sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<Taek>
The push for negative interest rates adds a whole new dimension as well
Dizzle has joined #bitcoin-wizards
alpalp has joined #bitcoin-wizards
alpalp has joined #bitcoin-wizards
alpalp has quit [Changing host]
mdavid613 has joined #bitcoin-wizards
laurentmt has quit [Quit: laurentmt]
TheSeven has quit [Ping timeout: 250 seconds]
TheSeven has joined #bitcoin-wizards
<mdavid613>
hey all, I'm wondering if anyone knows why libsecp256k1 chose to implement ECDH the way they did, using SHA256(ECDH(X)-ECDH(Y)). I would like to use a standardized implementation for ECDH key-derivation, but I need 512 bits of entropy. Also, does anyone know of any plans to have a variable sized ECDH function in libsecp256k1 that would provide dynamic digest sizes?
<sipa>
mdavid613: there is no way it can give you 512 bits of entropy, as only 256 bits went in
<sipa>
if you need to expand the output from ECDH, feed it as seed to a stream cipher
<sipa>
and why it's implemented that way is to prevent certain malleability attacks (which don't usually matter, but in some cases they may)
<sipa>
dynamic digest sizes: certainly not, but we may add an ecdh_unsafe that just returns the point
<sipa>
also, see #secp256k1
<mdavid613>
sipa: got it, my issue here is that I'm feeding a DRBG so the entropy for initialization needs to be able to be reproducible on both sides and I'm not sure if a stream cipher will provide that
<sipa>
mdavid613: that's the point of a stream cipher
<sipa>
if it's not deterministic it's broken
<sipa>
the easiest way (if you're certain 512 bits is enough) is just SHA512(ecdh output)
<sipa>
where ecdh output is the sha256 result
<mdavid613>
ok, that sounds like the best way to go for me, I appreciate the help @sipa
<mdavid613>
512 is enough, because the largest result I need from DRBG is 256 bits, so really I only _need_ 384
frankenmint has quit []
MaxSan_ has quit [Ping timeout: 265 seconds]
Ylbam has quit [Quit: Connection closed for inactivity]
NewLiberty has joined #bitcoin-wizards
Emcy has quit [Ping timeout: 240 seconds]
hashtag_ has joined #bitcoin-wizards
Emcy has joined #bitcoin-wizards
Emcy has quit [Changing host]
Emcy has joined #bitcoin-wizards
dgenr8 has quit [Quit: Leaving]
MaxSan_ has joined #bitcoin-wizards
bsm1175321 has quit [Read error: Connection reset by peer]
bsm1175321 has joined #bitcoin-wizards
dgenr8 has joined #bitcoin-wizards
wazzard has joined #bitcoin-wizards
bsm1175321 has quit [Read error: No route to host]
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
Dizzle has quit [Remote host closed the connection]
<rusty>
Mutually untrusting parties releasing hashes of secrets has the problem that you'd need timelock puzzles to force them to reveal. Which seems suboptimal.
<bsm1175321>
amiller and I had an interesting conversation regarding blockchain randomness. He suggested the use of an oracle involving threshold signatures which can guarantee (up to collusion among of the random oracle contributors) a non-gameable random value for use in things like lotteries. I admit I'm still fuzzy on the details.
<bsm1175321>
But it's very clear that if the lottery were large enough, there's an economic incentive to withhold blocks and keep mining until you have a block which favors you in the lottery *in*addition* to winning the block reward.
<bsm1175321>
No one should be using the block hash as a source of randomness.
<bsm1175321>
A lot of Ethereum contracts are... :-(
<bsm1175321>
A similar mechanism was used in amiller's Honey Badger paper...
<kanzure>
rusty: i remember this paper but not the title or any of the details that would let me find it. sorry.
<rusty>
bsm117532: yes, that's close to "mutually untrusted parties provide hashes", but then they can withhold if they don't like the result, so you also need them to be timelock puzzles AFAICT.
<bsm1175321>
kanzure: I can't believe that's worthy of an article...I would have thought it totally obvious...
<rusty>
kanzure, MRL-Relay thanks!
<rusty>
bsm1175321: it's nice to have something to point at though.
<bsm1175321>
rusty: amiller claimed to have a solution to the missing-contributor problem in his honey badger paper.
<bsm1175321>
AFAICT it's the same as Shamir's Secret Sharing...
<bsm1175321>
So you need a secure multiparty computation to set up the secret sharing...
<rusty>
Hmm....
<bsm1175321>
Honestly this issue has been blocking me for some time...DPoS uses a hash-and-reveal mechanism to choose the next block creator, but can't tolerate a loss of any participant, and loss of participants is gameable.
<bsm1175321>
(DPoS = delegated Proof of Stake a la BitsharesX)
JHistone has joined #bitcoin-wizards
<bsm1175321>
The existence of a SMPC system for the setup may be more than I'm willing to assume... but maybe I didn't fully understand amiller's idea.
<bsm1175321>
I think this is the Asynchronous Common Subset (ACS) primitive in that paper, section 4.4.
Dizzle has quit [Quit: Leaving...]
jtimon has quit [Ping timeout: 276 seconds]
hashtag_ has joined #bitcoin-wizards
hashtag_ has quit [Read error: Connection reset by peer]
hashtagg has quit [Ping timeout: 244 seconds]
pro has quit [Quit: Leaving]
JHistone has quit [Ping timeout: 250 seconds]
Giszmo has quit [Quit: Leaving.]
CubicEarth has quit [Remote host closed the connection]
CubicEarth has joined #bitcoin-wizards
mountaingoat has quit [Quit: WeeChat 1.4]
mountaingoat has joined #bitcoin-wizards
alpalp has quit [Ping timeout: 276 seconds]
Iriez has quit [Ping timeout: 252 seconds]
MaxSan_ has quit [Ping timeout: 276 seconds]
Newyorkadam has joined #bitcoin-wizards
<bsm1175321>
It strikes me that a Honey Badger-like implementation, combined with a PoW system, provides a way to couple real-world assets into a system. The problem with leader-like systems (PBFT, PAXOS, HoneyBadger, etc) is that they don't represent real-world value in a cryptographic way. The UTXO set might as well be the attendance list for a 3-year old's birthday party.
<bsm1175321>
Absent PoW, one must rely on trusted parties to couple real-world value into the system (because all classical existing real-world value exists because of attestations by trusted parties -- governments, banks, etc).
<bsm1175321>
Such an idea entirely divorces PoW from the consensus process, and makes it only a proof-of-value...
GAit has quit [Quit: Leaving.]
<bsm1175321>
That makes Satoshi's algorithm a conflation of THREE things (I used to think it was two): (1) a RNG to select the next state (block producer), (2) an incentive to update the state, and (3) a means to couple real-world value into the crypto-asset. A Honey Badger + PoW would be 1+3 with (2) implicit -- anyone participating in either 1 or 3 already has an incentive to update the state...
bustd_soket has quit [Ping timeout: 240 seconds]
sipa has left #bitcoin-wizards [#bitcoin-wizards]
go1111111 has quit [Ping timeout: 276 seconds]
<mr_burdell>
can you verify that something is a timelock puzzle? what if someone uses random data instead of a valid timelock puzzle?
<mr_burdell>
you wouldn't know until it's too late, right?
Iriez has joined #bitcoin-wizards
go1111111 has joined #bitcoin-wizards
<bsm1175321>
The idea behind Honey Badger (and most CS literature on the subject) is not to use time at all. It's not something that is agreed upon by all parties, nor cryptographically provable.
mrkent has quit []
<bsm1175321>
That said, I'm having dreams of defining "network time" using a crypto-currency. It would drift WRT "real" time, but who cares? As long as consensus marches forward linearly...
<amiller>
hi
<amiller>
this threshold signature thing isn't new in honey badger
<amiller>
threshold signatures have been used to make "common coins" for a while
<amiller>
common coin is basically a stream of random values that get released one at a time, when the parties release them
<funkenstein_>
even a permissioned ledger is still publicly viewable
Samdney has joined #bitcoin-wizards
dEBRUYNE has quit [Read error: Connection reset by peer]
dEBRUYNE_ has joined #bitcoin-wizards
Burrito has joined #bitcoin-wizards
dEBRUYNE_ has quit [Client Quit]
dEBRUYNE has joined #bitcoin-wizards
laurentmt has quit [Quit: laurentmt]
laurentmt has joined #bitcoin-wizards
Giszmo has joined #bitcoin-wizards
c-cex-yuriy has quit [Quit: Connection closed for inactivity]
<kanzure>
.wik ulam spiral
<EmmyNoether>
"The Ulam spiral or prime spiral (in other languages also called the Ulam cloth) is a simple method of visualizing the prime numbers that reveals the apparent tendency of certain quadratic polynomials to generate unusually large numbers of primes." - https://en.wikipedia.org/wiki/Ulam_spiral
<yoleaux>
"The Ulam spiral or prime spiral (in other languages also called the Ulam cloth) is a simple method of visualizing the prime numbers that reveals the apparent tendency of certain quadratic polynomials to generate unusually large numbers of primes." — https://en.wikipedia.org/wiki/Ulam_spiral
Starduster has quit [Read error: Connection reset by peer]
<kanzure>
whose bot is that other one
Starduster has joined #bitcoin-wizards
hashtag has joined #bitcoin-wizards
* funkenstein_
wonders if numbers below "sloane's gap" would show a pattern on such a spiral
earlest has joined #bitcoin-wizards
muuqwaul has quit [Ping timeout: 240 seconds]
roconnor has joined #bitcoin-wizards
hashtag_ has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
tromp_ has joined #bitcoin-wizards
Giszmo has quit [Ping timeout: 260 seconds]
laurentmt has quit [Quit: laurentmt]
tromp_ has quit [Ping timeout: 260 seconds]
Giszmo has joined #bitcoin-wizards
alferz has joined #bitcoin-wizards
Ylbam has quit [Quit: Connection closed for inactivity]
eaxdigitalhash has quit [Remote host closed the connection]
DougieBot5000 has joined #bitcoin-wizards
funkenstein_ has quit [Ping timeout: 244 seconds]
gill3s has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
funkenstein_ has joined #bitcoin-wizards
funkenstein_ is now known as Guest50086
bowler_ has joined #bitcoin-wizards
bowler_ has quit [Changing host]
bowler_ has joined #bitcoin-wizards
bowler_ is now known as funkenstein_
Guest50086 has quit [Ping timeout: 240 seconds]
Guest13916 has quit [Ping timeout: 244 seconds]
Starduster has quit [Read error: Connection reset by peer]
Starduster has joined #bitcoin-wizards
Starduster_ has joined #bitcoin-wizards
t800 has joined #bitcoin-wizards
t800 is now known as Guest61372
Starduster_ has quit [Client Quit]
Starduster has quit [Ping timeout: 240 seconds]
gill3s has joined #bitcoin-wizards
gill3s has quit [Client Quit]
Giszmo has quit [Ping timeout: 276 seconds]
CubicEarth has joined #bitcoin-wizards
<bsm117532>
r0ach: I wouldn't worry about permissioning, Iota doesn't have any kind of consensus or UTXO set...it's entirely unworkable.
mdavid613 has joined #bitcoin-wizards
johnwhitton has joined #bitcoin-wizards
<funkenstein_>
out of curiosity what was the 2nd coin "from russia" referred to in the OP of that thread?
<r0ach>
ethereum
Giszmo has joined #bitcoin-wizards
ybit has quit [Quit: leaving]
ybit has joined #bitcoin-wizards
BonyM has quit [Ping timeout: 246 seconds]
Ylbam has joined #bitcoin-wizards
zooko has quit [Ping timeout: 252 seconds]
BonyM has joined #bitcoin-wizards
<Taek>
bsm117532, rusty: there's been discussions before about making a lottery using block hashes
<Taek>
The general idea being that you could get -ev mining that way, as people with gambling habits are okay playing -ev games
<Taek>
I'm pretty sure you can get a full 32 bytes of entropy from a mined bitcoin block, with the one caveat that miners can opt to burn 25btc and re-roll, though due to competition there's a chance the re-roll won't succeed
<Taek>
well, and if you get 51% hashrate you can re-roll as many times as you want
<Taek>
also, the cost of re-rolling reduces as we switch from coinbase heavy subsidies to fee heavy subsidies, as you can reuse the same txns
<Taek>
It would be pretty easy I think to structure a lottery that pays out much heavier for outlier lucky blocks (1-in-1000) in such a way that it's always against your interest to withhold blocks
<funkenstein_>
i built block-roulette.com using block hashes for entropy
<bsm117532>
Taek: the number of bytes of entropy in the block hash is a function of the lottery reward. It should not be relied upon in this manner.
<Taek>
bsm117532: I don't understand what you are saying there. Getting a block hash with low entropy is only possible with an excessive amount of work. You can't just find one that way
<bsm117532>
Taek: it doesn't matter how you evaluate the bits of the block hash. For a large enough expected winnings, I will just withhold blocks for which I'm not the winner.
<Taek>
you can structure the lottery such that withholding a block always results in lower actual return
<Taek>
for example, pay $100 for normal block, $150 for 1-in-4 block, $100,000 for 1-in-25,000 block
<Taek>
there's no reason to withhold a normal block there
<Taek>
you still get paid, and you still have the same chance of finding a 1-in-25,000 block
<bsm117532>
You'll never know I withheld a block...
<Taek>
true, but why would you ever do that?
<bsm117532>
Because my expectation value from lottery winnings is larger than the block reward.
kmels has joined #bitcoin-wizards
ManfredMacx has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
<kanzure>
@bramc: we need way better command-line torrenting tools. i know you're watching.
<bsm117532>
Block-hashes-as-entropy changes the game theory for miners. They should evaluate the expected block reward plus the expectation value of lotteries they win with the block they mine. (And there may be multiple lotteries)
rustyn has quit [Read error: Connection reset by peer]
rustyn has joined #bitcoin-wizards
kmels has quit [Ping timeout: 252 seconds]
<Taek>
The idea is that the two would be intertwined, such that you get a single reward which scales as you have luckier hashes
<Taek>
if there's a third party lottery that's using some other system it does change the dynamic
<Taek>
but you can't prohibit that type of lottery anyway
hashtag has quit [Read error: Connection reset by peer]
kmels has joined #bitcoin-wizards
tromp_ has joined #bitcoin-wizards
<bsm117532>
You can loudly proclaim that such lotteries break the incentive model and may break the system they run on, so don't do it. But no you can't strictly prohibit it... The other type of lottery you mention is precisely what the block reward is, already.
tromp_ has quit [Ping timeout: 252 seconds]
Don_John has joined #bitcoin-wizards
Don_John has quit [Remote host closed the connection]
murch has quit [Quit: Leaving.]
zooko has joined #bitcoin-wizards
Newyorkadam has joined #bitcoin-wizards
kmels has quit [Ping timeout: 252 seconds]
priidu has joined #bitcoin-wizards
mrkent has joined #bitcoin-wizards
roconnor has quit [Ping timeout: 260 seconds]
roconnor has joined #bitcoin-wizards
bysherper has joined #bitcoin-wizards
copumpkin has quit [Ping timeout: 276 seconds]
earlest has quit [Ping timeout: 240 seconds]
copumpkin has joined #bitcoin-wizards
rustyn has quit [Ping timeout: 260 seconds]
rustyn has joined #bitcoin-wizards
roconnor has quit [Ping timeout: 276 seconds]
bit2017 has joined #bitcoin-wizards
funkenstein_ has quit [Ping timeout: 244 seconds]
roconnor has joined #bitcoin-wizards
bit2017 has quit [Ping timeout: 265 seconds]
Aranjedeath has joined #bitcoin-wizards
gill3s has joined #bitcoin-wizards
Emcy has quit [Read error: Connection reset by peer]
gill3s has quit [Client Quit]
funkenstein_ has joined #bitcoin-wizards
funkenstein_ has quit [Changing host]
funkenstein_ has joined #bitcoin-wizards
ManfredMacx has quit [Quit: Leaving]
Emcy has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 260 seconds]
gill3s has joined #bitcoin-wizards
blackwraith has joined #bitcoin-wizards
priidu has quit [Ping timeout: 265 seconds]
nuke1989 has joined #bitcoin-wizards
gill3s has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
kmels has joined #bitcoin-wizards
zooko has quit [Ping timeout: 260 seconds]
Aranjedeath has quit [Ping timeout: 260 seconds]
Newyorkadam has quit [Remote host closed the connection]