sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
jimmysong has joined #bitcoin-wizards
jimmysong_ has quit [Ping timeout: 240 seconds]
Emcy_ has joined #bitcoin-wizards
Emcy has quit [Ping timeout: 240 seconds]
shesek has joined #bitcoin-wizards
shesek has quit [Changing host]
shesek has joined #bitcoin-wizards
pro has quit [Quit: Leaving]
dnaleor has quit [Quit: Leaving]
dabura667 has joined #bitcoin-wizards
sausage_factory has quit [Ping timeout: 240 seconds]
Chris_Stewart_5 has quit [Ping timeout: 240 seconds]
d9b4bef9 has quit [Remote host closed the connection]
str4d has quit [Ping timeout: 248 seconds]
d9b4bef9 has joined #bitcoin-wizards
arubi has quit [Remote host closed the connection]
arubi has joined #bitcoin-wizards
AaronvanW has quit []
eddiewang has quit [Remote host closed the connection]
eddiewang has joined #bitcoin-wizards
eddiewang has quit [Ping timeout: 248 seconds]
eddiewang has joined #bitcoin-wizards
Noldorin has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
rmwb has quit [Remote host closed the connection]
rmwb has joined #bitcoin-wizards
legogris has quit [Remote host closed the connection]
legogris has joined #bitcoin-wizards
rmwb has quit [Ping timeout: 255 seconds]
rmwb has joined #bitcoin-wizards
TheSeven has quit [Ping timeout: 240 seconds]
dabura667 has quit [Remote host closed the connection]
TheSeven has joined #bitcoin-wizards
dabura667 has joined #bitcoin-wizards
TheSeven has quit [Ping timeout: 246 seconds]
TheSeven has joined #bitcoin-wizards
Emcy_ has quit [Ping timeout: 240 seconds]
rmwb_ has joined #bitcoin-wizards
rmwb has quit [Ping timeout: 240 seconds]
Emcy has joined #bitcoin-wizards
d9b4bef9 has quit [Remote host closed the connection]
d9b4bef9 has joined #bitcoin-wizards
packetsmurf has joined #bitcoin-wizards
coinsmurf has quit [Ping timeout: 240 seconds]
rmwb_ has quit [Remote host closed the connection]
rmwb has joined #bitcoin-wizards
prime_ has joined #bitcoin-wizards
chjj has quit [Ping timeout: 240 seconds]
eddiewang has quit [Remote host closed the connection]
eddiewang has joined #bitcoin-wizards
eddiewang has quit [Ping timeout: 240 seconds]
BashCo has quit [Remote host closed the connection]
jannes has joined #bitcoin-wizards
dnaleor has joined #bitcoin-wizards
BashCo has joined #bitcoin-wizards
chjj has joined #bitcoin-wizards
rmwb has quit [Remote host closed the connection]
rmwb has joined #bitcoin-wizards
rockhouse has joined #bitcoin-wizards
rockhouse has quit [Changing host]
rockhouse has joined #bitcoin-wizards
rmwb has quit [Ping timeout: 246 seconds]
MaxSan has joined #bitcoin-wizards
shesek has quit [Ping timeout: 248 seconds]
shesek has joined #bitcoin-wizards
MaxSan has quit [Ping timeout: 276 seconds]
MaxSan has joined #bitcoin-wizards
CheckDavid has joined #bitcoin-wizards
daszorz has joined #bitcoin-wizards
Logicwax has quit [Ping timeout: 260 seconds]
MaxSan has quit [Ping timeout: 246 seconds]
Logicwax has joined #bitcoin-wizards
eddiewang has joined #bitcoin-wizards
eddiewang has quit [Ping timeout: 240 seconds]
MaxSan has joined #bitcoin-wizards
MaxSan has quit [Max SendQ exceeded]
MaxSan has joined #bitcoin-wizards
MaxSan has quit [Max SendQ exceeded]
MaxSan has joined #bitcoin-wizards
rmwb has joined #bitcoin-wizards
rmwb has quit [Ping timeout: 248 seconds]
MaxSan has quit [Ping timeout: 240 seconds]
pro has joined #bitcoin-wizards
MaxSan has joined #bitcoin-wizards
MaxSan has quit [Max SendQ exceeded]
MaxSan has joined #bitcoin-wizards
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
rmwb has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
jguchte has joined #bitcoin-wizards
rmwb has quit [Ping timeout: 255 seconds]
HostFat_ has quit [Ping timeout: 276 seconds]
JackH has quit [Quit: Leaving]
<waxwing>
i just looked up DMMS in sidechains.pdf and noticed that it describes DMMS but doesn't attempt to formally define it. am i imagining it, or did an earlier draft have some kind of definition?
jguchte has quit [Quit: Page closed]
echonaut has quit [Remote host closed the connection]
echonaut has joined #bitcoin-wizards
HostFat has joined #bitcoin-wizards
rmwb has joined #bitcoin-wizards
punch has joined #bitcoin-wizards
MaxSan has quit [Ping timeout: 240 seconds]
CheckDavid has quit [Quit: Connection closed for inactivity]
rmwb has quit [Ping timeout: 255 seconds]
deusexbeer has quit [Ping timeout: 240 seconds]
dabura667 has quit [Remote host closed the connection]
cluckj has quit [Quit: Leaving]
davec has quit [Ping timeout: 255 seconds]
davec has joined #bitcoin-wizards
eddiewang has joined #bitcoin-wizards
c0rw1n has quit [Ping timeout: 248 seconds]
eddiewang has quit [Ping timeout: 255 seconds]
c0rw1n has joined #bitcoin-wizards
Giszmo has joined #bitcoin-wizards
rmwb has joined #bitcoin-wizards
thrmo has joined #bitcoin-wizards
eddiewang has joined #bitcoin-wizards
intcat has quit [Remote host closed the connection]
Chris_Stewart_5 has joined #bitcoin-wizards
belcher has quit [Quit: Leaving]
intcat has joined #bitcoin-wizards
PaulCapestany has quit [Quit: .]
trippysalmon has joined #bitcoin-wizards
rmwb has quit [Ping timeout: 276 seconds]
Murch has joined #bitcoin-wizards
PaulCapestany has joined #bitcoin-wizards
dnaleor has quit [Quit: Leaving]
CheckDavid has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
eddiewang has quit [Remote host closed the connection]
eddiewang has joined #bitcoin-wizards
midnightmagic has quit [Ping timeout: 260 seconds]
<andytoshi>
waxwing: there is a pseudo-definition in pos.pdf .. that is as close as i got to a formal definition
<waxwing>
andytoshi: ok, thanks. that's probably what my memory was pinging me about, then.
<andytoshi>
i had spent a while trying to define it widely enough that pos would sensibly fall under the definition (then i could argue it didn't satisfy the security property because of costless simulation) but i wound up either defining it so broadly that there was no cost requirement and basically no security definition, or so narrowly that only proof-of-work could satisfy it
eddiewang has quit [Ping timeout: 248 seconds]
<andytoshi>
at the time we wrote the sidechains paper we thought that the dynamic-membership thing was super important because we cared about mining decentralization and censorship resistance, which are the properties that sidechains need. intuitively that's totally orthogonal to whether robust consensus can be achieved .. for that it seems like the cost requirement of PoW is the most important thing, and
<andytoshi>
dynamic membership is basically a consequence of that rather than the other way around.
<andytoshi>
at the time i didn't think bitcoin could be so resilient if its mining centralization story didn't get dramatically better, but history has proven me wrong, and now my thinking is that DMMS is not really a useful way to think about what PoW gets us
<waxwing>
i think the signature being on work rather than an identity is pretty central. but i tend to look at these things in vague, handwavy ways :)
deusexbeer has joined #bitcoin-wizards
<andytoshi>
yeah, i like "signature of work", we should've used that rather than "dynamic membership" as the main feature of the signature
rmwb has joined #bitcoin-wizards
<andytoshi>
but at the time i was very concerned about having enough miners to prevent censorship (now i focus on doing things that miners simply cannot detect :P), and also debunking the NXT/peercoin proof-of-stake hotness (which has since evolved into systems that are reasonably open about having totally different trust models
<kanzure>
instagibbs: you should post that in the partially signed transaction thread on bitcoin-dev.
midnightmagic has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
CheckDavid has joined #bitcoin-wizards
rmwb has quit [Ping timeout: 246 seconds]
AaronvanW has joined #bitcoin-wizards
Aaronvan_ has joined #bitcoin-wizards
alferz has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
<waxwing>
it's interesting, probably needed. introduces another pre-round of interaction before carrying out the join, iiuc.
<waxwing>
need to pass around your sigs of H(A|x) before starting the signing round, right.
<waxwing>
it's like signing before signing; first sign to authenticate, then sign to authorise (payment).
Aaronvan_ is now known as AaronvanW
Chris_Stewart_5 has joined #bitcoin-wizards
<kanzure>
instagibbs: ehy not force user to remember previous input sighash...? it should be trusted unchanging data after first pass, ya?
<kanzure>
*why
dnaleor has joined #bitcoin-wizards
<waxwing>
kanzure: i think the attack model here is for the HW wallet not to trust anything, verifies increasing balance in the tx itself.
<waxwing>
hence 'host' etc.
HostFat_ has joined #bitcoin-wizards
HostFat has quit [Ping timeout: 240 seconds]
<arubi>
could you add the fees expected to sighash somehow that can also be validated by the hw wallet?
<arubi>
oh wait, the output still pays, but not to you right? hm
<waxwing>
i think it has to be implicit that the device verifies outputs ownership, that side shouldn't be a problem right.
<andytoshi>
typically you give bip32 paths to the device for outputs it owns. you can lie to it and say it doesn't own something it does, but not the other way around
<andytoshi>
i think that adding fees to SIGHASH_ALL would've been a strict improvement, thoguh i'm not sure how general the benefit would be, there's a lot of attack surface here to think about
adlai has quit [Changing host]
adlai has joined #bitcoin-wizards
rmwb has joined #bitcoin-wizards
Aaronvan_ has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
<instagibbs>
I think general input attribution is needed for the coinjoin case, and possibly others
prime_ has quit [Ping timeout: 255 seconds]
<kanzure>
"not to trust anything" well it has to trust the user that the transaction is intended to be signed, right?
<kanzure>
or is this not using the trust root model?
<arubi>
well if I can assert somehow that an input of mine in a transaction will result in an output that pays more than this input's worth, then I won't mind running that in the background :)
<kanzure>
for hardware wallets my personal preference has been to always have a verification step before sending anything to the hardware wallet (e.g. verify the transaction and check the inputs and outputs)
<arubi>
hardware wallets already try to tell you which output is your change with bip32, so if you sign your input amount, fees, and the "change" amount is larger than the input, you can't lose
<kanzure>
"check the inputs" includes things like: look at the prevout transaction; identify the nature of the prevout transaction (why is it in your wallet or what purpose did it serve) (same with each referenced output); check the amounts on the inputs by checking the referenced outputs; check any data that the user included w.r.t amount *expectations* for the transaction to confirm that utxo data ...
<kanzure>
...from mainnet conforms to the user's expectations; do bip32 derivations for any of the inputs yadda yadda; do bip32 derivations for any of the outputs and report to user the output amounts (including total fee). etc.
<arubi>
oh yea, I was only thinking about coinjoin\joinmarket stuff here. for some specific payment I do want this control
<kanzure>
joinmarket is defo SIGHASH_ALL ya?
<arubi>
right
<instagibbs>
even in the completely manual case I'd like to know the fees im claiming to sign are actually real, it's additive
<kanzure>
all of that should be automated and standardized. "go to some website and paste" is silly.
<kanzure>
and verifying a signed transaction is fine but the verification steps should have occurred even earlier in the process before applying any signatures at all
<arubi>
oh wow, I should upgrade my scheme..
rmwb has quit [Ping timeout: 276 seconds]
<kanzure>
in that pdf they suggest using a quarantined machine for certain procedures (which i agree with) but i disagree that a qr code works for the transfer of all relevant data (qr codes crap out at like 1 kb i thought?)
<kanzure>
so for non-private (and non-secret) data that needs to be sent to a quarantined machne i would suggest either multiple qr codes exchanged by screen or audio transfer
IniGit has quit []
Alina-malina has quit [Ping timeout: 240 seconds]
blackwraith has joined #bitcoin-wizards
Raccoon has quit [K-Lined]
priidu has quit [Ping timeout: 240 seconds]
nicolagreco has quit [Ping timeout: 255 seconds]
nicolagreco has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 248 seconds]
Alina-malina has joined #bitcoin-wizards
MaxSan has quit [Quit: Leaving.]
harrymm has joined #bitcoin-wizards
shesek has quit [Ping timeout: 240 seconds]
Giszmo has joined #bitcoin-wizards
Belkaar has quit [Ping timeout: 246 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
Chris_Stewart_5 has joined #bitcoin-wizards
CheckDavid has quit [Quit: Connection closed for inactivity]
Alina-malina has quit [Changing host]
Alina-malina has joined #bitcoin-wizards
JackH has joined #bitcoin-wizards
prime_ has joined #bitcoin-wizards
thrmo has joined #bitcoin-wizards
eddiewang has quit []
rmwb has joined #bitcoin-wizards
thrmo has quit [Ping timeout: 255 seconds]
thrmo has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 246 seconds]
oleganza has joined #bitcoin-wizards
<oleganza>
If i understand correctly from past conversations, UTXO snapshots are not trustworthy in BTC/Ethereum: for 100% autonomy you need to replay the entire chain from genesis block.
<oleganza>
At the same time, Mimblewimble allows to have the similar compression via cut-through. So every block is effectively a UTXO snapshot and, if i understood gmaxwell's comment a few days back, somehow that snapshot *is* trustworthy (e.g. does not require replay of all transactions from the genesis block). Maybe i've reinterpreted that incorrectly.
rmwb has quit [Ping timeout: 276 seconds]
<oleganza>
So, if MW enables utxo snapshots w/o changing the trust assumptions, would it be possible to have that in Bitcoin in plaintext mode? Where range proof is simply a plaintext amount & a signature for the blinding factor? That should be the same overhead as today (no rangeproofs, 1 sig per output, but now associated with an output, not the input).
Chris_Stewart_5 has joined #bitcoin-wizards
<kanzure>
the compact chain sinking signatures stuff?
<andytoshi>
oleganza: in MW you need the utxo snapshot *plus* the kernels (excess values) from every previous block
<andytoshi>
so it's more like you're compressing all the transactions into single signatures, than that you're getting rid of them entirely
<kanzure>
in that sense, yes signature aggregation for bitcoin is a good idea
<andytoshi>
oh i see what you're saying oleganza , to basically do MW + normal bitcoin
<andytoshi>
and no, that doesn't work because once you cut-through scripts you lose the ability to verify them, so you're again weakening the trust model
<andytoshi>
MW really depends on its lack of scripts, so there's no script-based security to be lost
alferz has quit [Ping timeout: 240 seconds]
PaulCapestany has quit [Quit: .]
HostFat_ has quit [Ping timeout: 240 seconds]
jps has joined #bitcoin-wizards
<oleganza>
andytoshi: got it, that's where i was confused.
<oleganza>
(re: MW really depends on its lack of scripts, so there's no script-based security to be lost)
<oleganza>
thanks!
<oleganza>
so it seems even theoretically there's no way of having UTXO snapshots that are compatible with BTC's security model (even if we can tweak PoW to some compressible PoW)?
<oleganza>
oh, wait. I'm confused again.
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
<oleganza>
What i meant above is what if we have opt-in outputs of second sort that do not use scripts at all, but pubkeys. And malleability/cut-through compression applies only to these outputs?
<oleganza>
and lets imagine, 99% of outputs eventually become these new MW-style outputs (sans CT).
<oleganza>
would then the process of "blockchain replay" be more efficient, closer to MW? Or still no?
<oleganza>
kanzure: thanks for the link!
HostFat has joined #bitcoin-wizards
<andytoshi>
oleganza: yeah, if these were used for entire transactions (all inputs and outputs are these "scriptless ouptuts") you can compress them to just excess values (which wolud be attached to the transactions in the form of OP_RETURN outputs)
<andytoshi>
we had an intern here at blocstream implement a good chunk of this this summer on Elements actually, since we already had CT
execute has quit [Ping timeout: 240 seconds]
<oleganza>
:-)
jps has quit [Quit: jps]
<oleganza>
i guess the big part of petertodd's idea of MMR TXOs being committed from time to time is not only efficiency, but also having enough PoW built on top of a single snapshot, so once can trust it better than just taking an arbitrary tip.
<andytoshi>
yeah, absolutely, and MW gives a way to really amplify that
<oleganza>
s/once/one/
<oleganza>
i wonder if there's ever a case for fully-autonomous bootstrap of a node where we can't simply grab a "universally acceptable" snapshot from a month ago. IMHO, it's similar to how you manually check the software that you download. You compare checksums etc before trusting it. Similarly, you can check that everyone's on chain X having the same snapshot Y from 4000 blocks ago.
<oleganza>
that's not 100% automated (vs. just loading up a genesis block and running from there), but we don't do node upgrades or first-installs in 100% automated manner either...
<oleganza>
(i know, i know, the next logical step is "subjectivity something" and full vitalking towards PoS)
<kanzure>
no next step w/ trust is to skip PoS and go straight to signed blocks
<oleganza>
yup
<oleganza>
but not having decent UTXO snapshots in the face of ever-growing blockchain is a huge PITA while everyone-verified UTXO snapshots with a large grace period is (probably?) very far from PoS/signed blocks in terms of relaxing security assumptions.
<oleganza>
or is it?
<kanzure>
have you kept track of the full node proposals where the user pairs an lite client with their full node?
<oleganza>
have seen something about it. Is there a good summary?
<oleganza>
i'm not saying once cannot run a network of lite nodes off a trusted full node. I'm talking about setting up your own full node from scratch.
<oleganza>
today you can efficiently do it manually by copying bitcoin data folder from a trusted friend and then never be sure if one UTXO was tweaked, so 99% of the time your chain is valid until it isn't.
<oleganza>
(cont.) if that entire utxo snapshot was verified by the network (assuming extra cost is worth it), you'd be sure your friend did not tweak a single utxo there.
<oleganza>
so it was either full-blown 51% attack (which is our current model anyway), or your utxo set is 100% correct.
<andytoshi>
ignoring the optics of it, there's certainly an argument that if you're downloading a trusted binary of core, you might as well also trust a recent chainstate that they've signed (and better, if there were a process within gitian that downloaded and verified that whole chainstate)
<oleganza>
yup
<oleganza>
and if chainstate is signed/verified by the whole network, and also the software is compiled from sources and verified by whole network, then... then... then it'll be Tezos-level of voodoo (without bad parts)
<oleganza>
but, alas, our compilers require too delicate setting (via VM) to emit deterministic binaries.
rmwb has joined #bitcoin-wizards
<andytoshi>
heh, well, i'm not suggesting anynthing very elaborate with the "whole network" or whatnot, just "this chain was signed by these people with real names and reputations, who I'm already trusting not to provide me backdoored software anyway"
eck has quit [Quit: we out here]
Chris_Stewart_5 has quit [Ping timeout: 240 seconds]
Aaronvan_ is now known as AaronvanW
rmwb has quit [Ping timeout: 240 seconds]
eck has joined #bitcoin-wizards
eck has quit [Client Quit]
eck has joined #bitcoin-wizards
eck has quit [Client Quit]
eck has joined #bitcoin-wizards
eck has quit [Client Quit]
eck has joined #bitcoin-wizards
Newyorkadam has joined #bitcoin-wizards
blackwraith has quit [Read error: No route to host]
Murch has quit [Quit: Snoozing.]
blackwraith has joined #bitcoin-wizards
Murch has joined #bitcoin-wizards
meshcollider has joined #bitcoin-wizards
eck has quit [Quit: we out here]
eck has joined #bitcoin-wizards
JackH has quit [Ping timeout: 255 seconds]
LeMiner2 has joined #bitcoin-wizards
LeMiner has quit [Ping timeout: 248 seconds]
LeMiner2 is now known as LeMiner
rmwb has joined #bitcoin-wizards
oleganza has quit [Quit: oleganza]
JackH has joined #bitcoin-wizards
JackH has quit [Ping timeout: 255 seconds]
Newyorkadam has quit [Quit: Newyorkadam]
oleganza has joined #bitcoin-wizards
Noldorin has quit [Remote host closed the connection]