00:21:16 New torrent, http://gtf.org/garzik/bitcoin/bootstrap.dat.torrent
00:21:34 maaku: fwiw, you can do a very easy implementation of socialist millionaire using only blind signing.
00:23:28 maaku: you have a database you'd like me to check for matches in. You sign each entry and give me the signatures. I learn nothing useful from this. Then when I want to see if X is in the database, I blind X and ask you to sign it. You learn nothing about X. Then I unblind and can see if it was in your list.
00:34:13 jgarzik do you have the previous 2 or 3 bootstrap torrents you made anywhere?
00:34:20 maaku: though I think until someone works out what an 'optimal' CJ decision looks like, it's hard to reason about what it would take for some magical private process to generate them.
00:34:44 it occurs to me i can seed them all from the same file
00:39:21 well actually i've got 3: 4.5gb, 9gb and this new 13gb
00:39:31 i think that's all of them right
00:41:52 gmaxwell: what do you mean by 'optimal coinjoin decision'?
00:56:46 Emcy, sf.net/projects/bitcoin has current; above is current+1
00:58:07 huh?
00:58:31 that's the bitcoin client
00:58:40 maaku: I mean, say given a set of transactions, which participants will not gain any privacy under an assumption that the attacker understands coinjoins and is unraveling them based on the assumption that users_inputs==users_outputs?
03:18:02 oh. I think I just reduced the complexity of my trivial NIZK proof to O(N) without substantially increasing the complexity of it, though by adding a discrete log hardness assumption.
03:19:53 The point I'd made at the end is that you could remove the N^2 by using an xor-homomorphic commitment as that would allow you to just combine the gate key commitments directly.
03:23:53 But really the xor-homomorphic commitment only needs to be xor-homomorphic for a single bit, which means straight up additive homomorphism over any field should work. E.g. the commitment can be X*g in some EC group.
04:38:44 Oh, interesting. I can get a simpler CoinSwap protocol if prior to any transactions, one party proves to the other H(X),H(Y),X xor Y for some undisclosed X,Y; in other words, having this proof in hand you know that if you know the preimage of H(X) then you also know the preimage of H(Y).
04:39:20 I think I can do a proof for H(X),H(Y),X^Y with sha256 under 40 megabytes now.
04:40:47 (the coinswap is simpler from a protocol perspective because you just prove this relation externally to me, then we can just make parallel hashlocked payments knowing that one will reveal the other without a public linkage.)
06:00:54 gmaxwell, oh, that's very interesting! hashlocked transactions always seemed like a great solution if we could get rid of the link it creates on the blockchain
06:01:21 40mb isn't ideal, but isn't too awful either given that it's exchanged privately between two users and shouldn't be done too often
06:17:18 the transactions would look somewhat unique if it's used as the primary transaction method and not just as a fallback in case of cheating, though I don't know how much of a problem that is if it's commonly used
06:56:33 ethereum discussion on the front page of HN : https://news.ycombinator.com/item?id=7041628
07:06:22 maaku: do they have some prevention from people making infinite loops?
07:06:40 If I wanted to attack the currency I would just mine an infinite loop into the blockchain
07:13:34 shesek: oh well there is another way to eliminate the link, but the protocol has a number of steps, which in practice results in a lot of engineering trouble.
07:13:49 shesek: https://bitcointalk.org/index.php?topic=321228.0
07:14:00 with coinswap and 4 transactions?
07:14:36 okay so you'd seen it then, yea. It would work but the state machine required to actually do it— while easy to chart is a real pita.
07:14:50 yeah, I know, but this is a much more elegant solution
07:15:37 though, as I mentioned above, being somewhat identifiable as transactions meant for that purpose is somewhat problematic until this is commonly used
07:16:29 if there are only two transactions in a whole day that use hashlocked transactions it's quite easy to link them together
07:17:37 maaku, too bad it's down though
07:18:11 someone from HN posted it to pastebin: http://pastebin.com/NCGRv74u
07:21:43 oh, seems like it was published for some time now... I didn't hear of it until now
07:25:17 shesek: you need to review the coinswap page.
07:25:43 shesek: the innovation there is that if the transaction goes through successfully the public never sees the hashlock (!), it looks like a set of multisignature transactions.
07:26:12 are you talking about coinswap or the new idea you had?
07:26:17 (2 of 2 at a minimum, but no reason that you couldn't throw in a garbage pubkey and make them 2 of 3s to be less irregular)
07:26:22 shesek: coinswap.
07:26:37 but the cost is that the protocol has a bunch of stages.
07:26:38 that "they look unique which can link them" was referring to your idea posted here, not to coinswap
07:26:44 oh! okay yea.
07:27:02 Well you could perform the same transform to this, but then you lose the fact that it's simpler. :P
07:27:20 in any case, lots of uses for hashlocked transactions. so perhaps they'll be common at some point.
07:30:05 yeah, lots of interesting uses for them. I even have something for atomic exchange between altcoins (I think that was your idea originally?) lying around somewhere on my harddrive, though in a very very early stage
07:31:10 it's possible to spread out the transactions over a random period of a few days to weeks, which should help until they're more commonplace
07:31:36 yea, I'd proposed the non-private version of that pattern for exactly that purpose.
07:32:17 (^ is regarding the transactions being unique)
07:34:16 gmaxwell: regarding our proof of stake discussion yesterday, how do I prevent a miner from paying tx fees to themselves and using the new UTXO as their proof? Should I require them to use a time lock on their bitcoin payment with a tx fee?
07:51:02 gmaxwell, btw, I'm not really familiar with the current solutions for keeping other participants from linking your input/output in coinjoin, but I was thinking about a tor-like onion encryption to pass messages around, where you would onion-encrypt it with N participants, exposing the input and output at different "peel levels"
07:51:10 does something like that make sense?
07:52:42 I assume it was probably already solved in some more elegant way, I should probably read some more about how coinjoin should work
18:50:23 andytoshi: mostly I think a reduction in failed signings is worth it, and if the tool itself were misbehaving you're likely screwed.
18:52:28 gmaxwell: agreed
18:52:50 i wish i didn't need to demand a wallet passphrase in a program that is openly communicating with my server
18:52:53 the optics are terrible
19:22:14 Bitcoin blockchain torrent updated, 70% of previous bootstrap.dat is re-used. https://bitcointalk.org/index.php?topic=145386.0
19:46:08 <_ingsoc> Does anyone know if Vitalik Buterin hangs out on Freenode?
20:37:07 So who's read the ethereum whitepaper?
20:38:26 It's very interesting, but I think it might prove very difficult to manage
20:57:02 wyager: incentives for computation is wrong
20:57:27 How so? I'm not particularly enamored with the incentive model, but I thought it seemed OK
20:57:44 there's no point in paying miners fees for computation, when the miners are not doing the computation
20:58:11 Aren't they?
20:58:15 no
20:58:19 validating nodes are
20:58:31 most miners are not validating nodes
20:58:37 everyone's doing the computation, only the miners are getting paid right
20:58:48 and worse, they are getting paid proportional to hash power
20:58:53 which has nothing to do with the computation
20:58:55 So when a program broadcasts a transaction, every single validating node broadcasts the transaction?
20:59:02 maaku: why wouldn't the miners be validating nodes? If they had something invalid in their block it would get rejected right?
20:59:12 *every single validating node computes the transaction
20:59:45 justanotheruser: no, nearly all miners use pools
20:59:47 What about when, during the course of a contract/program executing, it sends a transaction? Does that happen like a real person/bot sending a transaction?
20:59:54 and a pool only needs to run a single validating node
21:00:25 maaku: oh, I see what you're saying
21:00:49 e.g. GHash.io and BTC Guild each only need to run one validating node
21:00:57 and yet they together get more than 50% of the reward
21:01:08 and the thousands of people running validating nodes for non-mining purposes get nothing
21:01:15 (but still have to run the computation)
21:01:54 OK, but I guess that still makes some sense if the point is simply to prevent logic bombs rather than to compensate the people running the contracts
21:02:27 I wish there was a way to reward validating nodes. But I don't think there is without risky sybil
21:03:05 the best approach is to make it truly cheap to run validating nodes
21:03:09 and/or make it so they are not required
21:03:52 maaku: what do you mean "make it so they are not required"? Wouldn't them not validating make them not validating nodes?
21:05:13 make it so that whatever application you needed a validating node for, you don't anymore
21:05:32 e.g. because you have a succinct proof of validation (so you don't need to validate it yourself)
21:07:15 ok
22:15:37 so, actually implemented my ZKP, a proof of sha256 is 47mbytes.
22:16:45 (for ~123 bit security)
22:18:04 and validation requires about 1 million EC multiplies with the generator and about 4 million hash operations.
22:20:41 that's a proof for "i have some input you don't know, which hashes to X" ?
22:24:15 Yes— basically it's just the cost of running SHA256 under my NIZK proof system. So not just "I have" but any trivial operation along with it. Like "X is the hash of something that begins with 'sipa'" would have the same cost.
22:24:55 or for 2x that cost I can do my "Z is the xor of the preimage for hashes X and Y"
22:25:14 now I should go see if ripemd160 can be done with fewer gates.
22:33:51 this is really exciting, thanks for doing this work gmaxwell
22:35:39 gmaxwell: +1
22:36:00 indeed, very nice to see some things actually being done
22:36:06 instead of the mostly talk here :p
22:40:19 gmaxwell: Is this related to SNARK?
22:44:07 more of a NARK :P