sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<nsh>
privkey is leaked through committing to the nonce of the transaction somehow - variation of anduck's/tonych's proposals, but i don't understand the`doctor HTLC or lightning channel stuff in general
<nsh>
or making the nonce derived from the privkey
<amiller_>
yeah but how do you enforce anything about the nonce
<sipa>
nsh: I have an ECDSA private key a with associated public key A. Can you construct a scriptPubKey (given A) that I can spend, but only by revealing a?
<sipa>
(Is my interpretation of the problem, and I don't know the solution, so maybe I missed something in the way the question was formulated)
<amiller_>
maybe you can do something with the sighash flags, where you get a signature on an "empty" transaction, and then you provide the actual money payload with a new input, that you construct after seeing the first signature, and the script basically says "SIG has to be valid under this public key, and it has to be different than SIG' which i saw previously"
<sipa>
amiller_: signing the hash 1 is possible, but the signer chooses the flags
<amiller_>
oh
<amiller_>
well, maybe you can just require the first signature to have the right flag before constructing the second scriptPubkey input with the actual money
<sipa>
the substr opcode was disabled
<sipa>
otherwise i could just require a signature whose r value was a fixed constant with known nonce
<andytoshi>
i think i see how to do the signature thing
<andytoshi>
pretty nasty
<andytoshi>
oh, no, my idea reveals the keys. i'll shut up :)
<gmaxwell>
the goal is to reveal the key!
<gmaxwell>
what did you think the goal was?!
<sipa>
gmaxwell: i guess he means his trick would reveal the key before spending?
<andytoshi>
yes, that's what i mean sipa :P
<andytoshi>
oh, wait, before even spending once?
<sipa>
andytoshi: eh, perhaps you better explain what you think the goal was, and how you failed it
<andytoshi>
sipa: i had thought the goal was to create a sig such that if you produce two of them with the same key, the key is revealed. but not if you only produce one.
<andytoshi>
but now i see that the goal is weaker than that
<andytoshi>
it's ok that if a single bitcoin signature is published, the key is exposed
<andytoshi>
just that it should be possible to publish an out-of-band signature with same key, and that does not expose anything
<gmaxwell>
yea, the goal is that at the end of the protocol, the final signature means the other party learns the private key.
<gmaxwell>
You can have setup before that.
<gmaxwell>
So, e.g. a single show signature would work; but it doesn't need to be one.
<andytoshi>
ok, my thing is still broken because it reveals the key to everyone (so miners can steal). it might be salvageable tho
<gmaxwell>
it's okay if it reveals it to everyone.
<gmaxwell>
the last step can do normal key && leaked key (via bitcoin script.)
<andytoshi>
ok, that's a good point
<andytoshi>
then if my thing works at all (i'm 80% sure..) it's a win :P
<andytoshi>
but how is that different than a hash preimage?
<gmaxwell>
because the other party generates a new ephemeral pubkey P, and you pay to P+{pubkey whose discrete log you're gonna leak}.
<gmaxwell>
and the two transactions are unlinkable by the public (which doesn't know P)
<andytoshi>
oh, right!
<andytoshi>
sorry, i'm very tired :)
<gmaxwell>
eat.
<andytoshi>
oh, shit, good call
<bramc>
Taek, Is there any technical protocol documentation which starts with the per-connection state machine?
<tulip>
bramc: that's about the extent of it, beyond looking at the source.
<bramc>
tulip: What *is* the state machine of a connection? There must be one, even if it's implicit and only understood by a priestly few.
<phantomcircuit>
bramc, there aren't docs about it but it's very simple really
<phantomcircuit>
version/verack before anything else
<phantomcircuit>
connecting peer sends version
<bramc>
phantomcircuit, Yeah yeah let's just skip all that handshake stuff for now
<phantomcircuit>
then take a look at the getheaders stuff there's a hack there to signal to the other peer that they should request more
<phantomcircuit>
otherwise everything is async
<phantomcircuit>
currently we only respond to messages in order but well...
<bramc>
When I think about a connection state machine it starts with you always having an idea of what my current longest chain is
<tulip>
basically after the handshake the only thing you need to do is respond to ping messages, and not send anything invalid, everything else is optional as far as connections are concerned.
<bramc>
*sigh*
<bramc>
Some day I should really write a document about how to design network protocols.
<tulip>
bit late for this one.
<tulip>
it's simple but lots of things are weird in ways they shouldn't be. the "alert" message type somehow manages to be more complex than all of the other ones combined, even though it is never used and all of the fields in it are irrelevant.
<bramc>
If we're syncing with each other, the logic should fundamentally be that you and I announce to each other what our current greatest work factor chain is. Then whoever has a shorter one asks for stuff from the peer who has a taller one until we're back in sync
<bramc>
The main subtlety should be whether we proactively send whole pieces of data to the peer or wait for them to be requested
<bramc>
That's another thing which I have no idea how Bitcoin currently does it.
<kanzure>
btw, have you been lurking #bitcoin-core-dev
<bramc>
No I have not
<tulip>
bramc: it works something like that at the moment. nodes can use 'getheaders' commands to build up the tree of block headers and verify the PoW before wasting time downloading the actual binaries. once it has the headers it can download them out of order.
<bramc>
At the back of my mind I have this implicit assumption that everybody is familiar with BitTorrent's original wire protocol state machine and the improved one with the fast extensions and understands the philosophical implications for this for protocol design generally. This is probably a ridiculous assumption...
<bramc>
tulip, Right, so it's pull-based rather than push-based, at least as far as the blockchain is concerned (mempool is a different subject). That makes sense. How is a new highest block announced?
<tulip>
newly received objects can be announced to peers using the 'inv' message, which contains the hash of the new transaction or block. if the node doesn't have it and is interested, it requests the binary from the peer using 'getdata'.
<bramc>
Does inv specify whether it's talking about a transaction or block? And if it's talking about a block, does it include work factor?
<tulip>
just the type, hash of the object. there's discussion about pushing the entire header instead for blocks, which isn't a whole lot larger.
<bramc>
Or I should say, work factor and height, and if it includes height is there a way to request the last n block hashes so you don't have to walk the linked list one at a time?
<tulip>
the block header doesn't contain the height unfortunately.
<bramc>
This protocol is... distinctly suboptimal when you're catching up.
<tulip>
the coinbase transaction does however as part of BIP30, it's used as a salt to stop duplicate transaction IDs. you can include a block header and merkle path to the coinbase transaction in a few hundred bytes.
<bramc>
I assume peers also have a policy of not announcing that they have anything which they themselves haven't validated, and not announcing orphaned blocks?
<tulip>
announcing invalid objects is a violation of the protocol and causes a disconnection and ban of that peer.
<bramc>
You don't need blocks to contain heights for the peer protocol to report them
<tulip>
it's not that inefficient now for catching up with the chain, it used to be.
<bramc>
An object can be valid but not validated, for example I can be in the process of downloading a block from a peer but I haven't finished validating it yet because I don't have all of the blocks below it yet. For me to announce that I have that object to my own peers would be very bad behavior.
<bramc>
Well you're stuck not being able to pipeline the block headers with this protocol. That shouldn't be *too* bad as long as you can pipeline the actual transactions though. How does it handle those? Are the intermediary positions in the hash tree treated as separate objects?
<tulip>
the merkle tree isn't stored in the block format, it's literally just a concatenation of [block header] [num of transactions] [transaction binary]. the node rebuilds it as part of the validation.
<bramc>
So the transaction binary has to be transferred as a complete blob before it can be validated?
<tulip>
yes. there's an alternate protocol which in a roundabout way lets you build the merkle tree from transactions you've already seen on the network, the remote peer pre-emptively sending you any transaction binaries it knows you have missed.
<bramc>
Also, dumb question: If I restart my node after it's been asleep for a while, what does it do with everything in its mempool? Presumably most of what's in there is now garbage, does it throw it away, waste a bunch of bandwidth trying to send it around immediately, or something else?
<tulip>
the memory pool is not retained in any capacity.
<bramc>
That's an unfortunate but pragmatic policy
<tulip>
wait, asleep.
<tulip>
if the process is just paused, the transactions in the mempool will probably have been confirmed in newly incoming blocks, once they've been confirmed they'll be removed.
<bramc>
By 'asleep' I mean 'paused for long enough that the old connections all time out and new ones have to be formed'
<tulip>
it'll be retained in that case.
<bramc>
Presumably whenever you form a new connection, even if it's with a peer you had a connection to before, you have to rework your whole connection state
<tulip>
that'll just be the new headers though.
<tulip>
nodes that have been restarted are significantly slower than ones that have kept running for a while, most of the reason the network hasn't collapsed already is that Bitcoin Core uses caching of transaction validity. with the caching turned down things really start to get slow.
<bramc>
By the way, in the blockchain format, does it form the merkle root by hashing the hashes of transactions, or is it really and truly the hash of the complete blob?
<bramc>
I'm not sure what you mean by 'caching of transaction validity'
<tulip>
say we see an unconfirmed transaction, we can cache the ECDSA signature verification, if we see it in a block later we can skip that slow business entirely. this is slightly problematic because the network speed relies on miners not packing blocks with unknown transactions.
<bramc>
Right signature validations should of course be cached
<tulip>
it's not an ideal solution though, it opens you up to attacks where certain nodes can have a cache eviction attack performed against them to intentionally slow their accepting of new blocks.
<bramc>
Maybe I should explain how I'd go about designing Bitcoin peer protocol from scratch, because we're speaking somewhat different languages here. When I design a protocol the first question is 'what is the state which peers present to each other, and how should peers respond appropriately to achieve eventual consistency?' Most network protocols are centered around 'what does the current code do in response to particular messages?' with the state being implicit and somewhat busted
<bramc>
What sort of cache eviction attack are you thinking of?
<tulip>
say my node only stores 50MB of validated signatures in its cache. you flood me with 51MB of useless transactions and cause relevant ones to be evicted, when a new block comes around I've no useful pre-validation remaining and have to do all of the work again.
<bramc>
Define 'useless transactions'. There's a limit of the number of transactions you can make, based on the number of utxos you have
<tulip>
that's not a meaningful limit to the number of them, there's 32642787 unspent outputs. you can also do tricks with miner participation, like making reasonable transactions and then re-signing them for their block contents causing the cache to be useless.
<bramc>
To my mind there are two different and tangentially related things which connections do: transmit blocks and transmit uncommitted transactions
<tulip>
one thing to remember is that when the p2p network was designed, there were more purposes than that. only 2 of the commands dealt with transactions and blocks.
<bramc>
You can keep that under control by only allowing a single replacement of each input per block
<tulip>
how do you mean?
<bramc>
I have a working idea in my mind of a set of policies which do a decent job of deciding what in the mempool to forward, but it only works with rbf and I have little motivation to figure out how to hack things in not the right way.
<tulip>
(other commands included 'review', 'product', and 'table', 'submitorder')
<bramc>
If you send me a transaction which validates, then you send me another transaction for the same utxo, I ignore it until a block has passed, without even trying to validate.
<bramc>
Right, there's some weird stuff about bitcoin peer protocol having plans for a marketplace, all of which has been abandoned.
<bramc>
It's the borscht belt.
<tulip>
and a poker game.
<tulip>
I haven't followed RBF concepts so I can't really comment on that in comparison to any other.
<bramc>
There are two situations to take seriously: (a) You join with nothing and are downloading since genesis, and (b) there are two different long chains which are neck and neck trying to outrace each other and swapping who's in first
<tulip>
if the latter is happening you've got other troubles.
<bramc>
With regards to rbf and all that, the high level abstract point is that transactions go into three buckets: dead, tbd, and accepted. Which bucket they go in is based on their fees, what you already had when you received them, what else is in your mempool, and of course whether they passed validation. Sometimes after a block passes you move stuff from tbd to accepted. What accepted means is that you proactively push it on all your peers. The only way a transaction can get out of dead is if the block height it became dead in gets rewound.
<bramc>
Yes case (b) sucks big donkey nuts. All the more reason why peers should try to handle it rather than spontaneously melting.
<bramc>
Note also that (a) and (b) can happen at the same time.
<tulip>
I don't think the software can handle (b), long reorganisations cause the nodes to catch fire essentially.
<tulip>
all of your peers drop you due to the pings timing out, for example.
<bramc>
For the purposes of (b) it's very important that peers announce what their current highest block is and be able to answer questions about its linear history as a whole
<bramc>
Yes catching on fire in the event of a long reorg is what I'd expect in the case of a hacked together protocol. It isn't inherent to the blockchain though.
<tulip>
the problems with the p2p protocol are a bit wider than this discussion though. the transaction flooding system is quite leaky, there's an incentive for companies to attempt to connect massively to every peer they can in order to gain timing information. what that means ultimately is that a huge portion of the capacity is wasted.
<bramc>
The details of exactly how the current protocol catches on fire in that situation is something I'd only want to know out of morbid rather than academic curiosity
<bramc>
Well, good behavior is to either (a) spam every peer you're connected to with every transaction you accept (which like I said before isn't all of them immediately, especially with real fees and rbf) (b) spam all your peers with just the hashes of transactions you've accepted and let them request them, (c) immediately spam a subset of your peers with either of those two and wait a bit to see if you get equivalent notifications from other peers before spamming the rest
<bramc>
Fundamentally when two peers connect to each other for each item in the mempool something will have to be sent between them for them to both know they've gotten it. The only short circuit is for the transaction to already be in an accepted block. Unless you have weak blocks. Weak blocks are a good idea.
<tulip>
we do (b) today basically.
<tulip>
(c) is problematic because it assumes on some level that your peers are sane.
<bramc>
That is a pragmatic default. I wouldn't advocate for anything else.
<gmaxwell>
No more entries in the key disclosing signature contest?
<gmaxwell>
andytoshi came up with the same approach aj came up with.
<gmaxwell>
(which I think also works, but is less efficient than mine.)
<rusty>
gmaxwell: OK, spill...
<gmaxwell>
okay lets pretend then that someone started doing it and the scriptpubkeys showed up on the network.
<gmaxwell>
The scriptPubkey that forces you to reveal a private key is OP_SIZE 57 OP_LESSTHANOREQUAL OP_VERIFY <P> OP_CHECKSIGVERIFY
<gmaxwell>
(57 could be modified slightly, as there is a signing time, security tradeoff.)
* gmaxwell
stands back while all the people say "WTF?"
<bramc>
gmaxwell, Sadly I can't read Bitcoin script. Is the challenge to make a scriptPubKey which can only be opened by revealing the private key to a specific public key which is presented as a challenge?
<gmaxwell>
yes
<gmaxwell>
in the existing Bitcoin network today; it's not hard to do with minor soft-fork additions.
<petertodd>
gmaxwell: oh, you're just forcing me to make a signature that allows some math to be used to recover the private key, probably using the sighash_single bug
<rusty>
OK, so they have to have provided an unusually small signature. With DER encoding + sig type, that means the <= 57 bytes check here implies length of S + length of R <= 50 bytes?
<gmaxwell>
petertodd: nope. :)
<gmaxwell>
rusty: yes.
<gmaxwell>
I'll give the rest away: There exists a point with known discrete log which begins with 90 bits of zeros.
<gmaxwell>
For reasons unknown to us, when G was selected for secp256k1 they took a 166 bit number of unknown origin, coerced it to a point and doubled it.
<petertodd>
gmaxwell: ok, so the first part of my guess was right :P
<gmaxwell>
So that point has a discrete log of 1/2 F(n).
<petertodd>
gmaxwell: "For reasons unknown to us" <- that sounds sketchy
<gmaxwell>
petertodd: nah, not really-- it's pretty easy to prove that the selection of the generator is irrelevant. That's why no specs bother to disclose how they came up with them. (I had to harass DJB to spec it for his curves.)
<gmaxwell>
For lots of curves they're sha1s of random stuff or ascii text or other random stuff.
<petertodd>
gmaxwell: good; irrelevant except for crazy tricks like this?
<gmaxwell>
Well irrelevant for "elliptic curve security" which doesn't mean entirely irrelevant.
<rusty>
gmaxwell: so, the only other (known) way to get a sig that small is brute force?
<gmaxwell>
(if you have a magic generator Q that you can solve discrete logs with respect to, solve the discrete log of G with respect to it.. Now any discrete log problem with respect to G reduces to one with respect to Q just by multiplying the point in question by the inverse of the DL of G wrt Q.)
<gmaxwell>
rusty: Yes.
<gmaxwell>
The 90 bit reduction is a bit weak because you could grind R then grind S, so what my script actually requires is smaller than you'd get with that special R.
<gmaxwell>
You're required to grind S some too.
<bramc>
For a given modulus aren't all generators isomorphic, and you pick one which allows an efficient implementation?
<gmaxwell>
bramc: assuming that there are no subgroups (there aren't for secp256k1); for EC the choice of the generator doesn't really have performance implications, not like it does for Zp discrete-log.
<rusty>
Damn, gtg. Will digest on ride home...
<bramc>
Ah, I was thinking of GF(2^n) where they're all exactly the same and it's all about which one has the most efficient implementation
<bramc>
Back on the subject of a long back and forth fork: Only a small amount of miner self-interestedness could easily result in two competing forks between miners which could take quite a while to sort itself out. Eventually it inevitably would, but oh what a mess.
<bramc>
One of those 'wouldn't this be fun' scenarios which works on paper. Miners could even start adding bribes to their own losing chain to pull in other miners, resulting in a Democrats vs Republicans sort of scenario
<bramc>
Just need a single utxo you control to go into different places in the two chains and presto, instant ability to bribe all the other miners to join your fork
<bramc>
Geeze, thinking this through is making me very glad the block cycle times aren't any shorter
<bramc>
A netsplit. I feel like it's 1995.
<Taek42>
lol @ the number of users spiking while everyone gets shifted to their alt handles
<bramc>
A majority of mining power could successfully conspire to reliably win forks. A significant minority could make it worth their own while to mine them.
<Taek42>
I've been thinking about a potential schelling point where the biggest miners only forward blocks they find to the other biggest miners and nobody else
<Taek42>
as long as blocks are getting to a majority of the hashpower, the minority will experience higher orphan rates
<gmaxwell>
Taek42: really you would prefer only about 33% of the hashpower gets your blocks quickly.
<gmaxwell>
(same reason as the selfish mining results)
<bramc>
gmaxwell, What's the reasoning behind 1/3 getting blocks quickly?
<Taek42>
when 33% of the hashpower is 1 block ahead, the remaining 66% needs to mine 2 blocks to win the fork-race
<Taek42>
each side of the fork has a 50% chance of winning
<bramc>
Mining being heavily centralized really doesn't help
<gmaxwell>
bramc: no shit.
<gmaxwell>
Unfortunately, bitcoin users have been in excuse mode for so long, getting traction about improving that is not easy.
<bramc>
gmaxwell, I'm not sure what can be done to improve it. Other than explaining to people that joining mining pools just because isn't such a hot idea I mean.
<bramc>
Not that mining decentralization actually fixes the problem, but at least it helps.
<gmaxwell>
Oh there are lots of things that can be done both technical and socially. E.g. a lot would be improved to just fix the race misunderstanding; though that's harder when propagation effects make it somewhat true.
<bramc>
Is bitcoin-ng specifically meant to solve all this miner conspiracy forkage stuff?
<gmaxwell>
no, though it decouples size related propagation latency from the mastership race.
<gmaxwell>
What you can do is multiply once, then double many times (cheaper than an add when j-invariant=0), then do a batch modular inversion. Then use the efficient endomorphism to get three points from every point for the cost of just a FE multiply.
<gmaxwell>
The result is something on the order of 15 million per second.
<gmaxwell>
aj_: which is why I was able to get ones with 4-5 bytes of fixed space.
<aj_>
gmaxwell: so 15 zero bytes means 4 zero bytes in s using g/2; which means 4GH when signing normally, which means it doesn't work well with CPUs?
<sipa>
gmaxwell: i considered restricting the size of the signature, but dismissed it as too slow to be usable
<aj_>
gmaxwell: i was thinking even 3 zero bytes in s, at 16MH was a bit worrying if you want to do this with a client running on a phone or similar...
<gmaxwell>
aj_: well, I was assuming around 2^30 work-- the time is all the hash; the field operations are free by comparison. It can be fudged a bit.
<gmaxwell>
aj_: in theory it works without any S restriction, but I wasn't happy with the security parameter due to splitting the cost between R and S being possible..
<aj_>
gmaxwell: though i guess since you're revealing P anyway, you could just outsource the whole problem anyway
<gmaxwell>
sipa: in particular the fact that we know the discrete log of a point that has 11 bytes of zeros is actually useful for something!
<sipa>
gmaxwell: very true...
<sipa>
i hadn't considered using that point
<gmaxwell>
aj_: if you assume an equal split (perhaps not rational because of the computational cost) then you get half the bits of security, so my figures give about 60 bit security.
<gmaxwell>
aj: actually I think the R grinding is cheaper than the S grinding. group_double_var: 0.199us + 3* fe_mul 0.0310us = 3 points. or .0766/point.. about 8x faster than sha256^2 for my laptop.
<sipa>
gmaxwell: security against what?
<gmaxwell>
sipa: the attack is that someone who doesn't want to reveal grinds a lot of R values to find an unusually small one, then takes the best and grinds S values (by changing the transaction and hashing)
<gmaxwell>
E.g. if we only required it to be the smallest you get from R, the attacker can actually grind that: 90 bits smaller is hard, but 2x 40 bits much better.
<sipa>
i'm missing something
<sipa>
we don't want people to not reveal
<gmaxwell>
sipa: my forced reveal scriptpubkey is OP_SIZE 57 OP_LESSTHANOREQUAL OP_VERIFY <P> OP_CHECKSIGVERIFY. To get that size you'd use the special R and do 2^30 hashing work to get S small enough.
<sipa>
ah, you mean that someone is able to satisfy the signature without it being revealing
<gmaxwell>
If instead I required <=61, which is the size you get from the special R and a random S, then an attacker can do 2^40 work to get a small but not heroically small R; then 2^40 work to get a small S.
<gmaxwell>
right.
<sipa>
i assumed the size was chosen small enough to make that impossible
<aj>
gmaxwell: 2**32 hashing work no? you still have to have 4*8=32 zero bits to drop 8 bytes, then another zero bit to not add a zero byte back to avoid it being a negative number?
<sipa>
gmaxwell: 60-bit of antisecurity :)
<gmaxwell>
aj: freaking DER encoding. :P Well, you save one bit of hashing work because of the low-s flip.
<gmaxwell>
(if your result is in the upper half you flip and it's still a valid signature.)
<gmaxwell>
aj: you and andytoshi should write up your solution too, which you both independently came up with. (I gave up on that approach too early when sighash flags frustrated me)
<sipa>
so size 57... that means 50 bytes of actual r+s data
<sipa>
or 199 bits in r and s on average
<sipa>
gmaxwell: you can require two different small signatures, for a public key and a related one
<sipa>
oh, that just doubles the amount of s work
<gmaxwell>
oh thats interesting actually I think there might be something to combining the two approaches.
<gmaxwell>
oh darn nah, bitcoin screws us.
<gmaxwell>
well I guess but it's more gross.
<sipa>
i was thinking along the line of requiring two identical signatures, one for the real public key and one for a public key you choose to reveal
<gmaxwell>
You compute P's reveal signature for a message of 1. And give me the hash of it.
<sipa>
but that's something someone without the private key can do too
<gmaxwell>
sipa: identical signature constraints is what aj and andytoshi came up with.
<gmaxwell>
there is a non-smallness related solution via that but it gets ugly to handle due to sighash flags.
<aj>
gmaxwell, sipa: i think if you require 5 small signatures, you get forced to do a squared amount of work, no matter how clever you are with different sighash options
<sipa>
mine, specifically, where it's already past 11am!
<andytoshi>
gmaxwell: hah! i'm torn as to whether i should've gotten that
<andytoshi>
(the only reason i would've is that i had the hint "gmaxwell figured this" which should've hinted at what tricks would be used; without that i'd be hopeless, this is insane)
<andytoshi>
and thanks for writing up our solution aj :)
<aj>
andytoshi: don't suppose you went so far as to translate it to actual script?
<sipa>
happy to see you guys were thinking along the same lines as me
<sipa>
except you actually got somewhere :)
<andytoshi>
aj: no, not that far, though i was close
<andytoshi>
like, i came up with this while studying my script parser, so i was thinking in terms of opcodes anyway
<andytoshi>
but the stack-swapping and equality checking (or duplication) seemed like a lot of work :)
<andytoshi>
does the cost for renting hw go up if you try to rent a ton at once? aj's mail gives numbers like "grind for a week to steal" but you can't start grinding til you have an output to spend from, and once that exists the CLTV starts ticking
<andytoshi>
so you'll only have hours or so (right?)
<sipa>
andytoshi: that's pretty ugly still... those times may change significantly over time
<aj>
depends how long the locktime is? some of the handwavy numbers for lightning are relatively high (2 days per hop, 19 hops)
<aj>
(you've got to have a pretty strong pre-calculated r for that though)
<andytoshi>
oh, derp, i forgot r can be precalculated
<andytoshi>
so you have unlimited time in which to do that part
<aj>
yeah, and you also have to be careful not to use that r to reveal a secret someone else already knows, or to reveal the same secret twice
<aj>
err, "or to avoid revealing the same secret twice" rather
<andytoshi>
well, as soon as you use it everyone knows its discrete log, so then anybody can use it for their own stealing i think
<andytoshi>
i'm unsure what you mean by "revealing the same secret twice"
<afdudley>
interdependent secrets is how I read that.
<aj>
as in "what's the preimage for X?" "cheat with r=blah" then later, "what's the preimage for X?" cheat with the same r=blah, combine the two cheats lets you work out r and the preimage for X
<aj>
lets you work out N from r i mean
<andytoshi>
oh, right, i forgot that cheaters don't reveal anything :P
<andytoshi>
yes, you're right, the r is single-use only
<aj>
(once the log of your clever r is known it's no better than g/2)
<andytoshi>
yup
<aj>
r is okay to reuse for different secrets though afaict
<andytoshi>
yes, it is
<andytoshi>
(which is why yours and my solution required 3 sigs instead of 2, as i'd initially thought)
<aj>
haha, i got that wrong too :(
<andytoshi>
lol! sounds like we had exactly the same conversation with gmaxwell
<andytoshi>
so. a good thing about this is that the security is time-sensitive. like, i believe the posted benchmark numbers today but maybe not next year, but i can freely use the scheme today knowing that the window for cheating is limited by the CLTV period
<andytoshi>
secondly, a grinded r can only be used once. so it can only be used to cheat on a single lightning tx (which i think are limited to like $10 worth?)
<aj>
hmm? i thought we just agreed a grinded r can be reused on many transactions (as long as the secrets to be revealed are different) ?
<andytoshi>
oh ugh yes
<aj>
it's probably like $15 per tx now
<aj>
("how do i cheat lightning txs?" "you just grind r" "oh, i've already got that app!")
<chmod755>
what?
<andytoshi>
right aj
<andytoshi>
having a granularity of bytes rather than bits is nice