sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
Ylbam has quit [Quit: Connection closed for inactivity]
<yoleaux>
@kanzure Do you know which paper about SC in Solidity Boneh is referring to in the beginning? (@domiwoe)
<sipa>
SC?
<kanzure>
smart contracts? dunno.
dEBRUYNE has joined #bitcoin-wizards
cyphase has quit [Quit: cyphase.com]
thesnark has quit [Ping timeout: 276 seconds]
<domwoe>
yeah
<domwoe>
I'm referring to that: "There was a paper that came out of this with ethereum smart contracts. So did elaine shi. They were using the python version of the scripting language. Ours is the javascript version of the scripting language."
cyphase has joined #bitcoin-wizards
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
thesnark has joined #bitcoin-wizards
AusteritySucks has quit [Ping timeout: 252 seconds]
<pigeons>
they have a "go-like" version too, Mutans or something. I guess people only use solidity now
bildramer has quit [Ping timeout: 258 seconds]
bildramer has joined #bitcoin-wizards
AusteritySucks has joined #bitcoin-wizards
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
<domwoe>
That's the python/serpent paper by Elaine Shi he mentions
dnaleor has quit [Quit: Leaving]
<kanzure>
unfortunately that elaine shi paper was mentioned by me, not dan
<kanzure>
although he recognized it, so *shrug*
<domwoe>
ah ok. But "Ours is the javascript version of the scripting language." refers to Boneh's group
<kanzure>
yes that's right
<domwoe>
hmm maybe it's not yet published
jtimon has quit [Ping timeout: 252 seconds]
bildramer has quit [Ping timeout: 250 seconds]
thesnark has quit [Ping timeout: 244 seconds]
bildramer has joined #bitcoin-wizards
netzin has joined #bitcoin-wizards
netzin is now known as nets1n
dEBRUYNE has quit [Ping timeout: 250 seconds]
King_Rex has quit [Remote host closed the connection]
nuke_ has quit [Quit: Leaving]
rhett has joined #bitcoin-wizards
<rhett>
hi wizards
<rhett>
Why doesn't someone do what ethereum classic did for a larger blocksize bitcoin?
<rhett>
instead of the bitcoin XT approach
<rhett>
give everyone who currently has bitcoin equivalent bitcoin XL on a new forked blockchain, and then list it on an exchange?
<sipa>
that's what classic/xt would have done if it actually got adopted
<rhett>
I thought classic was trying to write blocks on the bitcoin blockchain
belcher has quit [Ping timeout: 264 seconds]
<sipa>
a hard fork causes a fork... afterwards there are two chains
<rhett>
right, like ethereum classic
<sipa>
the only difference is who gets to claim the name 'bitcoin'
<sipa>
but there is no technical difference here
<rhett>
maybe I'm confused. With ETH/ ETC, there are two chains. ETC won't likely "die" completely even if its market cap goes way down
<rhett>
I thought bitcoin XT was trying to write blocks on the bitcoin blockchain
<rhett>
and competing for block writing
<rhett>
the ETC approach doesn't care what ETH does
<rhett>
ETC is just an altcoin
<rhett>
and it trades on an exchange
<rhett>
just like litecoin or dogecoin
<sipa>
i would argue that the new 'ETH' is an altcoin, and ETC is just the new name for what ETH used to be
<sipa>
yes, you're confused
<sipa>
there is zero difference between the two approaches
<rhett>
so, where can I buy bitcoin XT?
<sipa>
xt never caused a fork
<sipa>
because it didn't get adopted by miners
<sipa>
there is no such thing as 'writing in the bitcoin blockchain'; after a fork, there are two completely independent chains
<rhett>
so there is 100% difference between the two approaches
<sipa>
there would be no difference if XT or Bitcoin Classic would have been adopted
<rhett>
so there is 100% difference between the two approaches
<sipa>
no
<sipa>
what XT was _trying_ to do is exactly the same thing as what ETH _did_
<rhett>
can't you make an altcoin with like 2 miners?
<dgenr8>
in the last 2 hours BIP109 has 4.2% of hash power. but it is defined not to fork with less than 75%
<sipa>
sure, it would be very insecure though
<rhett>
ok, so ETC started out very insecure. The main differences were social ones, not necessarily technical
<rhett>
let people speculate on an insecure altcoin
<sipa>
yes, the difference is that for ETH/ETC, a fork actually happened, and despite all claims that everyone would switch to the new ETH, that was wrong... and ETC actually got some traction
<dgenr8>
sipa: how do you feel about it? you mention quite often that "100% agreement is required to fork"
<bsm1175321>
The one thing the ETH/ETC fiasco taught me was that there is a profit motive for exchanges to enable trading on both sides of the fork, and it has nothing to do with technical merits of the fork. ANY hard fork which creates two tradeable coins can cause a 50% split of mining power, and effective destruction of the currency.
<domwoe>
Although it would be much harder to continue a minority fork in bitcoin because the difficulty only gets re-adjusted every 2000 blocks or so
<sipa>
plus bitcoin actually gets used for payments
<rhett>
exactly bsm117532 I think someone must do it with bitcoin soon
<bsm1175321>
rhett I think you misunderstood me.
<rhett>
not that it will necessarily be good for bitcoin
<rhett>
but good for the exchanges
<sipa>
rhett: i don't understand why you think so. Classic and XT and Unlimited _tried_ to do exactly that in bitcoin
<rhett>
and coin pumpers
<sipa>
you seem to think that what happened with ETH was somehow different
<rhett>
sipa: it was different because kraken, poloniex, soon coinbase, email customers and say, "hey you have some free ETC"
<sipa>
rhett: no, it was different because miners actually went along with the fork
<sipa>
rhett: the fact that exchanges then chose to also list the minority fork was a logical consequence
<rhett>
imagine if they just emailed everyone and said, "hey you have some free BTC-XL"
<rhett>
bitcoin ran fine on 1% of the mining power it has today
<sipa>
that's irrelevant
<rhett>
coins with low mining power are just worth less
<sipa>
that's completely unrelated
<sipa>
a minority chain with 1% would be trivially attacked by the 99%
<sipa>
plus it would greatly undermine bitcoin's value proposition
<rhett>
they are separate coins
<rhett>
why doesn't dogecoin get trivially attacked?
<sipa>
doesn't prevent attacking
<sipa>
because it's a different proof of work function
<sipa>
bitcoin miners can't be used to attack dogecoin
<bsm1175321>
Dogecoin did. They implemented merge-mining with litecoin to mitigate it.
<kanzure>
sipa: pool hopping does cause problems for some scrypt-based altcoins
<sipa>
kanzure: yes, but a scrypt miner can't be used to attack a sha-pow chain
<kanzure>
(and other hash functions, of course)
<rhett>
So, if the fork changes the work function, but uses the same keypairs?
<sipa>
rhett: that's possible
<dgenr8>
rhett: if a bitcoin fork actually does try to do what ETC did, you'll know it
<sipa>
rhett: but then you can't claim to be the 'successor' to bitcoin anymore
<rhett>
i'd want to get in early if the coin pumpers are any good
<sipa>
well good luck :)
<dgenr8>
sipa: how do you feel about relying on close ties with centralized mining? necessary evil?
<kanzure>
dgenr8: how do you feel about asking loaded questions? :)
<dgenr8>
the only guy I've seen talk about an "inspired derivative" of bitcoin is Reid Hoffman
<kanzure>
sipa: perhaps exchanges that want to capitalize on the belief of users like rhett would be better off without a hard-fork at all. instead, they could list other symbols for trading prior to and without any fork, by holding the private keys themselves. then the exchanges would be responsible for not double spending against themselves.
nets1n has quit [Remote host closed the connection]
nets1n has joined #bitcoin-wizards
aalex has quit [Ping timeout: 240 seconds]
<kanzure>
sipa: also, from a safety perspective, it is much better for exchanges to list something like that, rather than running an altcoin source code (for example: see how cryptsy was hax0red via remote backdoor in one of the altcoin implementations that they installed on to a shared server). other safety benefits include not blowing up the network in difficult-to-illustrate ways, or not needing to spend money on R&D for anti-replay tech things.
<sipa>
kanzure: ha! starts to sound like how buying virtual mining contracts is sometimes more profitable than buying actual hardware :)
nets1n has quit [Ping timeout: 252 seconds]
aalex has joined #bitcoin-wizards
<kanzure>
sipa: nope, no profitability claims were being made :)
<kanzure>
sipa: and it's entirely possible for highly-centralized constructions to be profitable, regardless of infringement on underlying principles. anyway, the exchanges could choose to use their fee earnings to fund deployment of.. uh.. whatever it is that they think they want..
<kanzure>
*fee earnings from that new listed symbol (in particular)
<dgenr8>
sipa: will blockstream introduce sidechains that mix transferred BTC with generated native tokens?
<kanzure>
i think others have already introduced that (drivejobs etc)
<dgenr8>
sipa: how do you feel about censorship?
<sipa>
dgenr8: i have no idea what you mean
<kanzure>
dgenr8: what's up?
<sipa>
by mix, do you mean coinjoin?
<dgenr8>
no, i mean creating value units in coinbases or the like, and not just by incoming transfers from BTC
<sipa>
native assets on a sidechain is something we're working on, yes
<sipa>
not sure what you mean by mixing
<dgenr8>
that the generated units are indistinguishable from or used equivalently to the incoming transferred units. ie new money supply created by and for ... someone
<sipa>
well they're a different asset class than BTC
<sipa>
if they're indistinguishable, you'd be creating a fractional reserve layer
<dgenr8>
last week i was chatting with a Ripple guy. he expressed that he would be just fine with XRP, of which his company owns half the supply, becoming the dominant crypto currency
<sipa>
the amount of BTC in a sidechain must exactly match the amount pegged to it from the bitcoin chain, or you'd cause a "run on the sidechain" as the last people out would lose
<sipa>
i hope that the design of sidechains makes such a thing unviable, as the pegged amounts on both sides are visible to everyone
<dgenr8>
suppose the sidechain is really useful. because of improvements (that haven't been made to bitcoin). then the BTC units transferred there might be more valuable, even after dilution from money printing.
<sipa>
with a 2-way peg in place the value on both sides should be identical
<sipa>
or close to identical
<sipa>
due to the slow transfer there may be some arbitrage possible
<dgenr8>
hence my original question. will blockstream introduce sidechains that mix transferred BTC with generated native tokens?
<sipa>
do you mean whether we plan to create a fractional reserve bitcoin in a sidechain? definitely not
<dgenr8>
how reassuring :)
<dgenr8>
hit kanzure
<dgenr8>
hi
<kanzure>
i know 18 forms of whatever CSW said, hitting me is ill advised
<sipa>
and i hope that the design of sidechains makes that impossible for anyone else who would want to try
<sipa>
at least it would have to be a transparent fractional reserve, where all users are aware of it
<kanzure>
it's not really a concern because a federated signing model is not really useful in the same way that bitcoin is currently useful. so "it would be more valuable" is possible (in terms of market price) but it's also irrelevant -- lots of highly centralized bad ideas have a high market price, who cares.
<kanzure>
(and even if you strike "highly centralized" from my last message, i still think that a 10,000-signatory sidechain is still not encroaching on bitcoin value prop)
<kanzure>
(and perhaps some might think 10k-signatory/functionary is highly centralized anyway, hehe)
<dgenr8>
a sidechain as an altcoin that supports pegging, so pretty much the whole universe is open to it in terms of design. anyone disagree with that characterization?
<kanzure>
strong disagree. many forms of sidechain designs can be ill-advised . large chunks of universe are inaccessible from a design perspective.
<dgenr8>
s/as/is
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
<maaku>
kanzure what CSW said is only 9 forms/schools
AusteritySucks has quit [Ping timeout: 276 seconds]
Tenhi_ has quit [K-Lined]
default has joined #bitcoin-wizards
default is now known as Guest48235
AusteritySucks has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
wizkid057 has joined #bitcoin-wizards
Sleepnbum has joined #bitcoin-wizards
PaulCapestany has quit [Quit: .]
PaulCapestany has joined #bitcoin-wizards
nets1n has quit [Remote host closed the connection]
AusteritySucks has quit [Ping timeout: 244 seconds]
dnaleor has quit [Read error: Connection reset by peer]
tectonic has joined #bitcoin-wizards
dnaleor has joined #bitcoin-wizards
nets1n has joined #bitcoin-wizards
AusteritySucks has joined #bitcoin-wizards
nets1n has quit [Remote host closed the connection]
nets1n has joined #bitcoin-wizards
tectonic has left #bitcoin-wizards [#bitcoin-wizards]
AusteritySucks has joined #bitcoin-wizards
oneeman has joined #bitcoin-wizards
domwoe has quit [Remote host closed the connection]
mdavid613 has joined #bitcoin-wizards
licnep has joined #bitcoin-wizards
AusteritySucks has quit [Ping timeout: 250 seconds]
dnaleor has quit [Quit: Leaving]
whphhg has quit [Remote host closed the connection]
whphhg_ has joined #bitcoin-wizards
whphhg_ is now known as whphhg
AusteritySucks has joined #bitcoin-wizards
dnaleor has joined #bitcoin-wizards
Ylbam has joined #bitcoin-wizards
HostFat has quit [Quit: Leaving]
Mazz_ has joined #bitcoin-wizards
dnaleor has quit [Ping timeout: 240 seconds]
nets1n has quit [Remote host closed the connection]
FNinTak has joined #bitcoin-wizards
dnaleor has joined #bitcoin-wizards
<FNinTak>
Re: ASICs; is there any reason to expect an ASIC for some PoW function to never be developed?
<FNinTak>
Seems like Memory-hard functions or even Proofs-of-Storage would only delay this until marketcap reaches some threshold
oneeman has quit [Remote host closed the connection]
<kanzure>
FNinTak: yes that's why one common argument is that the function needs to be simple. by using something with hidden obscure optimizations, you're bifurcating the market into people who are clever enough to know to make those optimizations on their asics, etc...
liviud has quit [Read error: Connection reset by peer]
liviud has joined #bitcoin-wizards
<luke-jr>
FNinTak: the idea behind memory-hard and proof-of-storage is that everyone already can get the ASIC; otherwise, an ASIC can always be made
<FNinTak>
Agreed; my question is more that even in those situations, the incentive to create new ASICs is a function of marketcap
<FNinTak>
Which, if significant optimizations are possible, doesn't solve the problem of centralized mining...
<luke-jr>
if you already have an ASIC, the optimizations possible are much reduced in theory
nets1n has joined #bitcoin-wizards
<luke-jr>
e.g., if you had a truly memory-hard PoW, then the best you could do is replace the PC with a FPGA controller to reduce build costs (but not runtime costs)
<luke-jr>
this is assuming the PoW relies on the memory being reliable of course; otherwise you could perhaps get a small boost by then overclocking it
<luke-jr>
but even that shouldn't be nearly as significant as a formerly non-ASIC algo
<luke-jr>
essentially it makes it into a hardware competition, rather than competing against emulators (CPU/GPU mining)
nets1n has quit [Remote host closed the connection]
<FNinTak>
Or fab an FPGA with High-Bandwidth Memory, where the memory dies sit on top of the FPGA itself
<luke-jr>
perhaps
<FNinTak>
re hardware competition: by definition the devices available to average consumers will lag significantly behind enterprise-level products, for which access is restricted
<luke-jr>
access is not currently restricted, and general-purpose use means that is unlikely to change just for mining
<cjd>
There's a pow function called Argon2 which supposedly uses data-dependent behavior, which means branching, and that knocks out most SIMD stuff (GPU); if I understand it properly, it's designed so that the best ASIC for attacking it is almost identical to a commodity CPU
<luke-jr>
cjd: that'd be bad :p
<luke-jr>
CPUs are extremely complex
<cjd>
because botnets?
<qpm>
tx:<Jeremy_Rand> FNinTak: I very much enjoyed a talk a few months ago from Adam Back, where he suggested that you could design an ASIC that solves arbitrary CPU-based PoW problems faster than a CPU can.
<luke-jr>
because you're just giving Intel/AMD a monopoly on mining
<qpm>
tx:<Jeremy_Rand> The idea was that you could design something that's basically a general-purpose CPU, but with a reliability of only 90 - 95% rather than the much higher reliability needed for commercial CPU's
<cjd>
ahh, nice trick
<qpm>
tx:<Jeremy_Rand> Totally useless for general purpose computing, but would probably be a lot faster at mining
<cjd>
If you want a "task" which is really really hard to do on anything other than a CPU, look at compiling C code like e.g. the linux kernel
Guest48235 has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
<sipa>
cjd: pow functions which are hard to do on anything but a general purpose cpu usually have very nontrivial avenues for algorithmic optimization
justanotheruser has quit [Read error: Connection reset by peer]
<luke-jr>
cjd: not all tasks can be PoW ;)
<sipa>
typical example: say you create a PoW function which consists of 1000 different hash algorithms, and the used one depends on a simple hash of the data
<cjd>
sipa: That agrees with my intuition
<sipa>
you'd think you need to build an asic that can do all 1000 algorithms
<luke-jr>
might be nice to use SNARK execution as a PoW though - at least then we'd have secondary use cases for the ASICs
<qpm>
tx:<Jeremy_Rand> luke-jr: you could hypothetically turn any task into a SNARK circuit, and use the SNARK proving and verifying algos as the mining and verifying algos.
<sipa>
but no, you can just select the subset of data that uses a single pow function
justanotheruser has joined #bitcoin-wizards
<qpm>
tx:<Jeremy_Rand> luke-jr: heh, great minds think alike it seems
<sipa>
and if that gives you a 1000-fold power improvement, it will beat general purpose cpus
<qpm>
tx:<Jeremy_Rand> (I'm not saying that using SNARKs for that is necessarily a good idea. Just that it occurred to me as a possibility.)
<sipa>
qpm: alike minds call each other great :)
<cjd>
yeah, I found the scrypt time-memory tradeoff back in 2010 before litecoin was implemented
<cjd>
FNinTak: you're going to want Argon2i for this
<qpm>
tx:<Jeremy_Rand> sipa: I know, I actually strongly dislike the phrase "great minds think alike" since it discourages independent thought / innovation. Yet I still find myself using it occasionally.
<cjd>
modulo what sipa says :)
<FNinTak>
Also @luke-jr RISC-V CPUs would stand a chance here
<FNinTak>
cjd: you sure? 2d is the variant with data-dependent access patterns
<kanzure>
"Can we build a hash function that is memory hard, but the memory access pattern is independent of the password being hashed? It can depend on a salt, but not the password. The answer is yes. Argon is one of the candidates that provides this. Unfortunately argon doesn't have a security proof, and we were able to show a time-space tradeoff, in the version that has a constant... there was a recent paper that does give a ... time-space ...
<kanzure>
... tradeoff on argon, and then it shows that tradeoff is optimal."
<kanzure>
cjd: ^
<cjd>
There's always *a* space/time, it should just be very expensive
<gmaxwell>
these functions are not interesting as hashcash, as they are symmetrically hard to verify.
<gmaxwell>
or at least not very interesting.
<Alanius>
gmaxwell: do you mean any memory-hard function, or specifically the argon family?
<gmaxwell>
Alanius: the argon family (actually also basically every memory hard function discussed in phc)
<gmaxwell>
wrt "a tradeoff", it's referring to time area product which is what that subfield has decided is the standard for memory hardness. I'm unconvinced by that metric since it ignores that hardware costs are amortized across continued uses but energy is not.
<FNinTak>
Which is then an argument against energy-efficient PoWs?
<maaku>
this channel is bifurcated into those obsessed with PoW, and those who couldn't care less :\
<qpm>
* tx:Jeremy_Rand finds PoW discussion highly interesting in small occasional doses, is definitely not obsessed with it, and is enjoying the current discussion
<gmaxwell>
I find them profoundly boring, virtually nothing new has been said in the last 4 years.
<gmaxwell>
most of the things people go on about end up being really severely broken.
<gmaxwell>
When they're not, they're only "interesting upto constant factors".
<gmaxwell>
which is the most limited type of interesting
<qpm>
tx:<Jeremy_Rand> gmaxwell: I'll assume that you're correct on that, but for non-experts like me, it is beneficial to see this kind of thing discussed periodically, as it helps us catch up a bit to the experts in the field
<gmaxwell>
much of it is the same tarpit that sci.crypt suffered in the 90s where everyone and their brother felt the need to cook up their own unsoundly constructed block cipher. Turns out that it's much easier to fling out some ideas than to reason about them.
<kanzure>
summaries would probably be more helpful than periodic discussion, although i'm not eager to sit around producing large writeups
<gmaxwell>
yea I'm not yelling about the conversation, just mostly pointing out that I agree its boring.
<maaku>
Jeremy_Rand: I think what gmaxwell is saying is that this field isn't advancing. It's been in a 4 year rut. Once you're caught up, it's the same old stuff under new names.
<maaku>
Although I think tromp's work on memory _bandwidth_ limited pow is an exception to that, but it's the only one and still nothing revolutionary...
<Alanius>
that does raise the question though, what standards does a development have to satisfy in order to be considered new stuff?
<kanzure>
a small heartwarming data point that some here might appreciate is that according to twitter analytics the dan boneh discussion was much more widely read than the other two recent docs.
<qpm>
tx:<Jeremy_Rand> kanzure: agree that summaries are more useful in theory, but I think the interactive nature of discussions makes it a bit easier to understand thought processes. Perhaps a "FAQ"-style summary would be the best of both.
<kanzure>
Jeremy_Rand: yep, need a volunteer or to pay someone to do that.
<qpm>
tx:<Jeremy_Rand> But yes, agreed that most people who thoroughly understand the topic probably have better things to do than write detailed summaries.
<FNinTak>
I found the ASIC FAQs by apoelstra very useful, a document of a similar format concerning memory-hardness, etc. would be useful
<kanzure>
andytoshi operates on a strict payment schedule of one bottle of beer per page minimum
<qpm>
tx:<Jeremy_Rand> maaku: as an amateur, I perceived the Cuckoo Cycle PoW concept to be an advancement as well, regardless of whether it ends up being usable in the real world. Is my perception shared by more knowledgeable people?
<bsm1175321>
PoW is the anchor of the coin to the real world. It's the way real world value is coupled into the coin. That comes in two forms: initial capital costs, and running costs (electricity). PoW algorithms generally don't paint themselves on these axes, but should. I agree with gmaxwell, it's boring...
<bsm1175321>
"memory hard" just shifts the initial capital cost to another form that doesn't require designing an ASIC.
<kanzure>
why would that be true? you can put lots of memory on ASICs.
<andytoshi>
FNinTak: i've been trying to think about memory hardness over the last couple weeks, but i don't have anything more insightful to say than what's in the ASIC paper
<andytoshi>
which is a footnote about how it shifts costs from operating to capital
<FNinTak>
Ah, didn't remember that from my previous reads; that's fair
licnep has quit [Quit: Connection closed for inactivity]
<FNinTak>
though there is extra complexity introduced with memory-hardness re: caching and the bounds on how much SRAM can be used, etc.
<FNinTak>
Also could be worth mentioning Proofs-of-Storage?
<bsm1175321>
It seems to me that the only way to prove storage is to have storage. If you've reduced your storage to a small set of proofs that you can verify, then I can reduce it in the same way and you won't know that I don't have your storage until you request it all. So, the "proof" only works if I know what I'm going to ask you, and you don't.
<bsm1175321>
These proofs are very unlike PoW hashes.
<Alanius>
that sounds very much like it cannot be made non-interactive