00:02:06 DougieBot5000 has quit 00:02:22 eristisk has quit 00:02:49 eristisk has joined #bitcoin-wizards 00:03:46 orperelman has quit 00:08:19 eristisk has quit 00:08:58 eristisk has joined #bitcoin-wizards 00:14:16 eristisk has quit 00:14:47 eristisk has joined #bitcoin-wizards 00:17:04 shesek has quit 00:17:48 shesek has joined #bitcoin-wizards 00:18:49 eristisk has quit 00:19:19 eristisk has joined #bitcoin-wizards 00:49:32 adam3us1 has quit 00:50:02 adam3us1 has joined #bitcoin-wizards 00:51:01 eristisk has quit 00:51:37 eristisk has joined #bitcoin-wizards 00:56:38 adam3us has quit 00:59:25 eristisk has quit 00:59:31 adam3us1 has quit 00:59:55 eristisk has joined #bitcoin-wizards 01:02:15 Taek42 has joined #bitcoin-wizards 01:03:58 eristisk has quit 01:04:39 eristisk has joined #bitcoin-wizards 01:08:52 eristisk has quit 01:09:23 eristisk has joined #bitcoin-wizards 01:09:59 adam3us has joined #bitcoin-wizards 01:14:45 spinza has quit 01:17:02 jtimon has quit 01:22:59 spinza has joined #bitcoin-wizards 01:31:12 eristisk has quit 01:31:13 blumenkraft has joined #bitcoin-wizards 01:45:58 blumenkraft has quit 01:46:42 blumenkraft has joined #bitcoin-wizards 01:50:52 blumenkraft has quit 02:07:33 ielo has joined #bitcoin-wizards 02:21:12 blumenkraft has joined #bitcoin-wizards 02:25:52 blumenkraft has quit 02:27:34 blumenkraft has joined #bitcoin-wizards 02:31:49 blumenkraft has quit 02:32:20 blumenkraft has joined #bitcoin-wizards 02:36:22 blumenkraft has quit 02:36:53 blumenkraft has joined #bitcoin-wizards 03:09:50 bitcoin's scripts are "written in a programming language called Script" 03:09:52 http://theumlaut.com/2014/01/08/bitcoin-internet-of-money/ 03:10:04 pretty good article though 03:18:20 nessence has joined #bitcoin-wizards 03:23:29 wumpus has quit 03:32:53 jgarzik: I'd concur with that statement.. :P 03:34:28 blumenkraft has quit 03:46:16 adam3us1 has joined #bitcoin-wizards 04:03:47 mappum has quit 04:05:58 adam3us1 has quit 04:14:06 adam3us1 has joined #bitcoin-wizards 04:34:17 mappum has joined #bitcoin-wizards 04:41:02 mappum has quit 04:53:45 jgarzik: if that's the grossest error they made, i'd say that's doing pretty well :) 04:59:23 lol 05:02:50 maaku_: what error? 05:03:25 that statement quoted is essentially correct 05:04:31 which is why i said it's pretty minor 05:04:50 more like bytecode than a programming language (which implies compilation) 05:05:03 and i don't know anyone who calls it Script with a capital S 05:05:07 meh, we have an assembly-like form :P 05:05:14 maaku_: it's not that uncommon 05:13:28 What do you guys recommend as a proof of sacrifice? Hashcash is more anonymous, but it doesn't work well (someone with a powerful hashing maching/GPU could make a ton of messages) and OP_RETURN associates the sacrifice with you to some extent and remove anonymity. Is there anyway I can get the best of both worlds? 05:14:34 ielo has quit 05:16:36 justanotheruser: depends on the application, if you'd really be willing to use hashcash, perhaps mine. 05:18:09 gmaxwell: perhaps mine? What do you mean by that. I wouldn't want to use hashcash if it allowed people with special hardware to spam the network with as much electricity spent as a regular CPU user. 05:18:36 Application is bitmessage fork that isn't vulnerable to the problem I just described 05:20:28 justanotheruser: zero knoweldge proof of a bitcoin sacrifice using pinocchio. 05:21:43 gmaxwell: is that bleeding edge crypto? 05:22:11 yea? so. and a flooding messaging system isn't? the harm of someone breaking it is they can flood your system, whoopiedo. 05:23:14 gmaxwell: I was just curious if there were any other applications in use, or if it was just knowledge from research papers 05:23:35 justanotheruser: I suggested pinocchio because you can go download an implementation. 05:25:19 gmaxwell: where would I find this? Every top google result is research papers and news 05:26:13 https://vc.codeplex.com/ 05:26:20 gmaxwell: thanks a lot 05:26:44 They've annoying ripped out the pairing library so one will need to be pached back in. 05:27:28 justanotheruser: in any case, I think bitmessage pow would be a great application for this. 05:30:11 gmaxwell: ofcourse your anonymity is limited to the recent proof of burns 05:30:17 right? 05:32:11 you make a sacrifice that contains X=H(random_value) and then to send a message you prove X is in a sacrifice of value >= Z in bitcoin (by evaluating a SPV proof for the transaction), and random_value is the preimage of X, and that Q=H(random_value||date||hour), and that R=H(random_value||pubkey). And you show the network the proof and Q,R,pubkey and sign your message with the pubkey. 05:32:54 you basically can get a new anonymous identity from each of your sacrifices once an hour, and then send however many messages the network will let you per identity (maybe just 1) 05:33:19 next hour you redo the proof with a new pubkey, and you have a new anonymous identity. 05:33:42 and you don't have to keep redoing sacrifices. 05:34:00 (unless you wanted to require that) 05:34:36 pubkey is separate from the pubkey I used to make the PoB right? 05:35:04 you wouldn't even need a ecdsa pubkey in the PoB, effectively H(random_value) is a pubkey in the proof of burn. 05:35:17 oh 05:35:25 You don't want to run ecdsa inside the zkp because its @#$@ expensive. Where running a hash inside the proof is more realistic. 05:35:42 what I mean by that is I use a pubkey to spend the output to OP_RETURN 05:36:24 yea, thats irrelevant. youd put H(random_value) in the OP_RETURN and the only thing the proof would look at is the txout value and H(random_value). 05:36:25 if that is the correct terminology, not sure what else you would call spending a transaction to something that always returns false 05:37:10 gmaxwell: I will be able to write stuff in OP_RETURN in v.9 right? 05:37:28 I'd say that even better than a scarifice would just be proving that you have possession of a bitcoin, but to do that you'd have to do a ecdsa signature inside the proof, and that would kinda suck. 05:37:57 justanotheruser: no 05:38:02 gmaxwell: I don't see how proving you have bitcoins would help in the future when everyone might be transacting bitcoins 05:38:10 Luke-Jr: whenever the miners vote on it? 05:38:15 justanotheruser: hopefully never 05:38:22 wtf. there is no "miners vote on it" 05:38:39 and there will never be an interface to do it in any sane client 05:38:49 as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out. 05:39:20 or at least cut it back to 32 bytes. 05:39:23 gmaxwell: I thought miners voted on whether or not they would mine a certain tx type and if a certain amount said yes it would be implemented and the miners would start mining it 05:39:29 Taek42 has quit 05:39:30 justanotheruser: no. 05:39:42 dunno where the heck you got that idea! 05:39:55 gmaxwell: some other fork I remember miners including their votes in their blocks 05:40:03 maybe it's because that was a hardfork? 05:40:05 there's no fork going on 05:40:09 at all 05:40:11 why are you talking about forks? 05:40:23 gmaxwell: Well isn't OP_RETURN an invalid tx? 05:40:29 no 05:40:30 No. 05:40:39 just a useless, spam tx 05:40:39 oh, well that's where I was getting that idea from 05:40:45 it's just not IsStandard 05:42:24 "So, with some reluctance, I recently merged pull request #2738 : “Relay OP_RETURN data TxOut as standard transaction type.”" - gavin andresen 05:42:36 So will it be standard in .9? 05:42:52 hopefully not 05:43:03 gmaxwell: also, how is it a sacrifice to prove you possess bitcoins? 05:43:04 21:38 < gmaxwell> as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out. 05:43:21 gmaxwell: oh, I missed that 05:44:26 justanotheruser: it's not, but what you want is a resource rate limiter. You want to give each user 1/Nth of the capacity, but since users are anonymous you need a way of to prevent a user from claiming that they are 100 users and gobbling it all 05:44:53 holding bitcoin at a particular instance of time is something that prevents unlimited cloning. 05:46:29 gmaxwell: I suppose an attack on the network would cost as much as in a system with PoB because they would have to create a large number of new addresses with coins and pay the tx fee for all those just like if they were doing a large number of burns 05:47:33 yea, well I think a real sacrifice is stronger, but it's not clear to me that something bitmessage like would need a real one, and just showing you were holding coins as of a daily txoutset snapshot would be easier to accept for users, I suspect. 05:48:03 in any case, I also think that because of the aformentioned ecdsa an actual sacrifice would be easier to implement. 05:48:57 gmaxwell: funny to see you promoting proof of stake btw :D 05:49:24 justanotheruser: PoS is fine, so long as you're not expecting it to operate its own consensus. 05:49:30 yeah 05:49:46 you could mine a PoS altcoin based on bitcoin holdings, you just can't the chain itself. :P 06:14:09 nOgAn0o has quit 06:54:56 nessence_ has joined #bitcoin-wizards 06:55:11 nessence has quit 07:39:08 roidster has quit 07:43:22 gribble has quit 07:55:15 gribble has joined #bitcoin-wizards 08:33:11 jron has quit 08:38:47 <_ingsoc> _ingsoc has joined #bitcoin-wizards 08:45:16 mappum has joined #bitcoin-wizards 08:45:42 <_ingsoc> _ingsoc has quit 08:46:21 <_ingsoc> _ingsoc has joined #bitcoin-wizards 08:50:41 nOgAnOo has joined #bitcoin-wizards 08:59:28 Taek42 has joined #bitcoin-wizards 09:09:56 Luke-Jr has quit 09:10:35 nOgAnOo has quit 09:10:46 Luke-Jr has joined #bitcoin-wizards 09:44:07 <_ingsoc> _ingsoc has quit 09:46:09 jtimon has joined #bitcoin-wizards 09:51:03 Luke-Jr has quit 09:51:23 Luke-Jr has joined #bitcoin-wizards 10:06:23 hnz has quit 10:11:41 hnz has joined #bitcoin-wizards 10:15:10 mappum has quit 10:42:04 nOgAnOo has joined #bitcoin-wizards 10:45:39 mappum has joined #bitcoin-wizards 10:50:27 <_ingsoc> _ingsoc has joined #bitcoin-wizards 10:52:11 mappum has quit 10:54:53 orperelman has joined #bitcoin-wizards 11:01:02 <_ingsoc> _ingsoc has quit 11:35:45 Manfred_Karrer has joined #bitcoin-wizards 11:37:12 Manfred_Karrer has quit 12:03:07 go1111111 has quit 12:12:54 kcla05 has joined #bitcoin-wizards 12:13:26 orperelman has quit 12:18:13 orperelman has joined #bitcoin-wizards 12:35:57 wumpus has joined #bitcoin-wizards 12:35:57 wumpus has quit 12:35:57 wumpus has joined #bitcoin-wizards 12:40:20 kcla05 has left #bitcoin-wizards 12:43:28 orperelman has quit 13:08:58 orperelman has joined #bitcoin-wizards 13:09:33 <_ingsoc> _ingsoc has joined #bitcoin-wizards 13:37:51 orperelman has quit 14:34:02 wumpus has quit 14:34:21 wumpus has joined #bitcoin-wizards 14:34:22 wumpus has quit 14:34:22 wumpus has joined #bitcoin-wizards 15:02:13 nsh has quit 15:22:16 roidster has joined #bitcoin-wizards 15:24:26 nsh has joined #bitcoin-wizards 15:27:37 DougieBot5000 has joined #bitcoin-wizards 15:38:31 nsh has quit 15:41:31 <_ingsoc> _ingsoc has left #bitcoin-wizards 17:03:59 spinza has quit 17:04:00 spin123456 has joined #bitcoin-wizards 17:08:13 spin123456 has quit 17:08:40 petertodd why does litecoin need a softfork? 17:08:47 spinza has joined #bitcoin-wizards 17:12:38 <_ingsoc> _ingsoc has joined #bitcoin-wizards 17:18:51 TD is now known as TD[gone] 17:21:11 spinza has quit 17:23:56 spinza has joined #bitcoin-wizards 17:29:19 spinza has quit 17:39:44 spinza has joined #bitcoin-wizards 17:45:21 spinza has quit 17:45:59 jtimon: to implement height in coinbase, and warren wants to see single-satoshi dust made unspendable 17:46:22 thanks 17:46:37 <_ingsoc> _ingsoc has left #bitcoin-wizards 17:46:43 so are they making a protocol antidust rule? 17:47:14 jtimon: yup, if nValue == 1 satoshi treat the output like a provably unspendable OP_RETURN 17:47:15 spinza has joined #bitcoin-wizards 17:47:32 is not only in isStandard, interesting 17:47:49 petertodd: why not 0 satoshi? 17:47:54 what makes 1 special? 17:48:34 jtimon: Note that this *isn't* because doing so will actually have a big impact on anything, but rather the argument is to do it "symbolicly" for future, more invasive, anti-dust efforts. 17:49:00 sipa: Litecoin had a bunch of 1 satoshi dust spam a while back, and it's conceivable that a future soft-fork feature might want to use 0-value outputs for something. 17:49:05 we haven't even make sub satoshi (sub-kria) outputs unspendable in freicoin. Yes, demurrage still applies to a single satoshi so you won't be able to spend it, but you may want to spend 0 coins? 17:49:26 adam3us1 has quit 17:50:23 Indeed, zero-output txouts could be used to implement a increased divisibility soft-fork for instance. 17:50:27 well, maaku was reluctanct to have any form of escheatment 17:50:53 yes, and we also plan to increase divisibility on freimarkets so... 17:51:55 Add nNewValue to transactions and define nSumValue = nNewValue + nValue, then do divisibility by moving value from nValue to nNewValue, which means you can re-combine sub-satoshi outputs, it's just that old clients can't see the fact you've done so. 17:52:12 spinza has quit 17:52:51 Note how this depends on the fact that miners can destroy coins forever rather than taking them as fees. 17:53:58 I think that's what we have in freimarkets 17:53:59 nValue :: int64 17:54:00 dValue :: decimal64 17:54:00 dValue = nValue * 10^369 17:54:08 Oh, interesting! 17:54:25 adam3us1 has joined #bitcoin-wizards 17:54:35 but maaku told me that gmaxwell told him we're not using nVersion as it was intended 17:54:40 how so? 17:54:51 I'm not sure I did understood that 17:54:58 how are you using it? 17:55:17 spinza has joined #bitcoin-wizards 17:55:29 for us version 2 are transaction with an additional refHeight, necessary for calculating demurrage 17:55:44 so all freicoin transactions are v2 17:55:55 is refHeight actually a different binary format? 17:56:01 and freimarkets introduces v3 with more modifications 17:56:13 it's an additional field 17:56:36 right, nVersion was meant to signify to *interpret* a otherwise backwards-compatible transaction differently 17:56:53 so if bitcoin were to adopt freimarkets, interest bearing assets could be moved with v2 transactions 17:57:39 ours aren't backward compatible, are hardfork changes 17:59:38 here's the commit that adds nRefHeight: https://github.com/freicoin/freicoin/commit/cee818350d857029e0e7148fece35646d479aea1 17:59:50 for instance P2SH could have been done with a nVersion bump 18:01:05 but some other version number was changed for that, no? 18:01:05 jtimon: right, you could have done that as a soft-fork 18:01:37 jtimon: no, that was done with voting by putting the string "P2SH" in the coinbase - not a great mechanism 18:02:00 jtimon: the "height in coinbase" soft-fork was a lesson learned there, and was done with a CBlock.nVersion bump. 18:02:30 jtimon: oh, sorry, and come to think of it the voting *wasn't* software evaluated 18:02:57 jtimon: IE, miners "voted", then a bitcoin was released that turned on P2SH on a specific day IIRC 18:03:10 eh, I might have to double-check the code for that, don't quote me :) 18:03:55 jtimon_ has joined #bitcoin-wizards 18:04:23 petertodd: "right, you could have done that as a soft-fork" what? adding the nRefHeight field? 18:04:50 anyway, the tx-nversion looked ideal for our changes, I'm not sure what we should use instead 18:05:05 jtimon_: yeah, you'd do it by just recording nRefHeight in a different datastructure that was stored along-side the block 18:05:18 no, no 18:05:32 the nRefHeight goes with EACH transaction 18:05:46 Yes, and along-side the block you store an nRefHeight array for each tx. 18:05:54 oh, I see 18:06:05 but... 18:06:12 that number has to be signed 18:06:25 it really belongs in the tx 18:06:53 jtimon has quit 18:06:54 See, what might be good is a hard-fork to allow arbitrary junk to go at the end of CTransaction's, and then forever after you could add new fields in soft-forks by bumping nVersion. 18:06:59 spinza has quit 18:07:00 spin123456 has joined #bitcoin-wizards 18:07:15 interesting 18:07:34 jtimon_: oh right, well, that's another thing: SignatureHash() should have been written so that the presence of unknown flags makes the signature always evaluate as true, so that new flags could be defined in soft-forks. 18:07:43 adam3us1 has quit 18:07:51 Additionally you need different OP_CODESEPARATOR there too, long story. :P 18:09:10 (well, actually, better to only define *some* of the unused flag bits as "return true") 18:09:39 (though an even better system wouldn't have a "all-in-one" CHECKSIG anyway, but I digress) 18:09:41 well, I think it was much simpler to just add the nRefHeight field after nLockTime (if I remember correctly, that's where it is) 18:09:53 sure, given you're doing a hard-fork 18:10:36 so there's no way to signal hardfork versions for transactions? 18:10:57 point is, if you're doing a hard-fork you don't have too really 18:11:26 well, it just simplifies the implementation, since older versions will still work the same 18:11:33 yeah, older code 18:12:46 petertodd: sig flags are set by the signer. So I write a txn with an unknown flag and freely spend your inputs. :P 18:13:34 I guess we will keep using the nVersions even if it wasn'te the purpose for a lack of a better alternative 18:14:13 shesek has quit 18:14:18 gmaxwell: gah, damn, that's right 18:14:31 shesek has joined #bitcoin-wizards 18:14:49 gmaxwell: yeah, guess that just leaves the OP_CODESEPARATOR solution so you can put arbitrary signed data in the scriptSig 18:15:36 the "junk-at-the-end-of-the-tx and nversion for softfork additional fields" is really interesting though 18:16:04 yup, basically you just need to hard-fork in a total-transaction-length field and then go nuts 18:17:18 you probably want OP_CHECKSIG to be made to include the *contents* of the extra data in the signature hash, which nicely can be done backwards compatibile - generally the extra contents are empty 18:17:54 though it'll make it impossible to prevent arbitrary data storage on the blockchain, as something like p2sh^2 intends to do 18:18:08 petertodd: on another subject I don't know if you saw my musing; wrt coinbase only pooling, if the payout is to some M of N keys, then shares could be submitted to N entities and they could share the shares to achieve a consistent state and then do consensus signing of payouts. So you can even distribute the payout trust in coinbase only mining. 18:18:29 shesek: if you genuinely make arbitrary data storing impossible you've probably made future soft-forks difficult to impossible 18:18:44 shesek: e.g. you need to change the signature algorithm, now what? 18:19:05 are all forms of transaction storage length prefixed though? 18:19:24 gmaxwell: ha, nice 18:19:30 petertodd: also the entities need only about 1mbit/sec of bandwidth if you assume eligius' current user count and that each user is targeting 4000 shares / day (which gets them to the point where weekly performance <98.5% if less than 1% likely) 18:19:38 maaku_: not yet, but they can be made to be in a hard-fork 18:19:47 would those then be unspendable for 100 blocks? 18:19:51 which means you could easily support additional observer entities over the N. 18:19:54 regardless though I don't think it will work - before the soft-fork the length-extending version means nothing, after it means there's extra bytes 18:20:18 maaku_: doing that in a soft-fork is much less trivial, I'm talking about a hard-fork 18:20:20 well ok, i guess it'd work if every instance of transaction storage is made length prefixed 18:20:31 helo: the payouts in what I'm talking about? yes. 18:20:32 gmaxwell: not bad 18:21:17 helo: The payouts to the pool itself are generated, the payouts to the users would be instant spendable. 18:21:37 our current approach (for freimarkets, freicoin we screwed up) is to have the block height indicate the hard-fork transaction format 18:21:42 (I think doing coinbase payments in such a model would add a lot of complexity for not a ton of data) 18:21:56 gmaxwell: (U)TXO commitments should be structured such that multiple low-bandwidth parties can create a block co-operatively. Shouldn't be too hard to pull off in a trusted scenario, harder in untrusted. (though could be fidelity bonded)_ 18:22:17 which is somewhat undesireable around the transition, although that is one-time and can be mitigated by creating new-format transactions early 18:22:29 spinza has joined #bitcoin-wizards 18:22:41 maaku_: that's reasonable, although remember that you can do a nVersion voted hardfork too 18:24:17 spin123456 has quit 18:24:30 adam3us1 has joined #bitcoin-wizards 18:26:00 orperelman has joined #bitcoin-wizards 18:27:41 kind of off-topic, but now that you're talking about coinbase...nVersion=2 of joke I think I heard here 18:29:19 The success of coinbase surprises me given that their transactions take 100 blocks to confirm. That latency surprises me even more given that they use mongoDB, whose writes are almost as fast as writes to /dev/null 18:30:52 nessence_ has quit 18:31:01 just a mix of jokes really 18:31:02 jtimon_: well, that was more funny than the comedian they hired for the san jose conference 18:31:10 hehe 18:31:41 I saw him a little bit, but yeah, not funny at all, I couldn't watch the whole video 18:31:56 jtimon_: I think it's because they have to send their transactions all the way to blockchain in the UK for processing. 18:32:09 hehe 18:32:36 gmaxwell: these services need a little button that gives you the raw hex of your tx 18:34:51 spinza has quit 18:34:52 spin123456 has joined #bitcoin-wizards 18:35:07 adam3us1 has quit 18:35:19 petertodd: We got blockchain.info to add that. (well not a button but a ?format=hex on the transaction page) 18:35:28 gmaxwell: nice! 18:39:42 adam3us1 has joined #bitcoin-wizards 18:41:28 spin123456 has quit 18:44:23 spinza has joined #bitcoin-wizards 19:09:56 jtimon_ has quit 19:33:45 shesek has quit 19:46:31 shesek has joined #bitcoin-wizards 19:54:31 spinza has quit 19:54:32 spin123456 has joined #bitcoin-wizards 20:00:49 Jtimon & Peter, it's all about the PR and marketing, one of the reasons they are so successful, they are doing an amazing PR work - gotta give them that 20:01:38 It's amazing me to this day - there is almost no normal wallet out there today that I can recommend to new bitcoin users heh 20:04:18 go1111111 has joined #bitcoin-wizards 20:39:33 orperelman has quit 20:45:42 gmaxwell: proof of (holding) bitcoin - (for bandwidth allocation in bitmessage etc) but with 100btc i can take 100 shares of bandwidth at no cost (if i was holding them anyway). 20:46:35 gmaxwell: "as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out." dont object to backing out (say NO to block-chain spam!), but what are they saying missing context? 20:53:37 Luke-Jr has quit 20:54:01 Luke-Jr has joined #bitcoin-wizards 20:55:06 adam3us1 has quit 20:56:31 <_ingsoc> _ingsoc has joined #bitcoin-wizards 21:07:45 adam3us1 has joined #bitcoin-wizards 21:17:20 gmaxwell: ps still musing about how to do a subliminal channel free sig (motivated by such things). one thing wondering is the existing possibility to make a ECDSA key that can sig that is valid for two different msg hashes (by chosing public key at time one msg is known). thinking it might be enuf flexibility to do something 21:22:47 Luke-Jr has quit 21:23:37 Luke-Jr has joined #bitcoin-wizards 21:26:31 <_ingsoc> _ingsoc has quit 21:28:19 <_ingsoc> _ingsoc has joined #bitcoin-wizards 21:37:03 adam3us: there have been a number of articles about how bitcoin has been "upgraded" to enable "distributed storage" and such horrifying things like that. 21:40:32 gmaxwell: ah yes. its a scary situation indeed. the flip side is there are then people who will stego encode then in multisigs if you dont, and create needless non-compactable TXOs and on. Cant win:( well maybe... there's the subliminal channel plugging drive - could try how far you can get with that. eg all outputs are blinded somehow by the next mining event and unblinded by recipient or inputs blinded by spender and unblinded by mi 21:41:16 adam3us: thats why I didn't oppose it initially. Though the trade off of people thinking it is a good non-antisocial and supported application is concerning. 21:41:39 Esp what happens if abusive use arises and it must be turned back, but there is also non-abusive use? 21:41:49 gmaxwell: pegged side-chain, pegged side-chain, pegged side-chain 21:42:11 I mean there is a whole seperate stupid altcoin "datacoin" 21:43:14 gmaxwell: seriously. if that can be bootstrapped there is no rational excuse for not using one. i mean maybe we'll need a pegged-side-chain-gen.io because of lameness but otherwise... 21:45:00 gmaxwell: yes it seems like the msg was interpreted badly as a big GREEN light, that people can do any random stuff like its an API, or I dunno "HTTP on top of TCP" 21:49:35 go1111111 has quit 22:16:05 orperelman has joined #bitcoin-wizards 23:08:22 maaku_ is now known as maaku 23:13:34 andytoshi: I wonder in a public CJ server if there would be a value in using a socialist millionaire protocol so that a prospective CJ player could query the available sessions to test for an output size match, without disclosing what size they're looking for (and without learning what any of the ongoing sizes is) 23:17:18 gmaxwell: what would they learn in the case that a match exists? 23:18:08 it seems like they could get a good idea of the sessions just by testing various output values to see if they can join 23:18:36 andytoshi: you can limit them by making them show you inputs they're interested in using as a rate limiter. 23:19:54 ok, fair enough 23:19:59 go1111111 has joined #bitcoin-wizards 23:20:10 i'll put this on my list of "things to do when we have enough people for more than one session at once" :) 23:20:12 I mean ultimately what you can do is a multiparty computation where the server has a list of possible CJ's and the user has a set of inputs/outputs they're interested in and the MPC tells the user and the server which one they ought to be joining and no one learns anything beyond that... but thats getting into moon technology where socialist millionaire protocol is straightforward. 23:20:47 well, if it's tractable moon technology then i'll look into using it one of these days .. 23:21:03 i am being selfish and using other peoples' privacy desires for my own learning purposes 23:23:11 if i can get my bitcoind back to life i'll have a coinjoin client written by sunday evening, then this week we'll see if i can spur some popularity 23:23:18 It's not intractable, but not a 1 hour hack either. 23:28:39 <_ingsoc> _ingsoc has quit 23:31:35 there may be a 'simple' way to implement it where the server and the client disclose a bunch of fake data about the candidate joins and inputs/outputs (including the real data), and then the server and the client compute which would go with which, and then you do a far simpler multiparty computation just to learn a single one of matchups which involve real transactions. 23:32:50 (lets you keep the coinjoin matching outside of the multiparty computation.. the multiparty computation would just be "take two bitstrings, return a random index which has a 1 in both bitstrings" 23:32:54 ) 23:34:38 mappum has joined #bitcoin-wizards 23:41:50 nomailing has joined #bitcoin-wizards 23:44:51 gmaxwell: would there be a chance at analagous technology for the p2p case? 23:45:53 for my architecture I'm still assuming a broadcast architecture for requesting potential joins 23:46:00 which isn't as privacy enhancing as I would like... 23:48:18 maaku: nothing fundimentally prevents it, e.g. you could do multiparty computation with any number of parties. Though I think the complexity of hacks like I suggested to keep the mpc part maximally simple would not scale well. 23:51:31 go1111111 has quit