sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
hsmiths__ has joined #bitcoin-wizards
c0rw|zZz has quit [Read error: Connection reset by peer]
c0rw|zZz_ has joined #bitcoin-wizards
Dizzle has joined #bitcoin-wizards
hashtag has quit [Read error: Connection reset by peer]
Guyver2 has quit [Read error: Connection reset by peer]
<bramc>
phantomcircuit, I'm not going to get 100% code coverage of every branch where an integrity check fails in my tests. I hope you understand.
<bramc>
Done rewriting get_root(). That was only 80 lines of code for today. Time to call it a day.
bramc has quit [Quit: This computer has gone to sleep]
adam3us has quit [Read error: Connection reset by peer]
adam3us has joined #bitcoin-wizards
wallet42 has joined #bitcoin-wizards
Ylbam has quit [Quit: Connection closed for inactivity]
coinoperated has joined #bitcoin-wizards
NewLiberty has joined #bitcoin-wizards
<phantomcircuit>
petertodd, i hadn't seen that before, it's a strong point
<phantomcircuit>
(from the logs kanzure posted)
zookolaptop has quit [Remote host closed the connection]
zookolaptop has joined #bitcoin-wizards
raver_edm has joined #bitcoin-wizards
bramc has joined #bitcoin-wizards
wallet421 has joined #bitcoin-wizards
wallet421 has quit [Changing host]
wallet421 has joined #bitcoin-wizards
wallet421 is now known as wallet42
<bramc>
kanzure, A fascinating thing about ZK is that it allows for very compact and quick to check proofs of non-fraud. That's all academic for the time being though. Right now the relevant thing for what I'm working on is compact proofs of inclusion and exclusion for the set.
<bramc>
And there's always the problem of invalidity that something can be technically valid but no longer because some of the data it refers to has become lost forever
<kanzure>
the conversation in those logs was because of a proposal by petertodd to make a small change to make some of those proofs easier in the near future
<kanzure>
you probably did not see his email about this topic, let me dig up a link
<bramc>
In sipa's segwit design proofs of fraud of fees are much simpler because each node in the tree includes a fee amount
frankenmint has quit [Remote host closed the connection]
<bramc>
kanzure, Oh yes I saw that. I don't like it as a solution. It adds a bunch of technical gunk which may not work so well to try and disincentivize validationless mining, when what's really needed is a bunch of work to remove the disincentives from validation, mostly around latency and validation time. Those are things we're working on already.
<bramc>
In fact it may make validation time worse. Either the re-hashing is of just the witness root, which is a trivial thing to communicate without also sending the complete set of witness data, or you have to hash over all the witness data, which obviously increases latency and costs of validation, or you check a sample of witness data, which sort of works but yech.
hsmiths__ has quit [Quit: Connection closed for inactivity]
AaronvanW has quit [Ping timeout: 260 seconds]
brg444 has quit [Ping timeout: 252 seconds]
justanot1eruser has joined #bitcoin-wizards
justanotheruser has quit [Read error: Connection reset by peer]
coinoperated has quit [Ping timeout: 276 seconds]
brg444 has joined #bitcoin-wizards
CubicEarth has quit [Remote host closed the connection]
frankenmint has joined #bitcoin-wizards
justanot1eruser is now known as justanotheruser
CubicEarth has joined #bitcoin-wizards
Giszmo has quit [Ping timeout: 240 seconds]
smk has joined #bitcoin-wizards
GGuyZ has quit [Quit: GGuyZ]
Tiraspol has quit []
<kanzure>
psztorc: i am wondering if you could elaborate on "In a complex system, it is logically defensible to say “I don’t know what the rule is for, but we should keep it right where it is anyway.” In fact, civilization practically depends on this (namely, our laws)."
<kanzure>
perhaps with something other than laws
Giszmo has joined #bitcoin-wizards
Alopex has joined #bitcoin-wizards
Alopex has quit [Excess Flood]
Dizzle has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
Alopex has quit [Read error: Connection reset by peer]
Burrito has quit [Quit: Leaving]
JackH has quit [Ping timeout: 265 seconds]
Alopex has joined #bitcoin-wizards
Tomiii has quit [Quit: Tomiii]
Alopex has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
Alopex has joined #bitcoin-wizards
Alopex has quit [Remote host closed the connection]
Transisto2 has joined #bitcoin-wizards
Tiraspol has joined #bitcoin-wizards
Tiraspol has quit [Changing host]
Tiraspol has joined #bitcoin-wizards
c-cex-yuriy has joined #bitcoin-wizards
Alopex has joined #bitcoin-wizards
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
Alopex has quit [Remote host closed the connection]
GGuyZ has left #bitcoin-wizards [#bitcoin-wizards]
GGuyZ has joined #bitcoin-wizards
GGuyZ has left #bitcoin-wizards [#bitcoin-wizards]
Alopex has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 260 seconds]
smk has quit [Ping timeout: 252 seconds]
belcher has quit [Quit: Leaving]
funkenstein_ has joined #bitcoin-wizards
RedEmerald has quit [Ping timeout: 265 seconds]
raver_edm has quit [Quit: Leaving]
justanotheruser is now known as gentoognuhurd
brg444 has quit [Quit: Page closed]
RedEmerald has joined #bitcoin-wizards
TheSeven has quit [Ping timeout: 260 seconds]
arowser has quit [Quit: No Ping reply in 180 seconds.]
arowser has joined #bitcoin-wizards
TheSeven has joined #bitcoin-wizards
alpalp has quit [Read error: Connection reset by peer]
<petertodd>
bramc: why do you think it's possible to reduce latency? no-one has ever come up with a way to reduce worst-case bandwidth driven latency with anything similar to the current design of bitcoin
alpalp has joined #bitcoin-wizards
<petertodd>
bramc: equally, validation driven latency is mostly a non-issue - validation is parallelizable fairly easy, and there's nothing wrong with propagating non-validated data
wallet42 has quit [Read error: Connection reset by peer]
coinoperated has joined #bitcoin-wizards
wallet42 has joined #bitcoin-wizards
wallet42 has quit [Client Quit]
wallet42 has joined #bitcoin-wizards
wallet42 has quit [Client Quit]
<bramc>
petertodd, The main thing necessary for reducing latency (and by this I mean making miners able to ensure that their blocks don't get orphaned) is for there to be ways to make sure that a block is only a tiny marginal amount of data on top of what's already widely propagated. Weak blocks basically fix that problem.
<petertodd>
bramc: weak blocks are an average case fix, not a worst-case fix, and they probably disadvantage smaller miners too
<bramc>
petertodd, Huh? In the 'aggressive' case, a weak block only has a 'hard' dependency on a previous weak block's 'weak' reference, so the amount of data needed to propagate it is less than 1k
<bramc>
I mean, a successful block only has those dependencies.
<petertodd>
bramc: remember that broadcasting weak blocks is optional
<petertodd>
bramc: you find the most blocks relative to your competitors if less than 100% of the hashing power receives your block in time, with the threshold being at about 33%
GGuyZ_ has joined #bitcoin-wizards
GGuyZ_ is now known as GGuyZ
p15 has joined #bitcoin-wizards
<bramc>
petertodd, That's an unfortunate problem which I don't have any good answers to.
<petertodd>
bramc: the best answer I have is keep the blocksize small enough that it's not a significant problem - that's just a hard constraint on our design until we come up with better protocols that actually fix it
<bramc>
How is that a fix if weak blocks aren't?
<petertodd>
bramc: weak blocks are a perfectly good average case optimization, but they can't be used to justify a blocksize increase
<bramc>
petertodd, I'm not advocating a blocksize increase. Well, not past the < 2x from segwit
NewLiberty has quit [Ping timeout: 250 seconds]
<petertodd>
bramc: sure - so you agree with me that weak blocks aren't a worst-case optimization?
<petertodd>
bramc: er, worded better, you agree with me that weak blocks don't improve worst-case, non-cooperating, block propagation?
tulip has joined #bitcoin-wizards
<bramc>
Define 'non-cooperating'
<petertodd>
bramc: e.g. if I decide I'll optimize for less than 100% propagation
<bramc>
petertodd, If you want to optimize for less than 100% propagation you can do that just by waiting on sending out the block you found.
<petertodd>
bramc: I'm better off doing it by selectively not propagating, to push out my highest latency competitors - just waiting harms them all equally, which isn't as useful
<petertodd>
bramc: equally, if I'm just being lazy, and my weak block setup isn't working well for whatever reason
<bramc>
petertodd, I'm hazy on the argument here. You seem to be saying that if there are weak blocks it's worthwhile for one miner to make their blocks go out as slow as possible. Won't that just increase their own orphan rate and hurt them?
<petertodd>
bramc: you just need to get your blocks to >29.2% of hashing power to optimize ratio of blocks you find vs. blocks they find
brianhoffman has joined #bitcoin-wizards
<bramc>
petertodd, I heard this argument before but haven't fully grokked it yet. If I assume what you say is true, then the problem is that each miner is under some scenarios incented to make their blocks go out slower, and the protocol's job is to make them go out fast even when whoever minted the block is trying to make it go out slow?
rusty has quit [Ping timeout: 245 seconds]
<petertodd>
bramc: exactly,
<petertodd>
bramc: really, we need to be in a situation where once you broadcast your block to anyone at all, it's guaranteed to get to everyone in negligible time
<bramc>
The problems with quadratic hashing on single large transactions are also a big deal in that case
<petertodd>
bramc: of course it is, fortunately fixing that is fairly uncontroversial - why I haven't (publicly) made a big deal about it
<petertodd>
bramc: it's the bandwidth cost that is the fundamental problem
<bramc>
What is the uncontroversial fix to the quadratic hashing problem?
PRab has quit [Quit: ChatZilla 0.9.92 [Firefox 43.0.1/20151216175450]]
<petertodd>
bramc: limiting tx size isn't such a big deal
PRab has joined #bitcoin-wizards
<petertodd>
bramc: equally, can change the sighash algorithm
<bramc>
Allowing transactions to be included in a block in an arbitrary order is also a serious issue. There's a fair amount of meaningless information encoded in there which has to be broadcast
<petertodd>
bramc: for instance, can make CHECKSIG error out if tx size >100KB, and then soft-fork in a better CHECKSIG later that doesn't have the issue
<petertodd>
bramc: why is order relevant to worst case?
<bramc>
Come to think of it, the attack here is that miner might fill their block with garbage transactions which nobody has seen before. Since transaction fees are currently de minimis they wouldn't be losing out on anything that way
<kanzure>
btw i'm not sure petertodd has context about your merkle tree stuff
funkenstein_ has quit [Quit: Leaving]
<kanzure>
(well, he has context, but probably not knowledge of your details in particular)
CubicEarth has quit [Remote host closed the connection]
<bramc>
kanzure, I don't think it matters for what we're discussing now
<bramc>
Historically miners have been worried about the opposite problem: They freak out when their blocks get orphaned, and they've done everything in their power to avoid that, including publishing empty transactions
<petertodd>
bramc: yes, that's exactly what the attack is - I've been saying that for literally years now :)
<petertodd>
bramc: although, it's even worse because this *effect* can happen without actual malice
<petertodd>
bramc: miners worry about the opposite because currently they're not acting entirely economically rationally
CubicEarth has joined #bitcoin-wizards
<petertodd>
bramc: I mean, heck, miners in china even go as far as to loan hashing power to each other w/o payment so...
<tulip>
it's curious how trusty mining has become, people actually get concerned when there's blocks mined which don't have a publicly visible claim in the coinbase transaction as to who mined it.
NewLiberty has joined #bitcoin-wizards
<bramc>
petertodd, I think your analysis is correct but it doesn't carry over to when there are only intermittent potential orphans, it has to be a sustained thing. I'll work on it later when I'm more awake and present when I think I have a coherent argument though.
<petertodd>
bramc: why does intermittency change the analysis?
<tulip>
it's probably ingrained enough that if anybody did mine blocks specifically defrauding other people, the blame would be instantly attributed to whoever was supposed to have mined it.
<petertodd>
tulip: if I had hashing power, I'd put someone else's pool in my coinbase and mine RBF :)
CubicEarth has quit [Read error: Connection timed out]
<coinoperated>
there was a post on reddit a week ago by (someone who claimed to be) a large scale miner, to the effect that they all talk to one another these days and don't undertake any significant decisions individually without running the idea past the rest of the G-9
<bramc>
petertodd, Because your potential for slowing everybody down is much when it's intermittent. I should be able to support this argument with some simple math though, so I'll hold off on making a strong claim until I work out the details. I'm a little wiped from doing too much coding at this point today so I'll sleep on it and slog through everything later.
<petertodd>
coinoperated: that's probably correct, although remember that's a very situationally dependent phenomenon...
CubicEarth has joined #bitcoin-wizards
brianhoffman has quit [Ping timeout: 256 seconds]
<petertodd>
bramc: cool, looking forward to hearing about it
<tulip>
wonder what would happen if large pools broke that cartel and started not re-using addresses.
<bramc>
petertodd, I'll let you know whatever the expanded model indicates
<bramc>
There's a weird thing about distribution of mining power. If you have a small number of miners they can have a gentleman's agreement not to try to re-mine bogon fees. With very distributed mining power attempts to re-mine bogon will fail in practice. Somewhere in the middle is a level of distribution where bogon fees make the system melt.
CubicEarth has quit [Remote host closed the connection]
frankenmint has quit [Remote host closed the connection]
Yoghur114 has quit [Ping timeout: 272 seconds]
Yoghur114 has joined #bitcoin-wizards
CubicEarth has joined #bitcoin-wizards
wallet421 has joined #bitcoin-wizards
wallet421 has quit [Changing host]
wallet421 has joined #bitcoin-wizards
wallet42 has quit [Killed (weber.freenode.net (Nickname regained by services))]
wallet421 is now known as wallet42
chjj has quit [Quit: null]
Transisto2 has quit []
wallet42 has quit [Read error: Connection reset by peer]
frankenmint has joined #bitcoin-wizards
chjj has joined #bitcoin-wizards
rustyn has quit [Read error: Connection reset by peer]
rustyn has joined #bitcoin-wizards
Transisto2 has joined #bitcoin-wizards
frankenmint has quit [Remote host closed the connection]
frankenmint has joined #bitcoin-wizards
CubicEarth has quit [Remote host closed the connection]
c-cex-yuriy has quit [Quit: Connection closed for inactivity]
Yoghur114 has quit [Ping timeout: 260 seconds]
Yoghur114 has joined #bitcoin-wizards
dcousens has joined #bitcoin-wizards
bramc has quit [Quit: This computer has gone to sleep]
ThomasV has joined #bitcoin-wizards
zookolaptop has quit [Ping timeout: 256 seconds]
tripleslash_b has joined #bitcoin-wizards
tripleslash_a has quit [Ping timeout: 260 seconds]
hdbuck has joined #bitcoin-wizards
hdbuck has quit [Changing host]
hdbuck has joined #bitcoin-wizards
coinoperated has quit [Ping timeout: 276 seconds]
waxwing has quit [Read error: Connection reset by peer]
waxwing has joined #bitcoin-wizards
giel__ has quit [Read error: Connection reset by peer]
giel__ has joined #bitcoin-wizards
CubicEarth has joined #bitcoin-wizards
giel__ has quit [Quit: Leaving]
chjj has quit [Quit: null]
chjj has joined #bitcoin-wizards
Alopex has quit [Remote host closed the connection]
psztorc has quit [Quit: Page closed]
hdbuck has quit [Quit: hdbuck]
supasonic has quit [Ping timeout: 260 seconds]
rasengan has quit [Quit: leaving]
rasengan has joined #bitcoin-wizards
throughnothing has quit [Quit: Leaving...]
heyrhett has joined #bitcoin-wizards
<heyrhett>
I have a dumb question. I heard that 40% of the altcoins on coinmarketcap have failed. Does anyone know what tends to cause these failures? Is there a trend?
<nsh>
why should they succeed in the first place?
ThomasV has quit [Ping timeout: 240 seconds]
<nsh>
what is the value proposition offered? what underpins the ostensible value? what are the requirements maintenance and development and community that allow bitcoin to succeed which may be lacking in altcoins?
chjj has quit [Ping timeout: 264 seconds]
<nsh>
(unless you want to go into theoretical issues, this discussion is better suited to #bitcoin however)
<nsh>
(altcoin failure is more often sociological than theoretical, which is not to say there's a lack of technical fuck-ups, but they're secondary to the social/cultural issues generally)
<gentoognuhurd>
heyrhett: yes, the failure is due to the fact that they are scams
<heyrhett>
I get that they are scams
<heyrhett>
but I guess I'm wondering where the line is. What level of network participation is needed to maintain a PoW coin?
<heyrhett>
and how exactly do they fail
chjj has joined #bitcoin-wizards
<heyrhett>
I'm a little more interested in wondering if analogous situations could apply to bitcoin
<heyrhett>
I see a lot of small time coins still running with a small number of miners
<heyrhett>
not listed on exchanges
<heyrhett>
maybe they are considered failures if there is no real exchange that supports them anymore
<nsh>
this shouldn't be surprising though. the fact that it's surprising to you that altcoins fail probably means you don't understand the extent to which it's an incredibly difficult engineering problem
<heyrhett>
nsh: did I say I was surprised?
<heyrhett>
thanks for the link
<nsh>
imagine i said "one" instead of "you"
<nsh>
:)
Ylbam has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
<fluffypony>
heyrhett: the vast majority of them have no raison d'être
<fluffypony>
most of the rest are scams
<fluffypony>
there's maybe 1% of 1% that are actually useful / not scams / not designed by utter retards
<fluffypony>
and the vast majority of those 1% of 1% will fail anyway
<heyrhett>
fluffypony: i'm aware. my favorite one is ripoffcoin
<fluffypony>
frustratingly there's LOTS of decentralised theatre in the altcoin world, and very few participants are honest enough to be realistic about how insecure their pet project is (in relation to Bitcoin)
<heyrhett>
even ripoffcoin seems to technically be operating though, with $14 in volume on cryptsy in the past 24 hours
<heyrhett>
I'm not sure if that counts in the 40% failure stat I heard
<fluffypony>
lol
<fluffypony>
I think if we're going by trade volume it's a lot higher than that
<fluffypony>
85 coins on CMC had > $100 in trade over the last 24 hours
<fluffypony>
that's of the 667 listings
<fluffypony>
so 13% are "actively" traded by some arbitrary measure I just made up
<fluffypony>
we have #bitcoin-wizards-offtopic for that now :)
<heyrhett>
haha
raver_edm has joined #bitcoin-wizards
raver_edm has quit [Client Quit]
LeMiner2 has joined #bitcoin-wizards
LeMiner has quit [Ping timeout: 246 seconds]
LeMiner2 is now known as LeMiner
JackH has joined #bitcoin-wizards
CubicEarth has quit []
ThomasV has joined #bitcoin-wizards
frankenmint has quit [Remote host closed the connection]
bramc has joined #bitcoin-wizards
JackH has quit [Ping timeout: 260 seconds]
yosso has joined #bitcoin-wizards
Yoghur114 has quit [Remote host closed the connection]
Yoghur114 has joined #bitcoin-wizards
GGuyZ has quit [Quit: GGuyZ]
yossso has joined #bitcoin-wizards
yosso has quit [Ping timeout: 260 seconds]
tripleslash_k has joined #bitcoin-wizards
dEBRUYNE has joined #bitcoin-wizards
tripleslash_b has quit [Ping timeout: 260 seconds]
p15 has quit [Ping timeout: 265 seconds]
JackH has joined #bitcoin-wizards
bramc has quit [Quit: This computer has gone to sleep]
JackH has quit [Client Quit]
ElmerFunk_ has joined #bitcoin-wizards
ElmerFunk_ has quit [Remote host closed the connection]
ElmerFunk_ has joined #bitcoin-wizards
arowser has quit [Ping timeout: 245 seconds]
arowser has joined #bitcoin-wizards
sparetire_ has quit [Quit: sparetire_]
ThomasV has quit [Ping timeout: 265 seconds]
phy1729 has quit [Ping timeout: 276 seconds]
GGuyZ has joined #bitcoin-wizards
dEBRUYNE_ has joined #bitcoin-wizards
dEBRUYNE has quit [Ping timeout: 276 seconds]
dEBRUYNE_ has quit [Client Quit]
TheSeven has quit [Ping timeout: 240 seconds]
TheSeven has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
ElmerFunk_ has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
nuke1989 has quit [Remote host closed the connection]
phy1729 has joined #bitcoin-wizards
maaku has quit [Remote host closed the connection]
wallet42 has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 260 seconds]
CubicEarth has joined #bitcoin-wizards
pozitrono has joined #bitcoin-wizards
wallet42 has quit [Quit: Leaving.]
ElmerFunk_ has joined #bitcoin-wizards
CubicEarth has quit [Remote host closed the connection]
eudoxia has joined #bitcoin-wizards
wallet42 has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 260 seconds]
GAit has joined #bitcoin-wizards
ElmerFunk_ has quit [Remote host closed the connection]
maaku has joined #bitcoin-wizards
maaku is now known as Guest87480
Guest87480 is now known as maaku
ryan-c has quit [Ping timeout: 276 seconds]
hashtag has quit [Ping timeout: 246 seconds]
tripleslash_i has joined #bitcoin-wizards
tripleslash_k has quit [Ping timeout: 264 seconds]
GAit has quit [Quit: Leaving.]
Quanttek has joined #bitcoin-wizards
GAit has joined #bitcoin-wizards
ryan-c has joined #bitcoin-wizards
hashtag has joined #bitcoin-wizards
<SheffieldCrypto_>
We're a machine learning and predictive modeling based start-up focusing on modeling various aspects of bitcoin and other digital currencies. We're currently looking for new members, please view this google doc for more information.
<bsm117532>
PoW works because energy expenditure IS fungible between forks.
<AdrianG>
so intheoreum finally works yet?
<bsm117532>
I don't think it works, that's why I'm asking.
<bsm117532>
One has to assume consensus on the state of Casper contracts to generate consensus.
tripleslash_q has joined #bitcoin-wizards
tripleslash_i has quit [Ping timeout: 265 seconds]
<AdrianG>
bsm117532: personally, i think PoS in the end boils down to subjective emotions almost
<AdrianG>
'If someone buys up half the coins on a proof-of-stake chains, and attacks it, then the community simply needs to coordinate on a patch where clients ignore the attacker’s fork, and the attacker and anyone who plays along with the attacker automatically loses all of their coins.'
<AdrianG>
so instead of fungibility, they are hard at work on how to automate blacklisting.
<bsm117532>
Yeah. Casper seems to have a long withdrawal period (4 months), I think they just put off the range of an attack to that time scale, rather than preventing them.
melvster1 has joined #bitcoin-wizards
eudoxia_ has joined #bitcoin-wizards
eudoxia has quit [Read error: Connection reset by peer]
<instagibbs>
at this point it's hard to tell what he's solving
<instagibbs>
proposing to solve*
<fluffypony>
isn't this still the 3 second block time thing?
<bsm117532>
;;later tell bramc (re non-inclusion) Aha so you're keeping the tree in sorted order. I should have thought of that... Then you just need to show the Merkle path to two adjacent leaves and the metadata indicates there are no more children. So non-inclusion proofs are log(n) and so are inclusion proofs. But in extreme circumstances you need two Merkle paths for the non-inclusion proof. I don't understand your description of "passthrough"... :-
<gribble>
The operation succeeded.
<bsm117532>
fluffypony: No it's Ethereum's attempt at PoS.
<instagibbs>
he liked Truthcoin so much he replaced distributed consensus algorithms with it.
Giszmo has joined #bitcoin-wizards
<instagibbs>
oh ok, so the "old" PoS has already been tossed.
eudoxia_ has quit [Quit: Leaving]
<AdrianG>
they have a new one now?
Quanttek has quit [Read error: Connection reset by peer]
<bsm117532>
They've been working on this for a long time...
<fluffypony>
and it's WAY more complex than the last one, so it's exactly what they're aiming for
<jcorgan>
i never followed where their money came from, but somewhere, some investor has got to be asking hard questions by now
<zookolaptop>
jcorgan: I believe it was mostly from a crowd-fund, and my impression is that the crowd is mostly satisfied with their performance.
<zookolaptop>
And I just want to mention that I am blown away by their performance. Ethereum is a tour de force on many technical fronts and I'm impressed.
<fluffypony>
depends
<bsm117532>
Copying my criticism from the blog: Betting requires fungibility between forks, which is fundamentally impossible. The time horizon of an attack enabled by this non-fungibility is set by the time required to commit funds to be a bonded validator and then withdraw them. You've lengthened the time window of an attack by making it 4 months, but I don't think the attack can be prevented. To put it another way, in order to achieve consensus you mus
<fluffypony>
if you were part of the crowdsale and then sold at a high point you're fine
<bsm117532>
To put it another way, in order to achieve consensus you must assume consensus on the Casper contract. This is a circular argument. You must use assets external to the system to create consensus. Bitcoin's proof-of-work energy expenditure is precisely an asset that IS fungible between forks.
<zookolaptop>
bsm117532: you wrote a blog post about this? Link, please.
<fluffypony>
but if you're hodling and it crashes because they've burnt through nearly $20 million in 18 months...well...
<bsm117532>
No I just added a comment to Vitalik's blog above.
bramc has joined #bitcoin-wizards
<zookolaptop>
Disclosure: Ethereum paid us to do a security review of a few bits, and we did, and published our results. About a year ago.
<bsm117532>
zookolaptop: this Casper stuff is new, and they still don't have it figured out (I think because PoS doesn't work fundamentally for all the usual arguments). I doubt you reviewed this.
<bramc>
bsm117532 Yes it's kept in sorted order. Also because every terminal has a coherent thing in it proofs of exclusion only have to trace a single path rather than two.
<zookolaptop>
bsm117532: Right, we didn't review the Casper stuff, nor its predecessors that were current at the time we did our work.
<zookolaptop>
I don't really care to argue about it. I mostly spoke up just because I didn't want some
<zookolaptop>
observer to see me sitting silently by while people went on and on with "sour grapes" complaining about Ethereum.
<zookolaptop>
Oh, another disclosure: Vitalik is a member of my Technical Advisory Board and we're working together in other ways.
<bsm117532>
zookolaptop: I don't really have anything to argue. But I think Vitalik is smart and has good intentions. I know other people that I respect that think PoS isn't fundamentally impossible. So I keep an eye out, even though I disagree.
<bsm117532>
bramc: I see how to do it now but I don't understand "every terminal has a coherent thing in it" nor your description of "passthrough". I assume it's an optimization that gets you a single Merkle path for non-inclusion, which seems reasonable.
<fluffypony>
I know dogs that are smart, I saw a video the other day of a dog that has learnt to drive a car. it doesn't mean I'm going to let my Basenjis design a censorship-resistant, secure, decentralised system.
<bsm117532>
fluffypony: The set of people in the crypto-community that are worth paying attention to is small enough that I don't have to reject anyone by topic. ;-)
<fluffypony>
bsm117532: oh that set gets a LOT wider if you glance at altcoins now and then :-P
<bramc>
bsm117532 For example in the case where your tree is storing only two things but they share their first ten bits, the resulting tree will be ten layers of passthrough followed by a node which is terminal on both sides
Piper-Off is now known as Monthrect
kmels has joined #bitcoin-wizards
<bsm117532>
bramc: Aha because you're using a Patricia tree...
chjj has quit [Quit: null]
chjj has joined #bitcoin-wizards
brg444 has joined #bitcoin-wizards
satoshin has joined #bitcoin-wizards
GAit has quit [Quit: Leaving.]
<satoshin>
bramc: Hello
<bramc>
bsm117532 Right because it isn't balanced sometimes there's stuff on only one side. I should probably stop calling that case passthrough. That name made sense when it was handled by passthrough, and doesn't make sense when it isn't
<bramc>
satoshin, Good morning
gentoognuhurd has quit [Ping timeout: 276 seconds]
<satoshin>
bramc: it seems to me one can't have less than quadratic sized signatures and det. polynomial time verification without additional assumptions
<satoshin>
I didn't write page 3 yet
<bramc>
satoshin, Not sure what you mean by 'quadratic' in this case. Or deterministic polynomial time verification for that matter.
<satoshin>
bramc: Let n be the number of bits of security we claim to offer. I claim signature size is theta(n*n) relying only on one-way compr. funcs. ie no better algorithm exists
<satoshin>
I don't really want to innovate something here, ECDSA worked fine in Bitcoin
<satoshin>
let's consider it "Quantum era preparations" or whatever
<bramc>
satoshin, How are regular lamport signatures not linear?
<bramc>
satoshin, amiller's nonoutsourceability uses secure hash based signatures because of their strong nonoutsourceability by the way
<satoshin>
because individual digests for each bits are in this case n-bit and the whole message to be signed is m-bits, so m*n ... again quadratic
<bramc>
I mean nonmalleability
<satoshin>
but Lamport's has huge priv. and pub. keys
<satoshin>
so that's the main result of this
<bramc>
satoshin, Oh yeah that. Winternitz compression improves it a little, but yeah, that seems to be a fairly hard limit.
<satoshin>
the main result is the tiny pub and priv keys
<bramc>
You can always make public keys small by making them be the secure hash of what you would otherwise consider the public key and putting the 'whole' public key in the signature
<bramc>
Likewise private keys can be deterministically generated from a seed, thus making them small. This of course can require extra CPU on signing
GAit has joined #bitcoin-wizards
<GGuyZ>
bsm117532: That post is missing a lot. It's an interesting idea, but I find a serious gap between his strong statement of equilibrium then the notes at the end of the article
<bramc>
hash tubes make signatures a bit bigger, because (a) You have to use half of each of n pairs, rather than k/2 of k things, that loses you about a factor of 2, and (b) You can't use winternitz compression, that loses a lot more
<satoshin>
bramc: sure that has its uses
<GGuyZ>
Basically at the end they're saying that they need to see if this consensus can withstand byzantine faults
<GGuyZ>
And that the strategy is an equilibrium
<satoshin>
bramc: I disagree with the winternitz compression, on the grounds that the runtime seems to be exponential time
<bsm117532>
GGuyZ: Yep. I'm filing this under "doesn't work" for now.
<satoshin>
ie someone could ddos a node with bad signatures
<GGuyZ>
bsm117532: I agree. I just think it makes more sense to actually do the analysis first before implementing/posting about it/planning to roll it out in a big production system
<satoshin>
in my app this would be the miners, and that's where we absolutely cannot afford to have congestion
* bsm117532
continues his analysis of braids...
<GGuyZ>
:D
<satoshin>
furthermore if we want to tune the signature size, we have other ways mainly 1) we can pick stronger oneway compression function f, and make n smaller
eudoxia has joined #bitcoin-wizards
<bramc>
satoshin, Winternitz is good for a small constant factor improvement in signatures size. Getting a factor of 2 doesn't cost anything at all, 4 is totally reasonable, more than 10 is not a good idea.
<satoshin>
2) we can use different oneway f at each place in the tube and shrink n even more
supasonic has joined #bitcoin-wizards
<bramc>
Using a weaker hash function in places sounds like a really bad idea
<satoshin>
3) we can make the f more slow to compute and shrink n further, but this seems to bring the assumption that nobody will optimize f to run faster
dave4925_z has quit [Remote host closed the connection]
JayDugger has quit [Ping timeout: 264 seconds]
<satoshin>
bramc: in my application, not really, since one can only start cracking that once a user signs something, at which point one is racing with the miners
<satoshin>
I think we can safely shrink the signature to a few KB
frankenmint has joined #bitcoin-wizards
<satoshin>
at this point the signature fits in one jumbo network packet
<satoshin>
bramc: but yes, I agree with you that small n asks for trouble
frankenmint has quit [Read error: Connection reset by peer]
frankenmint has joined #bitcoin-wizards
<satoshin>
bramc: The thing I've wanted to write about on the next pages is that the doublespend transaction would have to be mined
bramc has quit [Quit: This computer has gone to sleep]
GAit has quit [Quit: Leaving.]
GAit has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 250 seconds]
JayDugger has joined #bitcoin-wizards
throughnothing has joined #bitcoin-wizards
Newyorkadam has joined #bitcoin-wizards
frankenmint has quit []
sparetire_ has joined #bitcoin-wizards
GAit has quit [Read error: Connection reset by peer]
GAit has joined #bitcoin-wizards
GAit has quit [Client Quit]
satoshin has quit [Quit: satoshin]
nabu has quit [Ping timeout: 265 seconds]
desantis has joined #bitcoin-wizards
yossso has quit [Ping timeout: 276 seconds]
desantis has left #bitcoin-wizards [#bitcoin-wizards]
TBI_ has quit [Read error: Connection reset by peer]
TBI_ has joined #bitcoin-wizards
JackH has joined #bitcoin-wizards
bsm117532 has quit [Ping timeout: 240 seconds]
throughnothing has quit [Remote host closed the connection]
eudoxia has quit [Quit: Leaving]
bsm117532 has joined #bitcoin-wizards
coinoperated has joined #bitcoin-wizards
psztorc has joined #bitcoin-wizards
<psztorc>
> psztorc: i am wondering if you could elaborate on "In a complex system, it is logically defensible to say “I don’t know what the rule is for, but we should keep it right where it is anyway.” In fact, civilization practically depends on this (namely, our laws)."
<psztorc>
kanzure: There is this concept that society has a kind of evolutionary accumulation (something like "culture").
<psztorc>
Right-libertarian economist Tom Sowell has written extensively about this...one book is Intellectuals and Society.
<kanzure>
how is it different from an argument from ignorance?
<psztorc>
No single individual can possess all of the info needed to determine, for example, what to do on a romantic date. The smart thing is to just take society's knowledge, ie older friends, tv shows, etc, and just copy that.
<psztorc>
It is different because you can observe x reliably, where x = "I thought I could come up with a better way, but I could not."
<kanzure>
i don't understand that example either! many people absolutely do determine what to do on a romantic date. how else are people sharing their company?
<psztorc>
X can be generalized, leading to so-called chaos theory.
<psztorc>
I mean, guidelines like "don't talk about politics", "wear nice clothes" or "don't expect to remain friends if you break up" stuff about how to "move on", etc.
<kanzure>
and an argument from ignorance is different because you cannot reliably observe that?
<kanzure>
thanks for the elaboration.
<psztorc>
Argument from ignorance attempts to conclude something that *isn't* "I don't know". This is more of an "I reject your conclusion, that you *do* know."
<kanzure>
oh i see. that is much more clear.
<psztorc>
It is a Karl Popper falsification, negative argument.
<kanzure>
yes i could spend all day typing about Popperian epistemology stuff ... (in fact yesterday i was reading up on his constraint of deductive consistency and also eliminative inference (or was that eliminative interference)).
<psztorc>
He is certainly The Man.
<coinoperated>
the map is there for the benefit of those who haven't done the travelling, not the ones who have
<psztorc>
Final thought: https://en.wikipedia.org/wiki/Double_pendulum Imagine that someone claims they know the shape of the drawn line. Your response would not be an 'argument from ignorance', it would be an 'argument of (universal) ignorance'.
<kanzure>
also, lately i have taken to calling a fallacy a proof of failure of independent verification
throughnothing has joined #bitcoin-wizards
<kanzure>
but i'll stop mentioning that because I'm worried that petertodd is gonna show up and insist i volunteer to only consider proofs of non-failure :)
AaronvanW has joined #bitcoin-wizards
CubicEarth has joined #bitcoin-wizards
bsm117532 has quit [Ping timeout: 240 seconds]
Heliox_ has joined #bitcoin-wizards
bsm117532 has joined #bitcoin-wizards
CubicEarth has quit [Remote host closed the connection]
AaronvanW has quit [Ping timeout: 260 seconds]
bramc has joined #bitcoin-wizards
vladzamfir has joined #bitcoin-wizards
<vladzamfir>
hey wizards
<vladzamfir>
thought you might have some questions about Casper, or maybe about why PoS works
<vladzamfir>
;)
CubicEarth has joined #bitcoin-wizards
<vladzamfir>
i think the main misunderstanding that I always hear is about the authentication model, in security-deposit-based PoS
<vladzamfir>
clients must have the list of currently bonded validators, and they authenticate the consensus against that list, only ever relying on signatures from these validators
<instagibbs>
vladzamfir, was the name "validator" deliberately chosen as a delegation to validate on those bonded parties
<vladzamfir>
yes - the whole point is that you have an economic assurance that they are validating correctly (if they don't, they lose their deposit)
<instagibbs>
or can we also say "chain voter" or something, for deciding ordering, but other full nodes can still validate everything
<vladzamfir>
and the assurance exists into the future
<instagibbs>
ok
<vladzamfir>
yeah i don't like to assume that clients ever process txs
<AdrianG>
oh nice
<vladzamfir>
light client is my religion
<bsm117532>
vladzamfir: I'm not convinced PoS works at all... Would you like to address my comment on Vitalik's blog?
<vladzamfir>
i'd rather answer your question here ^_^
<bsm117532>
Ok
<vladzamfir>
lol @kanzure can't believe you linked me to Poelstra's paper
<kanzure>
have you read it?
<vladzamfir>
ofc
<vladzamfir>
see my comment about the authentication model of PoS
<kanzure>
if you are willing to use that authentication model then why bother with proof-of-stake at all?
<vladzamfir>
because PoS lets us rotate the set of validators without a network administrator
<vladzamfir>
and gives us an economic assurance that blocks in the consensus chain are valid
<vladzamfir>
that they won't be reverted
<vladzamfir>
etc
<psztorc>
even assuming that's true, PoW also allows you to do that, so you haven't answered the question
<psztorc>
I think.
<bsm117532>
Only if you have a consensus on the state of the PoS contract, which you don't have.
AaronvanW has joined #bitcoin-wizards
<vladzamfir>
yeah PoW also does that, although not as elegantly - the aim is to have a consensus protocol that is cheap for everyone to secure except for an attacker during an attack
<vladzamfir>
at least, that's the ideal - we can't get exactly that, but we can try to get as close as possible
<psztorc>
Again, though, until you define "cheap", I can say that PoW also does that.
<AdrianG>
vladzamfir: cheap for everyone except for the attacker in case of PoS sounds like automated blacklisting
<vladzamfir>
not really, PoW always spends more than attacker might at any time
<vladzamfir>
in PoS the cost most of the time will be the cost of capital (tx fees = interest rate on bonded stake)
<instagibbs>
bsm117532, I think it's along the lines of "make the time horizons really long so out of band we can pull the emergency fork lever"
<vladzamfir>
except when deposits are lost, in which case the cost is much higher
<psztorc>
That capital cost will still equal the issuance.
<instagibbs>
not that I'm satisfied with it, for other reasons. But these arguments are all quite well-worn.
<psztorc>
It will be just as "expensive" as PoW.
<vladzamfir>
assuming the issuance is the same
<vladzamfir>
but attacking it will be more expensive
<bsm117532>
instagibbs: I think that's it too, and that's centralized control. But waiting to hear from vladzamfir.
<vladzamfir>
since losing a deposit will be more expensive
<instagibbs>
bsm117532, right, and I'd agree that's what it would degenerate to, just letting you know my interpretation since I've spent time reading their blog stuff :)
<vladzamfir>
>[21:53] <bsm117532> Only if you have a consensus on the state of the PoS contract, which you don't have.
<vladzamfir>
actually, you rely on this for PoW security, too - it's only secure insofar as the issuance has a price, which it can't have unless there's consensus
<psztorc>
If one assumes that "a large double spend destroys the value of all mining hardware" then this is, again, also true of PoW.
<vladzamfir>
this self-bootstrapping is actually the most elegant part of PoW consensus imo
<vladzamfir>
yeah sure, if double-spending makes hardware self-destruct then great
<vladzamfir>
but i don't think you can guarantee that
<vladzamfir>
i can, in-protocol
<psztorc>
Sure, that's fine -- I just think we should all agree on what exactly the point of all of this is.
<vladzamfir>
me too ^_^
<psztorc>
Which, according to you is, to make sure that { mining hardware } completely loses its value if there is a big reorg.
<psztorc>
Yes?
dave4925 has joined #bitcoin-wizards
<psztorc>
Where { mining hardware } can equal whatever you want.
<vladzamfir>
well what i want to do specifically is to cover byzantine faults with disincentives
<bsm117532>
vladzamfir: since issuance always has a price in PoW, your argument reduces to agreement on the genesis block alone.
<vladzamfir>
reorgs are one thing
<vladzamfir>
there are others
bramc has joined #bitcoin-wizards
<psztorc>
Vlad you're killing me here...."cover byzantine faults with disincentives" , again....PoW...also wants to do this.
<vladzamfir>
well no it doesn't have a price if the price of the tokens is zero, in which case the cost of the PoW will be very low, and it will be easy to attack
<vladzamfir>
but paul it doesn't do a great job
<vladzamfir>
if 80% of miners censor 20% of miners, they get a 25% raise
<bsm117532>
disincentives don't remain constant and economic argument should be used as little as possible. Marginal price can become negative, and then the maximization process needed for consensus fails. So, I'm extremely skeptical of adding incentives and disincentives.
ThomasV has joined #bitcoin-wizards
<psztorc>
What if the 20% team up with 61% of those 80%, and tell the 61% that *they* can be in charge of the extra '80 bonus'?
<psztorc>
> )
<vladzamfir>
the point is just that censorship isn't punished in-protocol
<vladzamfir>
but rather it's rewarded
<psztorc>
I can't agree.
<vladzamfir>
:)
<vladzamfir>
bsm: i think the economic argument is the main thing that ensures that things continue running smoothly into the future
<bsm117532>
That's rather imprecise.
<psztorc>
The fact that Strategy X can be optimal, doesn't change the fact that "51% are in charge".
<vladzamfir>
paul, do you agree that we have a bigger design space, in security-deposit-based PoS than you do in PoW?
<vladzamfir>
yeah so 51% is the most profitable coalition
<vladzamfir>
(for PoW, not so in Casper)
<psztorc>
But if the 49% are sufficiently screwed, they can team up with 2 of the 51%, and reward that 2% outrageously.
<psztorc>
This is what that Cornell guy doesn't understand about selfish mining.
<vladzamfir>
yeah but the 51% can all place large deposits that get slashed if they leave the coalition, before forming it
<vladzamfir>
cartels learn how to punish defection
<kanzure>
the cornell guy from in here?
<psztorc>
Bigger design space...? I'm not sure. I will admit it is possible.
<psztorc>
The "bitcoin is broken" guy.
<vladzamfir>
emin gun sirer, i assume you mean
<vladzamfir>
i <3 him
<vladzamfir>
but yeah it's a strictly bigger design space because i can say what happens to the assets that are used as an anti-sybil mechanism
<vladzamfir>
whereas in PoW they are external to the protocol
<waxwing>
human politics has an absolutely huge design space
<vladzamfir>
and the role of the protocol developer is to take responsibility away from human politics :p
<bsm117532>
There are an infinite number of ways to design something that fails to achieve consensus.
<vladzamfir>
we want to make sure that things last despite people's efforts to stop them
<AdrianG>
vladzamfir: it will boil down to arguments about what code will have to look like.
c-cex-yuriy has joined #bitcoin-wizards
<AdrianG>
sort of like we have arguments about legal "code" today.
<AdrianG>
PoW expenditures are external to software.
<vladzamfir>
are you making a "simpler is better" argument?
<waxwing>
the larger the number of parameters in a system design there are, the more brittle it is to failure
fkhan_ has quit [Ping timeout: 272 seconds]
<AdrianG>
vladzamfir: no. your entire design will be contained within your code. PoW hardware exists independently.
<vladzamfir>
yep
brg444 has quit [Ping timeout: 252 seconds]
<AdrianG>
this way, it serves as a moderating influence, external to your software. a limit on what can be done with code.
pozitrono has joined #bitcoin-wizards
<psztorc>
Ok, but, to stay on topic -- you want to make sure that { miners } are punished completely if they misbehave, and you want to "expand the design space".
<psztorc>
Yes?
kmels has quit [Ping timeout: 276 seconds]
<vladzamfir>
i think expanding the design space (specifically by giving the protocol control of the assets that act as an anti-sybil mechanism) makes it easier to make attacks expensive
<vladzamfir>
i just want it to be extremely expensive to attack
<psztorc>
So, the _entire_ purpose is to make attacks more expensive?
<vladzamfir>
and i also like the idea that the expense will benefit the people who are being attacked
<psztorc>
What about that thing where you wanted instant / guaranteed confirmations?
<vladzamfir>
that's most of the purpose ^_^
<vladzamfir>
oh yeah i want fast finality
<vladzamfir>
but that's really just the same as making things really expensive/difficult to attack
<kanzure>
why is this not solved by centralization?
<vladzamfir>
b.c. it's easy to threaten the center
<kanzure>
perhaps that is where you should look
<vladzamfir>
^_^
<bsm117532>
vladzamfir: Can you address my criticism that coins are not fungible between forks, and therefore cannot be used to bet? One needs an external source of consensus for this to work at all.
<vladzamfir>
the external source of consensus is the fact that everyone has to know who has deposits - the thing it relies on is that forks learn about each other
<vladzamfir>
i.e. if you place a bet on a block that isn't in this fork, this fork finds out so that you are punished in this fork
<bsm117532>
So it only works as long as the deposits never change?
<vladzamfir>
no, the deposits change, but people need to know who is currently bonded
<bsm117532>
Once I withdraw my bond, I can place a new one and generate two forks with different bets.
<vladzamfir>
no one cares about sigs from your unbonded validator
<bsm117532>
I'm not making unbonded sigs...
<psztorc>
You know, if you don't mind, you should really list *all* of your purposes first. That way, we know what this conversation is actually about.
<psztorc>
Is the entire purpose of Ethereum's multimillion-dollar PoS research campaign, solely an effort to make sure that, in the event of a loss of consensus, the investment in 'mining hardware' really is fully lost?
<vladzamfir>
so then you're only signing with your bonded validator? you're going to lose money by doing that
<bsm117532>
The question of fungibility is really the simplest way to state this, I think, and should be addressed directly. If there can ever exist two forks on which bonded validators have different numbers of coins, then your algorithm fails. And this must exist.
<vladzamfir>
lol paul i've been part-time the whole time, i guarantee you the pos budget is tiny
<vladzamfir>
i wish it wasn't
<bsm117532>
vladzamfir: there are multiple forks. You can't move coins between forks, and this is why betting fails to achieve consensus.
<vladzamfir>
i don't want to commit to an exhaustive list of design goals because i might be able to think of new ones ;)
<vladzamfir>
cover byzantine faults with disincentives (i.e. make attacks expensive) - and to make attackers buy coins
<vladzamfir>
bsm not following your point here - you lose coins on both forks
<bsm117532>
vladzamfir: Different forks have different values. There is no central source of "value". You can't make it "expensive" across all forks.
<bsm117532>
I don't lose coins if I'm no longer a bonded validator on the fork.
<bramc>
I looked into those techniques before and they gave me the heebie jeebies. There are contrapositive attacks where you undo branches to 'trick' other people into 'double-spending' and thus steal from them
<vladzamfir>
you can't make a fork when you aren't bonded
<vladzamfir>
i don't understand
<vladzamfir>
:p
<bramc>
People who are bonded are the ones who can do this attack
<bsm117532>
The length of the fork is the withdrawal period.
<vladzamfir>
yes, only the bonded are doing the attack
<vladzamfir>
and you release one fork after you are unbonded?
<vladzamfir>
the withdrawal period is defined in terms of RL time, not in terms of blocks, btw
<bsm117532>
Doesn't matter. The fundamental fact is that you can't move coins between forks.
<vladzamfir>
you have a deposit on both
<vladzamfir>
you can lose it on both
<vladzamfir>
lol
<bsm117532>
Not if you don't know about the other one.
<bsm117532>
So you have to also have consensus on the state of all possible forks, to have consensus on one of them?
<vladzamfir>
lol, yeah so you keep a fork private
<vladzamfir>
block finality means that clients won't accept that fork
<vladzamfir>
so the price of everything on that fork is zero
<bsm117532>
What is "block finality"?
<vladzamfir>
it's like how traditional consensus protocols commit to changes only when all correct clients will be certain that all correct clients will also make that change - they never revert
<bsm117532>
No one is ever certain. A chain of any length can be reorged in principle.
<vladzamfir>
not when you have finality
<vladzamfir>
the fork-choice rule refuses to choose forks that don't include finalized blocks
<bsm117532>
You're assuming consensus to get consensus.
<bsm117532>
"finalizing" a block is externally imposing consensus.
<vladzamfir>
yeah and if it doesn't, then no one will be upset by the reorg because they knew it was possible
<bsm117532>
What if there's a network split and the two sides finalize a different set of blocks?
<vladzamfir>
no it's subjectivity, actually
<vladzamfir>
then you have a consensus failure
<bsm117532>
Ok so you admit your algorithm doesn't work. Bitcoin would reorg in that case.
<bsm117532>
Network splits are real.
<vladzamfir>
yeah so you basically have to choose between having finality and having a reorg, in that case
<vladzamfir>
it's easy to modify casper to have a reorg, but i prefer to have finality, myself
<vladzamfir>
so that i can defend against a supermajority of the bonds making a fork in private
<psztorc>
bsm is saying that you could accidentally have two different finalities, for physics reasons
<bsm117532>
You can't just impose consensus like that!!!
<vladzamfir>
paul it's not accidental, a supermajority of the bonded stake would need to participate to cause a consensus failure
<vladzamfir>
i'm comfortable with the fact that this can happen
<vladzamfir>
every traditional consensus protocol has this problem
<bsm117532>
Bitcoin doesn't.
<vladzamfir>
which is why they rely on their fault tolerance assumptions
<vladzamfir>
yeah well bitcoin has a whole host of other problems instead
<vladzamfir>
like that 51% can revert blocks
<vladzamfir>
lol
<bsm117532>
Ok I'm done.
<helo>
bless you...
<vladzamfir>
<3
<psztorc>
Well so far the only difference is that, instead of using the military to take over large mining centers, a government will use the NSA to track down large holders of -coin.
<psztorc>
So my pointlessness-o-meter is still going off like crazy.
<vladzamfir>
if bitcoin had transaction finality it would have the consensus failure problem - you basically need to choose between blocks always possibly being reverted and having consensus failure if there's sufficient byzantine faults + a network partition
<vladzamfir>
oh it's much easier to hide coins than mining equipment
<vladzamfir>
but the difference is bigger than that
<psztorc>
What if miners installed thermite self-destructs on their miners, which they could trigger from their phone. Then no military would have anything to gain by swooping in.
<psztorc>
And I've only seriously been thinking about it for ~20 seconds.
<helo>
there is a frame of reference which will indicate some conflicting finality
<vladzamfir>
you only have conflicting finality with sufficient byzantine faults, and you still wouldn't be able to revert finalized blocks - paul i'm not seeing the point :)
<vladzamfir>
if the protocol can set off the thermite, then it's close to security-deposit based PoS
<vladzamfir>
but still not quite all the way there
<vladzamfir>
anyways paul i think the censorship thing is a good place to start, if you want to see the difference between PoS and PoW
<vladzamfir>
if 20% of the mining power is ignored, the protocol can't tell
<vladzamfir>
if 20% of the bonds are ignored, the protocol can tell
<vladzamfir>
it's actually surprising to me that you think in-protocol assets can be understood as behaving in exactly the same way as extra-protocol assets :D
<bsm117532>
By adding "block finality" you are stating by fiat, without proof, that you achieved consensus. Clearly you do not, regardless of what else your protocol does.
<AdrianG>
so is block finality some sort of checkpoint?
<vladzamfir>
no? block finality only occurs when a supermajority (80%) of the bonds claim they are certain the block won't be reverted
<vladzamfir>
yeah it's like a checkpoint in the sense that clients don't revert
<vladzamfir>
so you need consensus to have finality
<vladzamfir>
that or a very large amount of faults
<psztorc>
Hey! This is what I said about the purposes. Now you're saying that you want "to prevent { miners } from censoring".
<bsm117532>
So a much simpler algorithm is just to have nodes vote on every block and checkpoint every block. (Tendermint, I think)
<vladzamfir>
that's an example of the faulty behaviour i want to cover with disincentives
<bsm117532>
Now to shut the entire system down I just need to partition off a minority (>21%) of validators.
<bsm117532>
Bitcoin would continue in that circumstance.
<vladzamfir>
the important difference between tendermint and casper is that tendermint votes before the blocks are created, whereas casper bets afterwards
digitalmagus8 has quit [Ping timeout: 276 seconds]
<vladzamfir>
bsm, unlike tendermint, casper can have nonfinalized blocks
<vladzamfir>
it doesn't halt when 21% go offline
<psztorc>
What was the point of asking us to talk about "making it extremely expensive to attack"? What is attack supposed to mean now?
brg444 has joined #bitcoin-wizards
<vladzamfir>
there are three basic attacks - reverting history, censoring blocks, and preventing consensus
<bsm117532>
psztorc: A better question is what does "expensive" mean when there are multiple versions of the ledger. => fungibility...
<psztorc>
In 5 minutes you'll say you didn't really care about censorship and that "it is really about" X.
coinoperated has quit [Ping timeout: 264 seconds]
<bramc>
fungibility seems to be non-negotiable. As soon as that falters confidence in the system plummets.
<vladzamfir>
oh paul, i've only ever appended to the list - and i did say that i want to cover faults with disincentives - you were the one who assumed that i only meant reversion
<psztorc>
I did assume that. Now you've listed your comprehensive set of attacks?
<vladzamfir>
it's not about fungibility, it's about having deposits on all forks
<vladzamfir>
tentatively, yes :)
<psztorc>
By "preventing consensus", you don't like mean 20 other things?
<vladzamfir>
in bitcoin preventing consensus means maintaining two forks that have the same total difficulty, in tendermint it means preventing 67% of validators from committing to a block (perhaps by taking 34% offline)
<bsm117532>
I'll take bitcoin's one-miner-online-and-it's-still-up guarantee over a 20% ddos risk.
CubicEar_ has joined #bitcoin-wizards
<vladzamfir>
in casper, we have the property that if 1 validator online then it's still up
<psztorc>
Well, you are about to move the goalposts again.
<vladzamfir>
and we also don't get the blocks slowing to 1/year, like you might in btc
<bsm117532>
And you can't cover up consensus problems with incentives. For incentives to work, you have to start with a consensus on what the incentive is!
<vladzamfir>
well yeah the protocol defines the payouts
<vladzamfir>
we have consensus on the protocol
<bsm117532>
Ok now I'm really done. vladzamfir you've failed to convince me.
<vladzamfir>
i never could have succeeded <3
<vladzamfir>
have a nice day
CubicEarth has quit [Ping timeout: 246 seconds]
<bsm117532>
Probably not, I still don't think PoS can work at all. It's by definition circular...defining value by using its value.
<vladzamfir>
yeah that's the elegant part
* zookolaptop
reads with interest
<bsm117532>
No, that's a logical fallacy.
<psztorc>
Ok -- so the whole point of this is to 1. change from "assaulting the miners" to "assaulting the owners" and 2. make it easier to know when a { miner } is blocking someone else.
<vladzamfir>
no, bitcoin does the same thing and it worked really well - it's the best thing about nakamoto consensus
<bsm117532>
*sigh* no it doesn't.
<psztorc>
How do you know if the miner is actually censoring, vs being DoS ed or his computer caught on fire or something.
<vladzamfir>
if the price of bitcoin was fixed at zero, the hashing power would fall and consensus would be lost
hashtag has quit [Quit: Leaving]
<vladzamfir>
paul - great observation, you don't
<psztorc>
Then how is PoS doing this impossible thing cheaper than PoW would do it?
<vladzamfir>
you punish people who go offline in case they went offline, and people who stayed online in case they censored the offline party
<vladzamfir>
PoW rewards it, actually :P block time retargets and the censoring coalition get a raise
<zookolaptop>
vladzamfir: thank you for explaining this stuff.
<vladzamfir>
<3 you zooko
<zookolaptop>
❤
Burrito has joined #bitcoin-wizards
<psztorc>
PoS ... also rewards it? Didn't you just say?
<vladzamfir>
no...? we can tell when 20% drops off
<vladzamfir>
so we can punish it
<psztorc>
That DoS is same as censoring.
<vladzamfir>
yeah so, we also punish everyone when someone gets DoSd
<psztorc>
Not everyone (?) you mean all miners?
<vladzamfir>
the protocol can't tell the difference between a node going offline voluntarily and a node being censored
<vladzamfir>
yeah the validators
<psztorc>
How do you punish them?
<vladzamfir>
i can take away part of their deposits
<bsm117532>
Who gets those deposits?
<psztorc>
So...now the attacker can just DoS everyone, as long as he is not a miner?
<vladzamfir>
great question bsm - it's a funny thing, when you have a public good spending problem, rather than a public good funding problem ;) basically taking the money away is a public good, but it's not clear where it should go
<vladzamfir>
yeah paul, that's a legitimate attack
<zookolaptop>
It goes to all current holders in proportion to their holdings.
<vladzamfir>
no it doesn't, zooko
<zookolaptop>
The real value does, that is, not any nominal value.
<vladzamfir>
that's if it's burned
<zookolaptop>
Oh, that's what I assumed happened.
<vladzamfir>
if we do that then if you have a large stake then you have an incentive to DoS validators
ThomasV has quit [Ping timeout: 260 seconds]
<vladzamfir>
but that is one thing we are considering
<bsm117532>
No matter what you do with the deposits, it puts a lot of power in the hands of an attacker with the DDoS button.
<zookolaptop>
vladzamfir: what are the alternatives you're considering?
<vladzamfir>
yes, but there's a corresponding incentive not to get DoS'd
<vladzamfir>
giving it to the foundation, to a DAO, to the next set of bonded validators
<bsm117532>
Punishing the victim...
<vladzamfir>
giving it to me ;)
<vladzamfir>
yeah well it's their responsibility to be online
<vladzamfir>
when your miner gets DoS'd you also lose
<bsm117532>
You're amplifying the damage.
<vladzamfir>
only other miners have a direct incentive to DoS you themselves
<zookolaptop>
bsm117532: I thought you already gave up on being persuaded that this PoS scheme is good.
<vladzamfir>
it's ok, it's just a validator - the protocol is meant to give guarantees to users, not validators
<bsm117532>
zookolaptop: Yeah but to get it to stop blinking I have to leave the room or quit IRC and I don't want to be sipa. ;-) But I probably should. I posted my question on the blog, I'd still appreciate a coherent answer.
<zookolaptop>
☺
<bsm117532>
Without validators you have no system at all.
CubicEarth has joined #bitcoin-wizards
<bsm117532>
*sigh*
bsm117532 has left #bitcoin-wizards [#bitcoin-wizards]
<vladzamfir>
yeah well we certainly need enough validators
CubicEar_ has quit [Read error: No route to host]
<vladzamfir>
lolol :D
<psztorc>
I think it sounds fine to me. But the tradeoff is that total security will actually be lower than PoW, because there will be the risk of a completely natural failure in connectivity, which will punish miners. Miners must be compensated for this risk.
<vladzamfir>
well if you believe that the average marginal return is the average marginal cost, then they will be
<vladzamfir>
no idea what you mean about the security being lower than PoW tho
<psztorc>
You've decreased the marginal revenue.
<vladzamfir>
yes but it's a known risk - the failure in connectivity is also a problem for PoW miners
<vladzamfir>
since their blocks have a good chance of being orphaned
<zookolaptop>
I don't believe that's a major problem in the absence of malicious action.
<zookolaptop>
In either PoW or PoS.
<psztorc>
Your punishment is (effectively) comparable to an orphaned block?
Newyorkadam has quit [Quit: Newyorkadam]
<zookolaptop>
vladzamfir: I'm thinking about how burning the bond is problematic because it rewards
<vladzamfir>
perhaps :)
<zookolaptop>
big stakeholders and therefore can incentivize them to attack (DoS) validators,
<zookolaptop>
and your proposed alternative of giving the bond to someone else therefore
<zookolaptop>
incentivizes whoever else that is, right?
<vladzamfir>
yes, that's right
<vladzamfir>
but i certainly would never stoop to such low levels ;)
<zookolaptop>
So are you thinking by picking someone -- a DAO or whatever -- you can pick someone incorruptible by such incentives?
<vladzamfir>
it's partly a joke, but yes we are thinking about it
<zookolaptop>
Because my opinion is that the marginal benefit is so small when it is distributed evenly to all stakeholders that it won't incentivize bad behavior.
<vladzamfir>
yeah i like to assume that a supermajority of coins are owned by an adversary, because why not
<zookolaptop>
*thinks*
<zookolaptop>
I don't think the effect of that burning of bond changes their calculus much even then?
<vladzamfir>
well they benefit more than anyone else if there are consensus problems
<zookolaptop>
Especially if you factor in that DoS'ing validators could depress the exchange rate between the coin and other things ??
<zookolaptop>
Saying they benefit more than anyone else isn't sufficient to show that this is a problem.
<vladzamfir>
well i don't like to assume that the price of the underlying asset changes in a predictable way in response to attacks
<zookolaptop>
They might still benefit so little that it isn't a problem.
<zookolaptop>
Why not?
<vladzamfir>
because it's too convenient
<vladzamfir>
and because i want to take responsibility in-protocol
<vladzamfir>
not assume away responsibilities by saying things about extra-protocol prices
<zookolaptop>
Well, even with all of those ways that you want to tie your own hands behind your back, it still boils down to whether "whoever is the biggest, or a big stakeholder", or "whoever controls this very special signing key" is more corruptible.
<zookolaptop>
IMHO the latter is more corruptible.
<vladzamfir>
yeah i understand your perspective
<zookolaptop>
It seems to me entirely reasonable and in fact inevitable that the biggest — or a big — stakeholder is more likely to be incentivized to do things that improve the value of the system than that harm it.
<vladzamfir>
but we're working from inside the ethereum community, where at least atm there are sources of trust, and this is a super rare opportunity: funds generated by a public good
<vladzamfir>
yeah i understand that
<zookolaptop>
If the opposite, then maybe that means nobody cares enough about your system and it is okay if it breaks?
<vladzamfir>
but we also have a public goods funding problem with respect to core development
<zookolaptop>
Yeah.
<vladzamfir>
so it would be cool if..
<zookolaptop>
I'm also doing a thing -- not yet publicly explained in detail but soon --
<zookolaptop>
that does something like that, although that is a time-limited thing that we're doing, for the first four years.
<vladzamfir>
interesting - yeah this might be time-limited, too
<vladzamfir>
because we have lots of hard forks to go
<zookolaptop>
I basically think the "controller of the special signing key" *is* better than a lot of options, for the first few years, but given enough time and chaos, then that is worse. :-)
<zookolaptop>
Sorry to be negative, but, you know, the center cannot hold and all that.
<vladzamfir>
yeah i feel the same way about giving it to stakeholders
<zookolaptop>
Really?
<zookolaptop>
It seems to me that large stakeholders almost always have incentives aligned with "general social good of all users".
<zookolaptop>
Am I being naive?
<zookolaptop>
Wait
<zookolaptop>
I don't mean *all* incentives,
<vladzamfir>
yeah of course - the longer things go, the more likely the coins are to fall into the hands of an adversary, and the less the coin's price will react to DDoS'
<zookolaptop>
I mean just with regard to "stuff that increases or reduces the value of the system to everyone at once".
<bramc>
Large thieving stakeholders are incentivized to not thieve so much that they kill the whole system
<zookolaptop>
Which I *think* is roughly what we're talking about here wrt DoS of validators, but I could be oversimplifying.
<vladzamfir>
yeah i just don't like to assume that the people who hold the coins have the protocol's guarantees in mind
<vladzamfir>
i treat everyone but users as potential adversaries
<vladzamfir>
(especially validators)
<zookolaptop>
vladzamfir: well it sounds like currently your choice is assuming that, or else assuming that the holders of a few special signing keys have?
<vladzamfir>
but i treat users as gods ^_^
<zookolaptop>
Have the protocol's best interests in mind?
<vladzamfir>
yeah
<vladzamfir>
it's either that or burning it :/
<zookolaptop>
Also I think it is likely that there won't be any single entity/coalition that has a huge stake compared to everyone-else.
<vladzamfir>
really?
<MRL-Relay>
[othe] exchanges will have.
<zookolaptop>
That's the "inequality metric". How does it apply to Bitcoin today?
<vladzamfir>
yeah, exchanges, large stakeholders
CubicEarth has quit [Remote host closed the connection]
<vladzamfir>
i think probably there will be <50 people with >80% of the stake for a long time
<zookolaptop>
The largest stakeholder is the so-called Satoshi mined coins -- about ⓑ1M ?
<vladzamfir>
just a power law thing
<zookolaptop>
Out of about ⓑ15M?
<vladzamfir>
that's a lot, and there are a large handful of people with >100K
<zookolaptop>
vladzamfir: I agree with that, but that's consistent with my claim that there's no single person/org/coalition with, like, .. a lot.
<zookolaptop>
I mean, if it has that sort of power law distribution, like current Bitcoin, or current USD, or whatever,
<vladzamfir>
yeah so that means that there's a small coalition with a lot, doesn't it?
<zookolaptop>
then the person/coalition with the *most* stake still gives like 80% or 90% of the reward to random other people, in the "burn the bond" scenario. Right?
<zookolaptop>
I guess we're differing on our ideas about how much "a lot" is, and how big effective coalitions could be for this purpose.
<vladzamfir>
oh no so the people with stake are not the people with deposits
<zookolaptop>
Oh, right.
<vladzamfir>
ideally deposits would be a teeny tiny fraction of the coins
<zookolaptop>
That changes it, because someone who controls "merely" 1% of all the Vladcoin can invest and get 90% of all the bonds?
<zookolaptop>
No, wait.
<vladzamfir>
yeah sure
<zookolaptop>
The transfer of value in the burn-the-bonds approach is to *all* holders of all Vladcoins!
<vladzamfir>
yep :p
<zookolaptop>
So yeah, it seems to me unlikely that any particular org or coalition would receive more than a small fraction of that largess.
Souptacular has joined #bitcoin-wizards
<vladzamfir>
assuming that an adversary doesn't have a large stake yeah
<vladzamfir>
or, i mean, a small coalition
<zookolaptop>
IIUC you earlier said you want to design for the case that an adversary controls a great majority of all the Vladcoins?
<vladzamfir>
yep :)
<zookolaptop>
I don't think I'm very interested in defending in that scenario. Doesn't that basically mean your adversary already won? He's by far the richest person on planet Vlad?
<zookolaptop>
He can just retire to an island fortress and torture Vlad day and night for fun?
<vladzamfir>
well no, winning means censoring, reverting blocks or preventing consensus
<zookolaptop>
Oh I privmsged you a while back but I don't know if freenode servers send those through in all cases ...
<zookolaptop>
Well, I think if he's the richest person on planet Vlad, then he's going to succeed at those other goals if he wants to.
Jeremy_Rand_2 has joined #bitcoin-wizards
<vladzamfir>
well i want to make it as expensive for him as possible
<zookolaptop>
Okay, but you still lose?
<vladzamfir>
yeah ^_^
<vladzamfir>
but he can't revert finalized blocks
<zookolaptop>
Hm.
<zookolaptop>
Okay, my brain is tired. Thanks for patiently explaining this much.
<phantomcircuit>
vladzamfir, can you describe the exact changes to the security model
<phantomcircuit>
compared to bitcoin that is
<vladzamfir>
sure, the main thing is that clients must know the set of currently bonded validators, instead of the genesis block
<vladzamfir>
well, that really is the only fundamental change
<vladzamfir>
economic proofs in PoW are chains of work, in PoS they are signatures that affect the payoffs of validators
<vladzamfir>
the effect of faults is different, too - you can't just revert arbitrarily many blocks with 51% (or 33% if selfish mining ;) ), it's more complicated than that
<vladzamfir>
but really the different authentication model is the critical thing to understand
<vladzamfir>
having current information is arguably more difficult than having a genesis block
<vladzamfir>
but it also makes economic proofs much more concise
<vladzamfir>
and we don't need to store the whole blockchain
<vladzamfir>
which is a relief
go1111111 has quit [Ping timeout: 255 seconds]
Alopex has joined #bitcoin-wizards
kmels has joined #bitcoin-wizards
Jeremy_Rand_2 has quit [Ping timeout: 265 seconds]
Jeremy_Rand_2 has joined #bitcoin-wizards
<phantomcircuit>
<vladzamfir> and we don't need to store the whole blockchain
<phantomcircuit>
if bitcoin nodes were to make the same trade off that you have described your PoS system uses then they wouldn't have to either
<vladzamfir>
not sure i agree - you do need to store the block headers
<vladzamfir>
i have to go to bed, tho - it's past my bedtime in europe :) gn heroes
go1111111 has joined #bitcoin-wizards
coinoperated has joined #bitcoin-wizards
<phantomcircuit>
vladzamfir, no actually you don't
jeremyrubin has quit [Quit: Lost terminal]
neha_ has quit [Quit: Lost terminal]
go1111111 has quit [Ping timeout: 250 seconds]
AaronvanW has quit [Ping timeout: 260 seconds]
tripleslash has joined #bitcoin-wizards
tripleslash_q has quit [Ping timeout: 260 seconds]
GGuyZ has quit [Read error: Connection reset by peer]
GGuyZ has joined #bitcoin-wizards
jcorgan is now known as jcorgan|away
Souptacular has quit [Quit: Page closed]
go1111111 has joined #bitcoin-wizards
NewLiberty has quit [Ping timeout: 260 seconds]
throughnothing has quit [Quit: Leaving...]
cheetah2 has joined #bitcoin-wizards
cheetah2 has quit [Remote host closed the connection]
cheetah2 has joined #bitcoin-wizards
NewLiberty has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
cheetah2 has quit [Remote host closed the connection]
cheetah2 has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 260 seconds]
wallet42 has quit [Ping timeout: 240 seconds]
<bramc>
Preliminary results of my going over petertodd's selfish mining stuff: His exact calculation is wrong, but his central thesis - that a miner or coalition of miners can get ahead by withholding successful blocks strategically - is basically correct. The threshold appears to be 1/3 (I'm using monte carlo so it isn't entirely clear) and things get gnarly by 40%. It isn't the case that slowing propagation helps though. I'll
<bramc>
make a much more detailed writeup when I'm done with this.