sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
MaxSan_ has joined #bitcoin-wizards
davec_ has quit [Read error: Connection reset by peer]
davec_ has joined #bitcoin-wizards
zooko has quit [Ping timeout: 244 seconds]
Dizzle has quit [Remote host closed the connection]
rusty2 has joined #bitcoin-wizards
zooko has joined #bitcoin-wizards
<zooko>
Taek, bsm[0-9]*: This combines two of my favorite ideas: bearer bond controlled by private key, and Proof-of-Storage.
rdponticelli has quit [Remote host closed the connection]
<bsm1175321>
Some day, someone will figure out the meaning behind the numbers...it shouldn't be too hard in the crypto community.
bsm117532 has quit [Killed (verne.freenode.net (Nickname regained by services))]
bsm1175321 is now known as bsm117532
<bsm117532>
ahem, these numbers. My IRC client adds the 1. It has nothing to do with the others.
bsm1175321 has joined #bitcoin-wizards
<bsm117532>
zooko: It seems to me that since presenting the proof of storage is equivalent to storage, the proof is effectively worthless (or equivalent). The idea, I think, is that the storer is holding *more* than they offer as proof. But this boils down to basic counterparty risk.
<bsm117532>
Any algorithm which seeks to determine whether I'm actually storing the data, without requiring me to produce *all* data, can be short-circuited. e.g. a bittorrent-style Merkle proof can be short circuited such that I store half as much data, but get paid half the time. Any challenge-response algorithm is at best statistical, unless you, yourself, are holding all the data.
* bsm117532
suddenly groks the difficulty with proof-of-storage.
Emcy has joined #bitcoin-wizards
<bsm117532>
A ZKP that you hold could be constructed in an analogous manner to the Fiat-Shamir scheme. However this is effectively security by obscurity. If you intend to upload your data to the cloud, delete it, but retain a set of compact ZKPs, you're then reliant on those ZKPs not being stolen.
<bsm117532>
Any proof sufficient to actually *prove* you hold the data must be equivalent in size to the data itself.
<rusty2>
So, if bloom filtering sucks for privacy, are there other proposals?
<bsm117532>
A statistical proof that you're holding 97% of my data is worthless, when single bit errors can render an archived filesystem unreadable. (Don't get me started on filesystems without integrated error correction and detection...)
rusty2 is now known as rusty
<bsm117532>
rusty: No. It doesn't matter what's in the "proof". If you request any subset of data, I know your target of interest is in the subset.
<bsm117532>
Your only recourse is to request a larger subset, and eventually, you're a full node.
<rusty>
bsm117532: I'm starting a new thread, sorry for any confusion :)
<bsm117532>
rusty: no problem, I think Taek and zooko are not online now anyway. ;-)
<rusty>
bsm117532: even if all filtering will reduce your anonymity set, the current implementation is both remarkably poor, and complex. Simply allowing a node to set filters based on the bottom 20 bits would be as effective, and be easy for wallet authors to reason about.
<bsm117532>
Using oblivious transfer, requesting a subset A of B such that A < B would presumably require a full node to perform a computation over a larger subset C such that A < C < B. So, presumably such an idea places a load upon full nodes that can easily be construed as a DoS attack.
<bsm117532>
rusty: Bloom filters are dumb, Cuckoo filters are where it's at.
<bsm117532>
You basically just described a Cuckoo filter.
<rusty>
(Note: bottom 20 bits of some template-based transform of the tx, such as address extraction for p2pkh, etc).
<bsm117532>
The objects of interest to us are *already* the outputs of hash functions, and therefore uniformly distributed. There's no reason to hash them again in a Bloom filter, and as you say, it's unnecessarily complex. A cuckoo filter is precisely truncating to a certain number of bits.
<rusty>
bsm117532: argh, no... you still want to be able to specify the number of bits you're interested in, eg. "bottom 10 bits are xxx".
<bsm117532>
rusty: that's unavoidable.
<rusty>
bsm117532: well, uniformly distributed in the non-DoS case, but there's no advantage to bloom there either AFAICT.
<bsm117532>
You simply can't encode 100000 possibilities into only 10 bits.
<bsm117532>
Bloom filters are incredibly hard to reason about, since they involve opaque constants k (number of hash functions) and m (number of bits). It's much easier to reason about cuckoo filters -- if I'm asking for a cuckoo filter of 10 bits, you know there are at most 1024 possibilities in my set of interest. k and m just hide the obvious.
<rusty>
bsm117532: ? If you have simple #bits-must-match-value filters, then sender can choose their precision. If you restrict #bits < 20, and the total number of filters per node, the filtering implementation gets extremely fast too.
<bsm117532>
Yes. Why the (?) ?
<bsm117532>
Maybe I'm missing what "filters per node" is referring to...
<rusty>
A response to your "You simply can't encode 100000 possibilities into only 10 bits." which seems a non sequitur...
copumpkin has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
<rusty>
bsm117532: the simplest scheme possible is a #bits-must-match-value filter. But you need more than one per node for that case (unless they're really only watching one address).
<bsm117532>
Why is more than one node required? (Forgive me, I'm not super conversant with bitcoin's SPV implementation)
<rusty>
bsm117532: if my SPV wallet hands out two addresses, it wants to see payments to either one. If it's using BIP32, it can grind out addresses which match on the lower bits, simplifying its filter, but if it imports addresses from elsewhere it's inevitable that it will want more than one filtering pattern.
Ylbam has quit [Quit: Connection closed for inactivity]
Noldorin has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
<bsm117532>
You're going to make me dig up my Bloom filter worksheets from years ago. I'm unable to reconstruct the argument I'm trying to give about cuckoo filters, except that I found them a lot easier to reason about. My conclusion was that the "filter size" was log(number of possible matched elements) for both Bloom and cuckoo, but Bloom was far more difficult to reason about due to the extra parameter.
linton_s_dawson has joined #bitcoin-wizards
linton_s_dawson has quit [Client Quit]
<bsm117532>
rusty: My suggestion regarding oblivious transfer is analogous to what happens with ZKPs. ZKPs are also an interactive protocol, made non-interactive by the Fiat-Shamir mechanism. In other words, I can perform log(n) requests in order to query the entire database, leaving the database provider oblivious as to what I queried, but requiring the database provider to actually retrieve every single element recorded.
<bsm117532>
Thus, privacy comes at the cost of the provider having to read the entire database in order to satisfy every query. (which, seems obvious in hindsight)
<Taek>
rusty: what's the ultimate goal? A compressed way to tell someone what transactions you have?
<Taek>
bsm117532: you can do a proof of storage without the data as long as you held the data at one point in time
<rusty>
Taek: no, a way to filter what txs you receive, without leaking too much info. ie. SPV wallet.
<Taek>
That seems inherently leaky. If you are only receiving 1/10th the transactions I know that yours are in that 1/10th
bsm1175321 has quit [Remote host closed the connection]
<bsm117532>
Taek: I think I'm saying the same thing -- I can short-circuit the proof algorithm by computing the proofs and deleting the original storage, if I know how to compute the proofs beforehand. Therefore my "proof" is only as good as the requester's ability to keep the proof requirements secret.
<Taek>
ah, that's true. Anything else is statistical. But, even hashing is statistical
<zooko>
rusty: I think that's basically the "Private Information Retrieval" problem.
<zooko>
It's a hoary classic in crypto, and I don't think there's a simple home-run solution yet.
* bsm117532
again groks the difficulty with proof-of-storage. Seems to me it's fundamentally counterparty risk. Perhaps statistics is an improvement. But we haven't made a revolution here, yet.
<zooko>
But there are many complex solutions with interesting properties that you may like to study. :-)
<zooko>
I think I have an improvement to PoS/PoR. Can I shoot you a stale rough draft?
<Taek>
I'd be interested in seeing it
<zooko>
Will do, Taek.
<rusty>
zooko: ha thanks! No, I don't plan on solving it. It looks like engineering incremental improvements FTW.
<zooko>
It is written for a reader who already groks Tahoe-LAFS, but you either already grok that or you can pick it up easily …
<bsm117532>
I made a funny comparison that now seems apt: For such IOU systems, their flaw is that no matter how ironclad your records, they must be tied to the real world assets. Just because my clay tablet says you have three goats, and owe me two, doesn’t prove that you possess three goats or are capable of producing two. This is counterparty risk, and is fundamental to IOU-based accounting systems, leading to the creati
<zooko>
The bottom line is that erasure coding *across* servers combined with client-privacy is really different and better than anything that doesn't have those two things.
* zooko
is searching for stale, rough-draft text files on old filesystems…
<bsm117532>
Goats being equivalent to bits of storage, here.
<Taek>
oh that would be a good strategy. If you download your transactions from multiple parties nobody has the complete picture, especially if you slip some false positives in
<bsm117532>
Taek: I like it.
<bsm117532>
Yet it's still inherently statistical. Your guarantee that anyone is holding all your shit is only statistical. If I can satisfy your request 97% of the time and get paid, that's a damn good business model.
<bsm117532>
zooko: Your guarantee that a party has correctly implemented erasure encoding is only statistical.
<zooko>
bsm117532: I think we can make it net negative for lossy servers...
<bsm117532>
I'm pretty fundamentally against punishment-based systems. Because...Sybil.
<zooko>
Here, I found the text file. Will send, if you agree to either send me at least 25 words of commentary in response within 72 hours or else you have to post a picture of yourself balancing a mug full of beer on your head.
* zooko
lols
pro has quit [Quit: Leaving]
* bsm117532
will transmit head-beer across the tubes with glee.
<zooko>
Uh-oh, I made the mistake of reading the rough draft before sending it…
<zooko>
and now I've found the place where I was 2/3 of the way through rewriting it and a sentence tails off with "xxxxxc stopping for the night".
copumpkin has joined #bitcoin-wizards
<bsm117532>
Take it from me: it's the onus of the author to not burden the reader with his bullshit. Not the other way around. Proof-of-Stakers take note.
<zooko>
Oh, good thing I'm sitting here editing this up before I send it to you then,
<zooko>
Gotta earn that beer-balancing pic.
<bsm117532>
I might even pour the beer into a watermelon first zooko, if it's good enough. ;-)
<bsm117532>
FWIW you're doing well so far. Don't screw this up! :-P
<zooko>
Sigh, now I have to try to repair all the broken links. The web is so damned fragile!!
<bsm117532>
Meh, don't bother with that, just make a cogent argument.
* bsm117532
reviews reams of non-cogent, non-published articles on his hard drive.
<bsm117532>
Triply-backed-up, of course, until Taek comes to save us from bit-rot. ;-)
<zooko>
What's Taek's email addr?
<Taek>
david@nebulouslabs.com
<zooko>
Thanks!
<zooko>
Sent! Thank you so much for expressing interest in this particular thing, which I've invested hours into and am very proud of even though it has never really been "published".
<bsm117532>
Let me state here for posterity, my respect for zooko notwithstanding in the preceding discussion.
<bsm117532>
It is always the onus of the creator of an idea to prove it, not the responsibility of everyone else to disprove it. A simple Sybil attack is to flood the knowledgeable with bullshit, and force them to make sense of it. This is madness. It is far easier to create bullshit and supply it to the knowledgeable than for the knowledgeable to disprove it. One must prove one's ideas.
<zooko>
:-)
<bsm117532>
And here I'm going to shill: http://ledgerjournal.org. Our purpose is to separate the wheat from the chaff and find the truly great ideas, by the only system that has truly proven itself: peer review. We will find the most relevant expert and submit it to rigorous peer review. We exist to determine if your idea passes muster. That's what peer review is. We have many relevant experts or will find a relevant exp
limbera has left #bitcoin-wizards [#bitcoin-wizards]
chjj has quit [Ping timeout: 260 seconds]
chxdd has quit [Remote host closed the connection]
Burrito has quit [Quit: Leaving]
N0S4A2 has quit [Quit: WeeChat 1.5]
<zooko>
Uhm, thanks for the suggestion! What a compliment. Tell me if you still want me to submit it after you look at that text file I sent.
<zooko>
It doesn't have any blockchain in it.
netsin has joined #bitcoin-wizards
netsin has quit [Client Quit]
chjj has joined #bitcoin-wizards
PaulCapestany has quit [Quit: .]
PaulCapestany has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
whphhg has quit [Ping timeout: 260 seconds]
netsin has joined #bitcoin-wizards
<midnightmagic>
Right, except the managing editor is a plagiarizing aggressive type who draws little cartoons of people getting crushed to death. <_<
netsin has quit [Remote host closed the connection]
netsin has joined #bitcoin-wizards
nuke1989 has quit [Remote host closed the connection]
TheSeven has quit [Ping timeout: 272 seconds]
[7] has joined #bitcoin-wizards
whphhg has joined #bitcoin-wizards
mkarrer has quit []
mkarrer has joined #bitcoin-wizards
moli has quit [Read error: Connection reset by peer]
moli has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 250 seconds]
AusteritySucks has quit [Ping timeout: 276 seconds]
paveljanik has quit [Quit: Leaving]
Aranjedeath has quit [Quit: Three sheets to the wind]
zooko has quit [Ping timeout: 250 seconds]
netsin has quit []
AusteritySucks has joined #bitcoin-wizards
molz has joined #bitcoin-wizards
moli has quit [Ping timeout: 246 seconds]
Giszmo has quit [Remote host closed the connection]
AusteritySucks has quit [Ping timeout: 244 seconds]
rusty has quit [Ping timeout: 244 seconds]
afk11 has quit [Ping timeout: 252 seconds]
r0ach has quit [Ping timeout: 250 seconds]
afk11 has joined #bitcoin-wizards
afk11 has quit [Changing host]
afk11 has joined #bitcoin-wizards
dEBRUYNE has joined #bitcoin-wizards
afk11 has quit [Ping timeout: 272 seconds]
afk11 has joined #bitcoin-wizards
afk11 has quit [Changing host]
afk11 has joined #bitcoin-wizards
ManfredMacx has joined #bitcoin-wizards
hashtagg has joined #bitcoin-wizards
hashtag_ has quit [Ping timeout: 250 seconds]
dEBRUYNE has quit [Quit: Leaving]
Guyver2 has joined #bitcoin-wizards
midnightmagic has quit [Ping timeout: 272 seconds]
dEBRUYNE has joined #bitcoin-wizards
dEBRUYNE has quit [Read error: Connection reset by peer]
c0rw1n has quit [Ping timeout: 240 seconds]
c0rw1n_ has quit [Ping timeout: 250 seconds]
r0ach has joined #bitcoin-wizards
dEBRUYNE has joined #bitcoin-wizards
berndj has quit [Ping timeout: 246 seconds]
dEBRUYNE has quit [Quit: Leaving]
mkarrer has quit []
mkarrer has joined #bitcoin-wizards
chjj has quit [Ping timeout: 250 seconds]
xsdfdfsa has joined #bitcoin-wizards
Ylbam has joined #bitcoin-wizards
chjj has joined #bitcoin-wizards
MaxSan_ has quit [Ping timeout: 272 seconds]
xsdfdfsa has quit [Remote host closed the connection]
domwoe has quit [Remote host closed the connection]
<JackH>
do we have any documentation explaining some potential use cases for OP_CSV/OP_CLTV besides lightning/payment channels?
<maaku>
JackH: the sidechain peg uses CSV
<JackH>
I thought that required additional opcodes to fully verify maaku
<maaku>
yes it does
<maaku>
you didn't specify current bitcoin script only ;)
<maaku>
one of the many opcodes required is CSV
<JackH>
the portion that won't be working is fully validating sidechain tokens on the Bitcoin blockchain right?
<JackH>
its still not "aware" as far as I understand
<JackH>
even with CSV
<JackH>
I actually wanted to talk to you about this:
<JackH>
BIP 68 and 112 (CSV) let you start the clock only when the channel is being closed out, which has two primary implications: channel close-out can be much faster (configurable, but realistically a few days in the worst case), and channels never expire. Pretty cool.
<JackH>
CSV is also useful for the sidechain 2-way peg, or any other application that involves waiting for things to settle or to see if anyone can provide a fraud proof.
<JackH>
(I invented CSV. Ping me if you have other questions.)
<JackH>
you wrote that on reddit at some point
ThomasV has joined #bitcoin-wizards
<JackH>
could I "bind" my op_cltv & op_csv transaction with my sidechain op_cltv & op_csv transaction to form a pegging that way? so that I "bind" tokens on the secondary layer together?
<jl2012>
petertodd did mention the idea of relative locktime on this topic. But I can't find the post
<jl2012>
relative locktime is more reliable for this purpose, as it ensures that the redeem tx must be known to the public for a certain amount of time
<jl2012>
a long enough CLTV is ok too
<JackH>
well we have both now, so we are good
<jl2012>
using CSV/CLTV is much easier than petertodd's idea in 2013
Burrito has joined #bitcoin-wizards
<JackH>
I just want to go away from the over exploited op_return and the counterparty way of doing things
ruby32 has quit [Ping timeout: 250 seconds]
<maaku>
JackH: i'd probably need more specific info, as I'm not sure what you mean by "bind your [mainchain] transaction with your sidechain transaction"
ThomasV has quit [Ping timeout: 252 seconds]
<JackH>
I am thinking about a previous conversation on IRC where luke questions if lightning can be built on top of lightning. With that type of layers of abstractions, I can imagine intertwining layers from multiple chains, in order to make use of Bitcoins as tokens to perform some actions required (some contract execution or a more complex function)
<JackH>
binding = perform computational operations by requiring Bitcoins as part of the process
<GreenIsMyPepper>
yes, it's theoretically to treat payments on LN as circuits
<GreenIsMyPepper>
theoretically possible, I mean
<jl2012>
JackH: a pathological gambler may use CLTV/CSV to securely lock their money
<JackH>
now that is a service!
<JackH>
but it still requires Bitcoin, as money for the gambler, which means he needs to exchange into BtC
<JackH>
I want to use the secondary layers as features for computations, and for example use them as part of larger executions that for instance originate in a sidechain (just to keep the protocol layer identical)
ruby32 has joined #bitcoin-wizards
dEBRUYNE has joined #bitcoin-wizards
ManfredMacx has quit [Quit: Bye]
Giszmo has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
domwoe has quit [Remote host closed the connection]
<petertodd>
jl2012: yeah, I need to do a quick writeup/standard on csv for fidelity bonds
<JackH>
petertodd, it would be great if you can include general CSV potential cases
<petertodd>
JackH: iirc the bip has those written up
<JackH>
petertodd, I noticed a few things were mentioned yes
<JackH>
I guess I keep going back to my own idea about mixing channel txs via CSV with other scripts....I'll figure it out eventually myself
<JackH>
like GreenIsMyPepper pointed out
domwoe has quit [Remote host closed the connection]
nonaTure has quit [Ping timeout: 276 seconds]
nonaTure has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 250 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
markus-k has joined #bitcoin-wizards
molz has quit [Ping timeout: 252 seconds]
<Chris_Stewart_5>
Can you think of all consensus rules in bitcoin right now as a mathematical set R, and the set of all possible consensus rules as the mathematical set S, if we add a softfork, is that softfork increasing the cardinality of set R by one?
nonaTure has quit [Ping timeout: 246 seconds]
<Chris_Stewart_5>
and any removal of an element from set R is a hardfork?
AaronvanW has quit [Read error: Connection reset by peer]
AaronvanW has joined #bitcoin-wizards
Tenhi_ has joined #bitcoin-wizards
x0f_ has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 260 seconds]
neha has quit [Ping timeout: 244 seconds]
neha has joined #bitcoin-wizards
moli has joined #bitcoin-wizards
nonaTure has joined #bitcoin-wizards
Tenhi_ has quit [K-Lined]
rdponticelli has quit [Remote host closed the connection]
Chris_Stewart_5 has joined #bitcoin-wizards
murch has quit [Quit: Leaving.]
c0rw1n- has quit [Ping timeout: 252 seconds]
<maaku>
Chris_Stewart_5: sure i suppose. a specific hard fork can introduce more than one rule though
<maaku>
gah, specific soft fork
<Chris_Stewart_5>
Seems like that is more of an implementation detail rather than the abstract concept of a soft fork
N0S4A2 has joined #bitcoin-wizards
<maaku>
sure
Chris_Stewart_5 has quit [Ping timeout: 246 seconds]
Adiabat has quit [Remote host closed the connection]
Samdney has joined #bitcoin-wizards
afk11 has quit [Ping timeout: 276 seconds]
domwoe has quit [Remote host closed the connection]
domwoe has joined #bitcoin-wizards
afk11 has joined #bitcoin-wizards
afk11 has quit [Changing host]
afk11 has joined #bitcoin-wizards
domwoe has quit [Remote host closed the connection]
domwoe has joined #bitcoin-wizards
bsm117532 has quit [Remote host closed the connection]
iddo has joined #bitcoin-wizards
mkarrer_ has joined #bitcoin-wizards
MRL-Relay has quit [Ping timeout: 244 seconds]
MRL-Relay has joined #bitcoin-wizards
mkarrer has quit [Ping timeout: 244 seconds]
kinlo has quit [Ping timeout: 244 seconds]
nba_btchip has quit [Ping timeout: 244 seconds]
nba_btchip has joined #bitcoin-wizards
livegnik has quit [Ping timeout: 244 seconds]
yang has quit [Ping timeout: 244 seconds]
livegnik has joined #bitcoin-wizards
kinlo has joined #bitcoin-wizards
yang has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 240 seconds]
moli has quit [Ping timeout: 250 seconds]
kvnn has joined #bitcoin-wizards
<kvnn>
Hello
dEBRUYNE has quit [Quit: Leaving]
bsm117532 has joined #bitcoin-wizards
<kvnn>
can I currently use nLockTime to create a tx w/ output1, and then create another tx w/ output1 without a time lock, in order to invalidate the first transaction?
dEBRUYNE has joined #bitcoin-wizards
rdponticelli has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
dEBRUYNE has quit [Quit: Leaving]
<kvnn>
the time-locked transaction is just an "unconfirmed transaction" until the "minimal time" is reached, right?
<helo>
kvnn: it's invalid, and needs to be broadcast after the time is reached
<kvnn>
what if its broadcast before the time is reached?
<helo>
it's treated as an invalid transaction
King_Rex has quit [Remote host closed the connection]
<kvnn>
so the answer to my first question would be "yes", right?
King_Rex has joined #bitcoin-wizards
<kvnn>
if that first tx is broadcast after the time-lock, it's still going to be invalid b/c the output was already spent
King_Rex has quit [Remote host closed the connection]
superkuh has quit [Quit: the neuronal action potential is an electrical manipulation of reversible abrupt phase changes in the lipid bilayer]
dEBRUYNE has joined #bitcoin-wizards
superkuh has joined #bitcoin-wizards
domwoe has quit [Remote host closed the connection]
kvnn has quit [Remote host closed the connection]
domwoe has joined #bitcoin-wizards
MaxSan_ has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
domwoe has quit [Remote host closed the connection]