you could make some shitty system that bloats the fuck out of bitcoin because they wont merge mine a specialised votecoin
00:50:14 but i dont think we really know how reluctant the poolops are to merge mine something decent because no ones ever tried
00:50:14 adam3us has joined #bitcoin-wizards
00:51:01 Emcy: I don't really want to use the bitcoin blockchain. A new blockchain could be created cheaply and be disposable.
00:51:26 well thats a refreshing attitude
00:53:29 Emcy: anonymous voting would require many coinjoins and coinswaps. If there were millions of voters, the election could cost millions of dollars in bitcoins
00:54:07 with all the transaction costs. Not much of a point.
00:54:38 i wonder how much those shitty diebold contracts cost
00:54:59 did you work out how to issue votes anonymously
00:55:08 *issue ballots
00:56:13 Emcy: everyone gets a vote, everyone has a public bitcoin address associated with their name.
00:56:27 Coinswaps and coinjoins are used to anonymize the votes
00:56:48 then when everyone has sufficient anonymity, they to 1ALGORE or 1GEORGEBUSH
00:56:56 *they pay to
00:57:41 I just wish I could pay someone automatically in bitcoins for finding a block without a central authority
01:00:04 what about vote selling
01:00:34 justanotheruser: thats really dumb. sorry, it's often repeated enough you should have seen other people calling it out.
01:00:48 Bitcoin is not a jamming resistant network. Congrats you just let the miners decide the election outcomes.
01:01:15 gmaxwell: What do you mean by jamming resistant
01:01:43 Emcy: That is possible without decentralized voting (but I agree, this makes it easier)
01:02:05 oh yeah hes right
01:02:46 gmaxwell: timelock crypto can be used to circumvent miner censorship of votes in some conditions
01:02:56 i think when i first brought up some sort of votecoin was years ago back when i still thought every responsible citizen could have a miner in the cupboard
01:02:59 Blocks could be rejected if they didn't include a certain number of transactions
01:04:29 justanotheruser when youre talking about elections there are incentives which easily override money concerns
01:04:42 justanotheruser: now you've turned pow mining into a weird pow/proof-of-stake/proof-of-sacrifice combo, doesn't necessarily help re: elections
01:04:56 in the money/power chicken and egg game, power always came first
01:05:25 petertodd: What? How is there any proof of stake/sacrifice?
01:05:48 justanotheruser: the transactions - how do you distinguish a "legit" tx from one the miner made?
01:06:39 petertodd: network rule that only allows a coin to be transacted a certain number of times
01:07:27 justanotheruser: right, so by including a transaction you have sacrificed someone, hence, it's proof-of-sacrifice
01:08:00 petertodd: how have I sacrificed someone?
01:08:28 justanotheruser: you sacrificed something, coinage, or coins, or whatever scheme you decide to use
01:09:20 petertodd: to get a block you have to have done a PoW with a certain number of transactions. The miners have no sacrifice
01:09:44 Emcy has quit
01:10:05 justanotheruser: something was sacrificed, or miners can stuff the block full of their own transactions at zero cost
01:10:27 Emcy has joined #bitcoin-wizards
01:10:27 Emcy has quit
01:10:27 Emcy has joined #bitcoin-wizards
01:10:48 justanotheruser: anyway, this works for voting: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03524.html
01:10:50 petertodd: The miners can only have a limited number of transactions
01:11:12 justanotheruser: limited how?
01:11:43 petertodd: because everyone only gets one votecoin and they only can be transacted 100 times from the coinbase
01:12:04 bizzle has quit
01:12:06 justanotheruser: dude, wtf. you are trying to employ bitcoin to do one of the things it doesn't really do at all— antijamming. If you can assign ballots to people the voting process is largely done, nothing hard remains.
01:12:32 gmaxwell: anonymizing remains
01:12:42 (well, except anti-coercion is basically impossible in an online voting context)
01:12:43 justanotheruser: there are much better ways to anonymize votes
01:13:04 anonymizing is kinda pointless if you don't generally have anti-coercion, but anonymizing is trivial, go look up "reencryption mix"
01:13:05 petertodd: anything other than zerocoin of a central authority?
01:13:12 electronic voting is a _very_ well studied subject.
01:13:16 justanotheruser: this has been a "sexy" problem in crypto for years, and people way smarter than any of us have spent whole phds on the subject
01:14:00 invoking bitcoin for it is just a redneck suggesting his trusty shotgun as a solution to multivariate calculus. :P
01:14:18 Bitcoin solves an entirely unrelated problem, and it doesn't solve the important problems in voting.
01:14:22 justanotheruser: if you need decentralized consensus about the results of a vote then blockchains can make sense, but rarely do you need that
01:14:24 Is there another decentralized voting method?
01:14:40 adam3us has quit
01:14:51 justanotheruser: so why is this vote required to be "decentralized", and what do you mean by that term?
01:15:24 petertodd: I would like it to be decentralized because it prevents vote manipulation and what's happening in Russia.
01:15:27 justanotheruser: what you were suggesting didn't sound decentralized. But assuming you get as far as somehow giving ballots to voters, there are systems which are no less decentralized than bitcoin.
01:15:52 justanotheruser: how do you plan on giving each person one ballot without someone getting 500 in a decentralized manner?
01:16:12 Emcy has quit
01:16:26 justanotheruser: right, so you're applying this voting scheme to a typical thing where the list of voters is already defined by a central authority, so you don't need blockchains - existing crypto works just fine
01:16:27 gmaxwell: That is centralized, but you can verify that someone isn't getting too many votes, no votes, or that imaginary people are getting votes.
01:16:49 justanotheruser: you can't with crypto - those are all human problems
01:16:52 Emcy has joined #bitcoin-wizards
01:16:54 okay if you can do that you can just apply the mountains of evoting lit.
01:17:34 petertodd: Yes it is
01:17:40 *Yes they are
01:17:52 Emcy has quit
01:17:56 justanotheruser: I mean, once you solve the problem of figuring out who the voter list is, you can start using crypto, but you already have a central authority so standard algorithms and techniques work - they don't use blockchains
01:18:31 Emcy has joined #bitcoin-wizards
01:18:33 and blockchains don't work, because you get crap like "a majority of hashpower can rig the election" which is undesirable to a high degree.
01:19:12 gmaxwell: yes, unless the voter list is defined in terms of hashing power :P
01:19:16 I do kinda like idea of using OWAS to create a jamming proof communications mesh, I don't think I've seen that proposed outside of #-wizards.
01:19:27 petertodd: yea okay, sure you can just leave out the voters list then... miners decide. :P
01:19:56 gmaxwell: more seriously, with my timelock thing you *can* do a vote with well-defined limits for how easy it is to rig the election
01:20:25 OWAS?
01:20:31 gmaxwell: yes, that was my original problem, I wanted to have the merged mining to be paid in bitcoin somehow. This would increase the number of miners and prevent 51% (hopefully)
01:20:41 fagmuffinz: One Way Aggregatable signatures.
01:20:49 donka
01:20:54 Emcy has quit
01:20:57 fagmuffinz: cryptographic signatures which you can merge and still validate, but you cannot unmerge.
01:21:33 Emcy has joined #bitcoin-wizards
01:21:45 fagmuffinz: so e.g. you give me your vote and I merge in the vote I have (which is a merge of petertodd and mine) and then we pass it on.. and someone can't later pick apart our votes to only include yours in the election, unless they get a clean copy of yours from you.
01:22:13 I looked up your previous explanation =]
01:22:31 Would be decent for building the mesh
01:23:42 well my thought is that politics often follow social lines, so you could still perhaps rig, but it would be highly detectable when virtually all of the votes for one candidate disappear. :P
01:24:01 petertodd: but how do you have a timelock system that isn't at the DoS-mercy of the person running the timelock?
01:24:19 Yea, still, it's not quite the long-term solution yet
01:24:48 There's probably no good way, without centralized trust, to resolve that issue
01:25:04 fagmuffinz: oh nah, in most cases the voting systems don't really need jamming free communication. what they do is make it easy to check what votes are included before the count, and then trust that if your vote is omitted you will scream from the hilltops.
01:25:30 Yea, that'd be sufficient
01:25:33 e.g. disenfranchisement is detectable.
01:25:36 Assuming good citizenry
01:25:39 Yea
01:25:40 which works in democracy, but not automated consensus systems
01:25:55 maaku: read the paper, it's not a central timelock, just a sequential hard algorithm
01:26:10 Yea, guaranteeing that your vote made it after the count is sufficnet
01:26:13 sufficient ***
01:26:14 maaku: obviously cracking the timelock is computationally intensive of course
01:26:47 petertodd: Is a timelock explanation above?
01:27:05 fagmuffinz: only if there is repercussions for cheating
01:27:18 if a citizen doesn't care if his vote is counted, it's not really disenfranchisement.
01:27:29 in some applications - PoS vote on validation rules, for example, it is useless to complain
01:27:54 Voting is a social system
01:28:17 Separate from guaranteeing existence in something
01:28:17 the votes drive some consensus process, and there's no way to back out other than to abandon the whole system, which would be a successful DoS outcome
01:29:07 DoS is a universal threat that you have to accept upon automating this shit
01:29:50 The only sure way of mitigating DoS is having enough infrastructure
01:30:00 fagmuffinz: not necessarily in a decentralized system
01:30:21 for example: Bitcoin is very difficult to DoS
01:30:43 petertodd: ok i understand, it just makes decrypting have a cost
01:30:55 Hence you're trying to use it for voting
01:31:12 Correct?
01:31:53 fagmuffinz: that's not the reason I want to use it for voting. It's more to verify that everyone who got a vote had their vote counted.
01:32:40 petertodd: if some joker puts a ballot in that is ill-formed, junk, or encrypted with different key, it would be nice to have a compact, quickly verified proof of that
01:35:24 maaku: yeah, that's a very interesting crypto problem actually, I suspect it may be incompatible with the sequential-hard scheme
01:36:21 justanotheruser: Are you just inquiring or do you have some partial plan? I'm thinking about what gmaxwell put forward in terms of aggregating a single score for verification...
01:36:32 petertodd: i have a rather near term application if a jamming-resistant proof-of-stake voting scheme can be found
01:36:52 You could tell your vote made it into the list
01:37:04 maaku: of course the whole thing is dependent on the fact that the fastest sequential implementations of a lot of algorithms are reasonably close to each other in performance - off-the-shelf is basically the best you can get within an order of magnitude
01:37:08 maaku: oh yeah?
01:37:10 You'd need to take additional steps to ensure the list was properly counted
01:37:32 fagmuffinz: Is it possible to do that anonymously?
01:37:47 yeah, demurrage distribution - "repbulicoin". i forget if I've told you about it already
01:38:56 maaku: ah yeah, that'd work
01:38:58 demurrage distributed according to forced coinbase payments determined by a proof-of-stake vote on a jamming-free ledger
01:39:09 maaku: damn expensive those in terms of cpu-power
01:39:12 i got it worked out up to the jamming-free part :\
01:39:26 s/those/though/
01:39:45 yeah, hence the need for cheap verification..
01:40:00 i'm okay with votes being expensive, but validating nodes that count the votes need to be cheap
01:40:01 yup, and I'm pretty sure that's been proven to be impossible
01:40:35 well you could do it with gmaxwell's ticking timelock pow for example
01:40:38 obviously you can easily pass around the decryption keys proving a vote exists, but not the other way around
01:40:42 so there's an existence proof
01:40:56 oh you mean the cheap validation
01:41:14 darn
01:41:30 well keep in mind that part of the reason why the scheme can work if embedded in otherwise-normal looking transactions is that miners would (in theory) find it too expensive to just block all transactions
01:42:07 the moment you have a "well-known" place where the vote would be recorded it becomes much easier for miners to rig the vote
01:43:05 MoALTz__ has joined #bitcoin-wizards
01:46:41 MoALTz_ has quit
01:48:34 yes it would have to be either steganographically encrypted, or taken out of the miners hands
01:50:09 justanotheruser: you could have people agree to some protocol that would operate the same way some central authority would, and if compliance with that protocol can be algorithmically guaranteed, then you could decentralize it
01:50:22 Thinking on that algorithm
01:55:21 I mean, you don't need a proof of work for it at all
01:55:28 If you actually count the vote right...
01:55:35 There's no incentive to keep recounting it
01:55:42 All you care about is verification
01:55:57 Which is easily agreeable in a shared protocol
01:56:05 fagmuffinz: how do you do this anonymously?
01:56:32 while verifying that everyone who started with a vote, and only those that started with a vote are counted
01:56:47 That's harder
01:56:54 First part is easy, just random key generation every time
01:57:05 Now you're asking about assigning people keys
01:57:25 Let's say...
01:57:33 Everyone agreed to do a shamir's secret sharing algo
01:57:47 And you could generate M keys...
01:57:55 fagmuffinz: If the central authority can make 10000000 votes for themselves, then it is no better than the current situation
01:58:53 The M keys could be applicable to use, then, for signing given enough length
01:59:23 Thinking about retooling shamir's
02:00:21 I think this would work...
02:00:44 When assigned keys, you either need to say who you gave them to, which would remove anonymity, or not say, which would allow them to make as many votes as they wanted
02:00:44 Is it important to outside parties to verify the result of an election?
02:00:56 No
02:00:59 I've already gotten past that
02:01:25 What, using shamir?
02:01:29 Yea
02:01:31 I've got it actually
02:01:37 As long as outside parties don't need to vote
02:01:43 Or verify
02:01:45 Whatever
02:01:52 How would you use shamirs for voting?
02:01:56 lmfao
02:02:01 God, that's gorgeous
02:02:02 Ok
02:02:12 Let's say there's a blockchain that starts with some initial seed
02:02:21 Everyone shamir's secrets that seed
02:02:27 And generates M keys to vote with
02:02:49 Encrypt this initial seed with the key Shamir's secret sharing generates
02:03:02 Save it as the next seed for the next "voting block"
02:03:10 Everyone who's in knows it
02:03:23 Those people then use their M keys to cast a vote
02:03:27 Moot after that point
02:04:22 You could add people potentially
02:04:31 Everyone agrees that each key also gets to elect one new person to join
02:05:38 Eh...
02:05:38 Fuck
02:05:39 Sec
02:06:38 fagmuffinz: Wouldn't everyone know everyone elses votes if there was a shared seed that was the other half of everyones secret?
02:06:54 Yea
02:06:59 But you can make that pseudonymous
02:07:44 So there are pseudonyms associated with the votes? Meaning the votes aren't guaranteed to be associated with a person?
02:07:51 Correct
02:07:59 The issue I'm running into right now mentally...
02:08:16 Is ensuring the keys generated that suffice shamir's secret sharing...
02:08:25 Can be isomorphic to a private/public key pair...
02:08:34 Or guarantee some private/public key pair
02:12:20 If p and q were your public/private key pair
02:12:25 You could do something like...
02:12:30 G = p^q
02:12:43 Then sign G with p
02:13:04 Or...
02:13:07 One of the M keys
02:13:11 Sign (G,p)
02:13:54 All of this modulo some N
02:21:23 K, scratch part of that. All that's necessary to ensure that whoever had the key actually cast the vote is signing off a (p,N) message with one of the shamir's keys, for a p/q mod N public/private key pair. I currently have no way of guaranteeing good behavior to those included in the vote, aside from the protocol penalizing them during the next voting round(s)
02:27:30 Is that sufficient?
02:30:12 brisque has joined #bitcoin-wizards
02:33:44 bizzle has joined #bitcoin-wizards
02:38:44 bizzle has quit
02:39:15 bizzle has joined #bitcoin-wizards
02:40:07 sorry, I was away, you still there fagmuffinz
02:40:48 yea
02:41:53 I don't really understand what you mean by penalizing them
02:42:40 brb
02:43:57 bizzle has quit
02:50:01 justanotheruser has quit
03:06:26 justanotheruser has joined #bitcoin-wizards
03:11:27 justanotheruser has quit
03:12:01 justanotheruser has joined #bitcoin-wizards
03:23:54 justanotheruser has quit
03:23:55 justanotheruser has joined #bitcoin-wizards
04:40:21 I'm not exactly sure what I mean either thinking about it
04:40:25 Or any good way of enforcing it
04:40:52 The issue is in verifying everyone else's key in the SSS (Shamir Secret Sharing), you could easily use any of their keys to vote
04:41:52 So you're assuming good behavior amongst the voting population
04:41:54 That's probably a no-no
05:13:57 nOgAn0o has quit
05:16:31 nOgAn0o has joined #bitcoin-wizards
05:17:52 nOgAn0o has quit
05:20:56 nOgAn0o has joined #bitcoin-wizards
05:20:57 nOgAn0o has quit
05:21:07 nOgAn0o has joined #bitcoin-wizards
05:21:08 nOgAn0o has quit
06:15:46 fagmuffinz: man you have a terrible nickname
06:18:42 fagmuffinz: I'm not sure what you're trying to accomplish, I missed the history.
06:19:47 gmaxwell: It was the voting thing again.
06:28:34 nOgAn0o has joined #bitcoin-wizards
06:35:21 midnightmagic, maybe he likes his muffinz with fags
06:35:31 although that sounds a bit gritty
10:26:57 <_ingsoc> _ingsoc has joined #bitcoin-wizards
10:27:49 iddo has quit
10:32:09 adam3us has joined #bitcoin-wizards
10:49:43 bizzle has joined #bitcoin-wizards
10:54:20 bizzle has quit
11:27:53 <_ingsoc> _ingsoc has quit
11:28:51 <_ingsoc> _ingsoc has joined #bitcoin-wizards
11:46:43 adam3us has quit
12:02:24 nOgAnOo has joined #bitcoin-wizards
12:04:21 nOgAn0o has quit
12:06:34 nOgAnOo has quit
12:06:39 nOgAn0o has joined #bitcoin-wizards
12:12:59 BlueMatt has quit
12:13:03 go11111111111 has quit
12:19:29 adam3us has joined #bitcoin-wizards
12:24:56 <_ingsoc> _ingsoc has quit
12:34:38 <_ingsoc> _ingsoc has joined #bitcoin-wizards
13:03:33 adam3us has quit
13:13:44 jtimon has joined #bitcoin-wizards
13:14:58 MoALTz__ has quit
13:15:23 MoALTz has joined #bitcoin-wizards
13:18:39 adam3us has joined #bitcoin-wizards
13:20:28 TD has joined #bitcoin-wizards
13:55:23 iddo has joined #bitcoin-wizards
14:05:47 jtimon has quit
14:49:44 hnz has quit
14:53:54 hnz has joined #bitcoin-wizards
14:59:49 iddo has quit
15:10:39 BlueMatt has joined #bitcoin-wizards
15:20:26 MoALTz has quit
16:09:02 hnz has quit
16:13:44 jtimon has joined #bitcoin-wizards
16:14:45 hnz has joined #bitcoin-wizards
16:23:28 brisque has quit
16:26:37 <_ingsoc> _ingsoc has quit
16:27:14 <_ingsoc> _ingsoc has joined #bitcoin-wizards
16:27:27 adam3us has quit
16:30:05 MoALTz has joined #bitcoin-wizards
16:52:18 bizzle has joined #bitcoin-wizards
16:56:39 bizzle has quit
17:17:06 jtimon_ has joined #bitcoin-wizards
17:18:28 jtimon has quit
17:19:36 bizzle has joined #bitcoin-wizards
18:22:50 jtimon_ has quit
18:44:11 bizzle has quit
18:44:44 bizzle has joined #bitcoin-wizards
18:49:15 bizzle has quit
18:50:15 jtimon has joined #bitcoin-wizards
19:11:07 bizzle has joined #bitcoin-wizards
19:11:59 iddo has joined #bitcoin-wizards
19:38:17 can Grover's algorithm be used for quantum mining?
19:39:23 sure, in theory, if there existed hardware that could run it.
19:40:39 it's only a sqrt speedup. It would unhinge the difficulty update somewhat. (though if it got far out of wack it would still have quadratic convergence)
19:40:59 <_ingsoc> _ingsoc has quit
19:41:25 <_ingsoc> _ingsoc has joined #bitcoin-wizards
19:44:47 Some FUD on lesswrong about quantum computing leading to centralization
19:45:39 No tech breakthroughs are needed for human behavior to cause centralization.
19:46:32 heh, yeah
19:49:46 I don't see where that conclusion comes from, unless it's just some assumption that only one party will have access to the faster miner.
19:50:01 gmaxwell: yes, that's the (ridiculous) assumption
19:50:29 Not only that— It's quite likely that should someone successfully use Grover it'll be _slower_ for some time. Simply because the quantum machine runs at 100khz or whatever.
19:50:48 that someone will invent a quantum computer capable of doing more work than the entire bitcoin network
19:51:30 wump has joined #bitcoin-wizards
19:51:37 edulix_ has joined #bitcoin-wizards
19:51:47 isn't the "quadratic speedup" irrelevant when considering sha 256?
19:52:13 it's quadratic only for large enough problems
19:52:20 but the problem size is fixed in this case
19:53:00 rs0 has joined #bitcoin-wizards
19:54:04 maaku: lesswrong link? istm that any non-infinite speedup would be covered by the difficulty algo
19:54:16 Sybil successfully Sybil-attacked psychiatrics: http://www.npr.org/2011/10/20/141514464/real-sybil-admits-multiple-personalities-were-fake
19:54:20 Sangheil- has joined #bitcoin-wizards
19:54:48 Alanius: the quadratic speedup is about finding a preimage
19:55:17 ... isn't that what Grover's algorithm does?
19:55:29 yes
19:55:45 bizzle has quit
19:56:23 bizzle has joined #bitcoin-wizards
19:56:40 Graet has quit
19:57:03 K1773R_ has joined #bitcoin-wizards
19:57:08 andytoshi: http://lesswrong.com/r/lesswrong/lw/je7/a_proposed_inefficiency_in_the_bitcoin_markets/a8xl
19:57:16 Graet has joined #bitcoin-wizards
19:57:26 Alanius: right, it's only quadratic if you see the size of the hash output as variable
19:58:18 wumpus has quit
19:58:18 rs0_ has quit
19:58:18 K1773R has quit
19:58:18 edulix has quit
19:58:18 Sangheili has quit
19:58:55 sipa: is it correct to think of mining that way,
19:58:59 K1773R_ is now known as K1773R
19:59:36 "find a SHA16 preimage of 00", then a SHA32 preimage of 0000, and so on
20:00:41 I guess you could devise a variant of Grover's algorithm that finds a partial collision instead of a full one, and you'd probably see that quadratic speedup with regards to the inverse of the target :)
20:01:05 bizzle has quit
20:02:00 Alanius: yeah, that's what i'm trying to say
20:02:32 jtimon_ has joined #bitcoin-wizards
20:03:11 right, it's grover on truncated double sha256, with variable truncation length
20:07:30 Alanius: If you're saying that you're going to find complete preimages (size at maximum) then the work factor is still 2^128, which is infeasible.
20:09:04 jtimon has quit
20:24:39 andytoshi has quit
20:38:52 bizzle has joined #bitcoin-wizards
20:46:29 Dylan_ has quit
20:46:59 andytoshi has joined #bitcoin-wizards
20:48:52 harrow has quit
20:50:42 Furioshonen has joined #bitcoin-wizards
20:56:24 harrow has joined #bitcoin-wizards
21:54:33 mappum has joined #bitcoin-wizards
21:54:56 bizzle has quit
21:55:31 bizzle has joined #bitcoin-wizards
21:59:50 bizzle has quit
22:05:23 adam3us has joined #bitcoin-wizards
22:06:53 bizzle has joined #bitcoin-wizards
22:07:15 bizzle has quit
22:29:59 go11111111111 has joined #bitcoin-wizards
22:39:47 mappum has quit
23:02:29 <_ingsoc> _ingsoc has quit
23:22:04 TD has quit
23:23:15 adam3us has quit
23:52:11 go11111111111 has quit
23:52:55 go1111111 has joined #bitcoin-wizards