1 2011-07-22 00:05:43 <CIA-103> bitcoin: Matt Corallo master * r643160f / src/main.cpp : Actually use mapAlreadyAskedFor. ... https://github.com/bitcoin/bitcoin/commit/643160f6e7e5e8ca84bc7d2c1a0f37d9cf43a6e1
  2 2011-07-22 00:09:02 <gmaxwell> b4epoche_: Yes?
  3 2011-07-22 00:09:26 <b4epoche_> JSTOR?  PRSL?
  4 2011-07-22 00:28:33 <Joric> how to merge a whole bunch of tiny-commits into the one feature? it looks ridiculous for now
  5 2011-07-22 00:29:43 <Joric> it's not a mainstream bitcoin client, don't worry :)
  6 2011-07-22 00:29:48 <BlueMattBot> Project Bitcoin-Test build #12: STILL FAILING in 11 sec: http://www.bluematt.me/jenkins/job/Bitcoin-Test/12/
  7 2011-07-22 00:30:03 <coderrr> Joric, git rebase -i ?
  8 2011-07-22 00:31:44 <coderrr> or maybe just git reset up to the commit u want and then recommit everything in one commit
  9 2011-07-22 00:32:12 <Joric> yeah that probably will do the trick
 10 2011-07-22 00:32:56 <Joric> it's really bad for now, a shitpile of commits adding or removing a single line
 11 2011-07-22 00:45:53 <gmaxwell> "Seemingly in solidarity with Swartz, someone called Gregory Maxwell has uploaded to 33 GB of journal articles"  I wonder if the journalists would be more likely to believe my name if I called myself Satoshi Nakamoto.
 12 2011-07-22 00:49:50 <coderrr> hah
 13 2011-07-22 00:54:19 <jrmithdobbs> gmaxwell: lol, ya i saw that too
 14 2011-07-22 00:56:22 <nanotube> gmaxwell: what's that stuff about 33gb of journal articles?
 15 2011-07-22 00:57:28 <gmaxwell> nanotube: https://thepiratebay.org/torrent/6554331
 16 2011-07-22 00:58:38 <nanotube> gmaxwell: oh nice
 17 2011-07-22 00:59:09 <jrmithdobbs> haha, i've been harassing way too many people lately
 18 2011-07-22 00:59:21 <jrmithdobbs> safari has finally added pastebin.com to my Top Sites
 19 2011-07-22 00:59:30 <jrmithdobbs> chrome too
 20 2011-07-22 01:01:20 <b4epoche_> seriously, gmaxwell, what got you upset enough to risk doing that?
 21 2011-07-22 01:33:01 <copumpkin> gmaxwell++
 22 2011-07-22 01:36:13 <jrmithdobbs> gmaxwell: hey what's a damned headless bt client that does the dht stuff so i can put this on a box with bandwidth
 23 2011-07-22 01:36:37 <b4epoche_> so, the copyright's had expired on these?
 24 2011-07-22 01:37:31 <gmaxwell> jrmithdobbs: rtorrent.
 25 2011-07-22 01:38:29 <b4epoche_> is it PTRS or PRSL that has stuff online from like 1800?
 26 2011-07-22 01:38:38 <gmaxwell> b4epoche_: Yes, though in the past various parties have claimed that scanning something makes a copyrightable work. This is so obviously untrue under US law at this point that it's a joke, but many large institutions still claim it.
 27 2011-07-22 01:38:59 <accel> anyone has great wisdom to share?
 28 2011-07-22 01:39:14 <copumpkin> gmaxwell: is your identity easily traceable? do you except JSTOR to track you down and sue you?
 29 2011-07-22 01:39:23 <copumpkin> you didn't exactly try very hard to mask your name :)
 30 2011-07-22 01:39:30 <gmaxwell> PTRS has about 100 documents online: http://trailblazing.royalsociety.org/?p=1
 31 2011-07-22 01:39:54 <accel> dumb question: if someone is stealing documents to torrent
 32 2011-07-22 01:40:06 <b4epoche_> about three years ago the CIC (the Big Ten schools and UChicago) came up with a 'copyright' addendum to include when you submit the paperwork for a paper to be published
 33 2011-07-22 01:40:08 <accel> why is it academicjournals, and not porn?
 34 2011-07-22 01:40:22 <IO-> very good question
 35 2011-07-22 01:40:37 <b4epoche_> that got debated and debated, and eventually the faculty senate decided not to endorse it.  pussies.
 36 2011-07-22 01:40:41 <gmaxwell> Because you can already get all the porn you'll ever need very easily?
 37 2011-07-22 01:41:04 <IO-> ya but i can't rsync porn yet :(
 38 2011-07-22 01:41:12 <IO-> there's still avenues to explore
 39 2011-07-22 01:41:17 <b4epoche_> and porn actors get paid
 40 2011-07-22 01:42:04 <nhodges> why can't you rsync porn
 41 2011-07-22 01:42:28 <gmaxwell> copumpkin: of course it's easily traceable. They're welcome to try. I am hoping they do not, but I intend to win if they do. If they fail or fail to try it will embolden other people. I don't think it would have been as politically powerful if I'd published anonymously.
 42 2011-07-22 01:42:54 <copumpkin> very ballsy, and I hope you succeed
 43 2011-07-22 01:42:57 <IO-> i need rsync share's of porn
 44 2011-07-22 01:42:59 <b4epoche_> +1
 45 2011-07-22 01:42:59 <gmaxwell> copumpkin: also, sharing >30GB of data anonymously is actually really hard.
 46 2011-07-22 01:42:59 <IO-> mass
 47 2011-07-22 01:43:25 <copumpkin> gmaxwell: cowardly academics everywhere are silently cheering for you
 48 2011-07-22 01:43:30 <copumpkin> :)
 49 2011-07-22 01:43:35 <b4epoche_> hear, hear
 50 2011-07-22 01:43:40 <gmaxwell> copumpkin: and not that silently, I've had hundreds of emails.
 51 2011-07-22 01:44:01 <gmaxwell> And there are some excellent posts on the news articles.
 52 2011-07-22 01:44:04 <copumpkin> gmaxwell: I hope more of them write publicly about it
 53 2011-07-22 01:44:16 <copumpkin> I just tweeted about it, which isn't much :P
 54 2011-07-22 01:45:08 <b4epoche_> but you have to realize most academics are just interested in advancing their careers…
 55 2011-07-22 01:45:36 <b4epoche_> I know people that are all excited to get in bed with Elsevier and start a new general
 56 2011-07-22 01:45:38 <vragnaroda> s/academics/people/
 57 2011-07-22 01:45:59 <gmaxwell> ya, thats everyone. But also it's not "just interested" ... it's "foremost interested".
 58 2011-07-22 01:46:06 <b4epoche_> true, but academics are not really much more noble than 'people'
 59 2011-07-22 01:46:16 <copumpkin> or at all :)
 60 2011-07-22 01:46:32 <copumpkin> it attracts lots of pretty average people, in my experience
 61 2011-07-22 01:47:07 <b4epoche_> my department head about flipped when I said that
 62 2011-07-22 01:47:29 <b4epoche_> she's all about advancing her career and can't understand why it means nothing to me
 63 2011-07-22 01:47:31 <vragnaroda> well, that is pretty pathetic
 64 2011-07-22 01:48:09 <copumpkin> b4epoche_: dude, you should be striving to be The John Smith Professor Of Awesomeness
 65 2011-07-22 01:48:16 <copumpkin> or some other endowed professorship
 66 2011-07-22 01:49:02 <copumpkin> oh excellent
 67 2011-07-22 01:49:10 <b4epoche_> hmm…  maybe I should make it IS^2
 68 2011-07-22 01:51:42 <b4epoche_> a very smart colleague told me one time that you consider what you do either a job, a career, or a calling
 69 2011-07-22 01:51:55 <b4epoche_> unfortunately most professors fall into the career category
 70 2011-07-22 01:57:42 <b4epoche_> for my take:  http://dl.dropbox.com/u/1041468/Description.pdf
 71 2011-07-22 01:59:41 <b4epoche_> see also:  http://imechanica.org/blog/1075
 72 2011-07-22 02:00:12 <Joric> i see you've merged a plenty of pull requests today
 73 2011-07-22 02:05:05 <jrmithdobbs> b4epoche_: you know dropbox has backdoor keys to decrypt your data rite? just sayin
 74 2011-07-22 02:08:04 <copumpkin> even before that information leaked out
 75 2011-07-22 02:08:16 <copumpkin> I was encrypting anything I cared about them not seeing before putting it on there
 76 2011-07-22 02:08:40 <upb> well it was obvious anyway since they de-dupe the data
 77 2011-07-22 02:08:41 <copumpkin> it's kind of dumb to take a third party's word about something like that, even if it's a hip and cool company
 78 2011-07-22 02:08:49 <copumpkin> upb: they didn't start doing that for a while though
 79 2011-07-22 02:08:53 <upb> oh
 80 2011-07-22 02:09:04 <copumpkin> at least, I don't remember seeing it in the earlier days
 81 2011-07-22 02:09:12 <copumpkin> even with what I'm sure were pretty common files
 82 2011-07-22 02:10:15 <b4epoche_> yea, it's amazing how quickly those iOS5 dev releases upload, eh?
 83 2011-07-22 02:11:53 <copumpkin> :P
 84 2011-07-22 02:13:04 <upb> lol
 85 2011-07-22 02:13:15 <Joric> is there any iphone bitcoin client that supports qr codes?
 86 2011-07-22 02:14:32 <copumpkin> I don't think there's any iphone bitcoin client
 87 2011-07-22 02:14:34 <copumpkin> at all
 88 2011-07-22 02:14:38 <copumpkin> is there?
 89 2011-07-22 02:14:45 <copumpkin> or did the rejected one end up on cydia?
 90 2011-07-22 02:15:01 <Joric> nope just useless chart watchers
 91 2011-07-22 02:16:36 <Joric> i used to be an iphone developer in 2008-2011 don't really like it though, it's pretty inconvenient
 92 2011-07-22 02:18:03 <Joric> not quite sure how to port it, official client weighs a ton and eats a ton of traffic
 93 2011-07-22 02:18:38 <Joric> android uses bitcoinj afaik
 94 2011-07-22 02:19:14 <Joric> heard it doesn't download a whole blockchain
 95 2011-07-22 02:20:34 <copumpkin> I'd be quite happy to have it be a remote interface to a real client running on my home computer
 96 2011-07-22 02:20:38 <copumpkin> or something along those lines
 97 2011-07-22 02:20:46 <copumpkin> I don't really want my actual wallet on a mobile device anyway
 98 2011-07-22 02:20:57 <b4epoche_> I don't see the issue with downloading the whole block chain.
 99 2011-07-22 02:21:25 <b4epoche_> there are plenty of games that use twice as much space.
100 2011-07-22 02:21:47 <b4epoche_> and don't most 'magazines' weigh in at like 0.5 GB?
101 2011-07-22 02:21:58 <copumpkin> I'd expect so
102 2011-07-22 02:22:55 <Joric> iphone thread http://forum.bitcoin.org/index.php?topic=17626.0
103 2011-07-22 02:24:03 <b4epoche_> btw, that entire 'reject for using alternative currencies' has got to be crap…
104 2011-07-22 02:25:03 <copumpkin> yeah
105 2011-07-22 02:26:19 <Joric> wat?
106 2011-07-22 02:26:53 <Joric> oh well ios5 has 'background tasks' now, right
107 2011-07-22 02:27:43 <Joric> since ios4 even if i remember right
108 2011-07-22 02:28:40 <jrmithdobbs> not really
109 2011-07-22 02:28:43 <jrmithdobbs> kind of
110 2011-07-22 02:29:04 <Joric> well downloading blocks in the background shouldn't be a problem
111 2011-07-22 02:30:09 <Joric> at least it's possible to keep tcp connection alive
112 2011-07-22 02:34:55 <lfm> do you have unlimited data?
113 2011-07-22 02:35:22 <lfm> on your phone?
114 2011-07-22 02:36:26 <Joric> i pay 25c per MB
115 2011-07-22 02:37:12 <Joric> luckily i'm not using gprs connection much
116 2011-07-22 02:38:56 <lfm> so you wouldnt want live btc on your phone
117 2011-07-22 02:39:43 <lfm> itd be like a mb every hour
118 2011-07-22 02:41:34 <jrmithdobbs> netatalk 2.2.0-p6 liberated from its closed source ransom
119 2011-07-22 02:41:35 <jrmithdobbs> https://github.com/jrmithdobbs/netatalk-2-2-0-p6
120 2011-07-22 02:41:50 <jrmithdobbs> (works with lion time machine)
121 2011-07-22 02:45:13 <moa7> +1 gmaxwell on JSTOR upload ... bittorrent is for grown-ups too!
122 2011-07-22 03:02:36 <lfm> can you restrict an app to wifi only, never to use cell data link(is it called gprs or something)
123 2011-07-22 03:05:44 <Joric> you may turn it off in the menu
124 2011-07-22 03:06:26 <lfm> joric thats for all apps tho?
125 2011-07-22 03:06:50 <lfm> or not?
126 2011-07-22 03:07:26 <lfm> and which phone is that?
127 2011-07-22 03:08:07 <Joric> any iphone allows turning cell data off, in the options
128 2011-07-22 03:08:29 <lfm> for each app individually or for the whole phone?
129 2011-07-22 03:08:56 <Joric> for the whole phone, not sure about a specific api for that
130 2011-07-22 03:10:49 <lfm> cuz if bitcoin was in the background and only updating the block chain when it could get a free connect, that would be ok.
131 2011-07-22 03:11:26 <lfm> so long as it fit in memory
132 2011-07-22 03:16:18 <copumpkin> gmaxwell: too cool for #haskell-blah?
133 2011-07-22 03:18:32 <gmaxwell> 227 irssi windows too many. :-/
134 2011-07-22 03:19:28 <copumpkin> oh man
135 2011-07-22 03:19:35 <jrmithdobbs> lol
136 2011-07-22 03:19:38 <Joric> whoa it's like a real life matrix
137 2011-07-22 03:21:56 <jgarzik> jrmithdobbs: what happened with net-atalk?
138 2011-07-22 03:22:50 <jrmithdobbs> jgarzik: current maintainer was holding the updates that make it work with 10.7's timemachine ransom to try and force oem nas manufacturers to buy support from his company
139 2011-07-22 03:22:56 <jrmithdobbs> even though it is gplv2
140 2011-07-22 03:23:20 <jrmithdobbs> jgarzik: see: http://www.netafp.com/open-letter-to-the-netatalk-community-501/
141 2011-07-22 03:23:26 <jgarzik> jrmithdobbs: what is a "10.7's timemachine ransom"?
142 2011-07-22 03:24:40 <jrmithdobbs> jgarzik: 10.7 == tiger == new OS X released yesterday
143 2011-07-22 03:24:55 <jrmithdobbs> jgarzik: he was holding the code updates that made netatalk work with time machine (apple's backup stuff) ransom
144 2011-07-22 03:25:03 <vragnaroda> jrmithdobbs: no
145 2011-07-22 03:25:07 <jrmithdobbs> yes
146 2011-07-22 03:25:13 <jrmithdobbs> err s/tiger/lion/
147 2011-07-22 03:25:30 <vragnaroda> yeah, tiger was released in 2005
148 2011-07-22 03:25:53 <jrmithdobbs> jgarzik: apple broke using timemachine with nfs/cifs by adding an ioctl() in backupd (the timemachine process) that only works on afp shares
149 2011-07-22 03:26:13 <jrmithdobbs> jgarzik: so until this noone using 10.7 could backup to anything but apple-supplied devices
150 2011-07-22 03:26:51 <jrmithdobbs> because the available version of netatalk did not quite have a functioning afp3.3 implementation which is required for time machine to function now on afp now
151 2011-07-22 03:27:00 <jrmithdobbs> s/now//
152 2011-07-22 03:27:57 <cjdelisle> gmaxwell: I looked at your deterministic wallet idea, I think it is provably safe. You can prove its security by simplifying it. Suppose instead of a PRNG you use a counter, privateKey_n = privateKey + n, publicKey_n = publicKey + n * point. The security of generating public keys is trivial to prove since you should never be able to derive the private key from only the public. The security of making multiple signatures with sequential
153 2011-07-22 03:28:45 <jrmithdobbs> jgarzik: this was cc'ed to gpl-violations@gnu.org and the netgear opensource@ addresses is what changed his mind
154 2011-07-22 03:28:50 <jrmithdobbs> jgarzik: http://sourceforge.net/mailarchive/message.php?msg_id=27835003
155 2011-07-22 03:29:24 <gmaxwell> cjdelisle: yes, _except_ if there is a weakness in ECDSA you could exploit a known relationship between private keys used to sign messages.
156 2011-07-22 03:29:48 <gmaxwell> cjdelisle: no no such weakness is known to exist, none seems likely, but it also doesn't seem likely that there will be a proof that one doesn't exist.
157 2011-07-22 03:30:02 <iddo> cjdelisle: why use non-random counter, that's much worse than PRNG, no?
158 2011-07-22 03:30:09 <gmaxwell> Well other than the obvious ones.
159 2011-07-22 03:30:18 <gmaxwell> It makes a proof simpler.
160 2011-07-22 03:30:28 <iddo> cjdelisle: it's not provably secure
161 2011-07-22 03:30:37 <gmaxwell> (and makes it clear that the security doesn't come from the hash function)
162 2011-07-22 03:30:39 <cjdelisle> How is that?
163 2011-07-22 03:31:05 <AndyBr> wow, these people love to write long letters
164 2011-07-22 03:31:14 <cjdelisle> Is there a way it could be insecure even if every assumption I gave is still correct?
165 2011-07-22 03:31:46 <iddo> cjdelisle: your long msg was cut at the end?
166 2011-07-22 03:32:05 <cjdelisle> It ended with this: The security of making multiple  signatures with sequential keys is secure if making multiple signatures with the same key is secure.
167 2011-07-22 03:32:34 <iddo> but you're not signing with same key, you're signing with related keys
168 2011-07-22 03:32:37 <cjdelisle> That is something I would have to give some thought to proving but I think it could be done.
169 2011-07-22 03:32:55 <gmaxwell> cjdelisle: try for the case where one key is the multiplicative inverse of another key.
170 2011-07-22 03:32:59 <iddo> alas it cannot be done, no free lunch... :(
171 2011-07-22 03:33:40 <iddo> there's now a famous related key attack on aes256
172 2011-07-22 03:34:01 <cjdelisle> Yea, AES is fortunately not much like ECDSA.
173 2011-07-22 03:34:16 <cjdelisle> I think that it comes down to "if m is really a random number"
174 2011-07-22 03:34:55 <iddo> signing multiple msgs with same key is secure (using standard assumptions like factoring or discrete log hardness), signing with related keys is shaky
175 2011-07-22 03:35:34 <cjdelisle> Of course, that's because I have not written any proof :)
176 2011-07-22 03:36:08 <iddo> you shouldnt expect to be able to generate related public keys for free, without any security implications... no free lunch
177 2011-07-22 03:36:28 <lfm> you can use one way hashes to isolate them
178 2011-07-22 03:36:35 <gmaxwell> Well, they aren't related if H() is a random oracle.
179 2011-07-22 03:37:04 <iddo> ECDSA has much more 'structure' than AES, so in terms of security the situation here could be even worse
180 2011-07-22 03:37:30 <gmaxwell> I always required the assumption that H() was secure, ideally it would be provable without that assumption, but I agree with iddo that that probably isn't possible.
181 2011-07-22 03:37:41 <cjdelisle> This reliance on the hash disturbs me. Hashes are by their nature a strange beast, they don't take well to proving. IMO if it's not safe for a counter it's not safe for a hash.
182 2011-07-22 03:38:03 <lfm> well rsa isnt proved either
183 2011-07-22 03:38:47 <cjdelisle> RSA is hard because it boils down to discrete periodic functions and people don't know how to algebraically solve for sine waves very well.
184 2011-07-22 03:39:02 <gmaxwell> cjdelisle: there are a lot of security protocols that require the hash to be a random oracle.
185 2011-07-22 03:39:18 <iddo> cjdelisle: in practice hash sounds much more safe than counter, any non-random quirks of H() that could be exploited in theory might be very hard in practice
186 2011-07-22 03:39:23 <lfm> in fact I dont think anything except a one time pad has any proof of security
187 2011-07-22 03:39:56 <gmaxwell> lfm: oh thats not so, there are lots of proofs that just depend on particular assumptions.
188 2011-07-22 03:40:26 <lfm> ya depend on unproven assumptions like factoring is np hard and stuff
189 2011-07-22 03:40:33 <cjdelisle> I totally agree re the hash in practice. If for no other reason because confidentiality (public keys not all being one point apart) depends on it.
190 2011-07-22 03:40:35 <gmaxwell> like H() is a random oracle, or that H() is collision resistant. (ECDSA's security depends on the latter)
191 2011-07-22 03:41:20 <gmaxwell> The funny thing is that the "provably secure" hash functions have mostly turned out to be insecure. :)
192 2011-07-22 03:42:48 <cjdelisle> With hashes and ciphers, it's difficult to nail down exactly what makes them hard to break.
193 2011-07-22 03:42:49 <iddo> the provably secure hash functions are secure against collisions i think? it wouldnt help for a proof here
194 2011-07-22 03:43:23 <lfm> what you need is provably irreversible
195 2011-07-22 03:43:52 <iddo> i dont think thats what you need either....
196 2011-07-22 03:44:43 <iddo> you need random behavior, which obviously you cannot prove because it's not random
197 2011-07-22 03:44:44 <lfm> the one way nature is the main point. collisions are unavoidable
198 2011-07-22 03:45:13 <gmaxwell> It's provable if you assume the hash is a random oracle. But yea, the hash isn't.
199 2011-07-22 03:45:29 <iddo> i dont see how resistance to preimage attacks can help to prove anything here
200 2011-07-22 03:45:49 <gmaxwell> Since we don't really have an attack in mind against ECDSA is hard to say the property we need.
201 2011-07-22 03:47:59 <iddo> btw i raised this issue because i saw it on bitcoin show on youtube, the guy who made the short bitcoin movie took it as a done deal that deterministic wallet is obviously good idea for his smartphones implementation etc.
202 2011-07-22 03:48:21 <lfm> then theres stuff like man in the middle which is kinda like subverting the assumptions.
203 2011-07-22 03:50:09 <iddo> the disclaimer should be that (a) it's not provably as secure as single instance of ECDSA, and (b) if you break it at some point, then all the next keys might be easily broken
204 2011-07-22 03:50:34 <lfm> iddo ya deterministic wallet just relies on the same hash functions we are already relying on for the main bitcoin blocks and txn
205 2011-07-22 03:51:03 <iddo> but not relying on it in the same way
206 2011-07-22 03:51:36 <cjdelisle> if it's not provably as secure as single instance of ECDSA then it should not be available or there should be a loud warning to the user before they use it.
207 2011-07-22 03:51:43 <iddo> bitcoin relies on hardness of (partial) preimage attack on random block data
208 2011-07-22 03:52:32 <lfm> Im not sure what (partial) preimage attacks are.
209 2011-07-22 03:52:59 <cjdelisle> getting lots of 0000 at the beginning of a sha256 hash
210 2011-07-22 03:53:06 <gmaxwell> cjdelisle: there are all kinds of things which can't be proven to be as secure.
211 2011-07-22 03:53:20 <iddo> i just meant you dont need to find preimage which is all 0s, just partial according to current difficulty
212 2011-07-22 03:53:23 <gmaxwell> cjdelisle: For example, a single bitflip during signing can pretty much disclose your private key.
213 2011-07-22 03:53:57 <gmaxwell> cjdelisle: so should bitcoin validate every signature attempt 50 times because thats (provably, in fact) more secure than only validating it twice?
214 2011-07-22 03:54:53 <iddo> lfm: here the assumption is more shaky compared to bitcoin sha256, you assume that signing multiple TXs with related keys that are different from one another by hash function that could have non-random quirks cannot be exploited
215 2011-07-22 03:55:04 <gmaxwell> The message signing functionality will expose users to signing message text which is _completely_ chosen by an attacker. Should that get a big warning?
216 2011-07-22 03:55:11 <cjdelisle> I don't care about "provably more secure" I only care that people aren't being shipped software which uses "roll your own" cryptography. Even if it's on the back of a napkin there should be *some* kind of paper written on this first.
217 2011-07-22 03:55:12 <TuxBlackEdo> wut
218 2011-07-22 03:55:18 <TuxBlackEdo> *lol*
219 2011-07-22 03:55:24 <TuxBlackEdo> _lol+
220 2011-07-22 03:55:27 <TuxBlackEdo> _lol_
221 2011-07-22 03:55:29 <TuxBlackEdo> oh
222 2011-07-22 03:55:31 <TuxBlackEdo> thats cool
223 2011-07-22 03:55:38 <gmaxwell> Even though if an attacker can perform a preimage attack he can spend all your money?
224 2011-07-22 03:55:38 <TuxBlackEdo> i didn't know my irc client did that
225 2011-07-22 03:55:53 <gmaxwell> cjdelisle: who's being shipped anything?
226 2011-07-22 03:56:13 <iddo> gmaxwell: is there article about specific bug attack on ECDSA ?
227 2011-07-22 03:56:26 <cjdelisle> Oh, I thought you wanted the deterministic wallet to end up in trunk. You don't?
228 2011-07-22 03:56:30 <gmaxwell> We do have professional cryptographers on the forums, I commented on it precisely so they could sound alarms before I went further.
229 2011-07-22 03:56:31 <lfm> gmaxwell: any message signing should add timestamps and random bits to the message to be signed.
230 2011-07-22 03:56:35 <gmaxwell> cjdelisle: _someday_
231 2011-07-22 03:56:51 <gmaxwell> lfm: I proposed that, and bytecoin really didn't like that.
232 2011-07-22 03:57:07 <lfm> their loss
233 2011-07-22 03:57:20 <gmaxwell> http://forum.bitcoin.org/index.php?topic=6428.msg283958#msg283958
234 2011-07-22 03:58:01 <cjdelisle> I myself am all for it, it's just that without some attempt at a paper, tinkering with crypto algorithms is a bad joke and it will be taken that way.
235 2011-07-22 03:58:34 <TuxBlackEdo> how do we make namecoin be able to tell us how many getworks are being pulled per minute (lets say)
236 2011-07-22 03:58:38 <luke-jr> [01:55:04] <gmaxwell> The message signing functionality will expose users to signing message text which is _completely_ chosen by an attacker. Should that get a big warning? <-- false
237 2011-07-22 03:58:38 <TuxBlackEdo> i mean
238 2011-07-22 03:58:40 <TuxBlackEdo> bitcoin
239 2011-07-22 03:59:11 <gmaxwell> luke-jr: What input to the signing message is unknown to the attacker?
240 2011-07-22 03:59:11 <Joric> http://jcryptool.sourceforge.net/JCrypTool/Home.html elliptic curve cryptography visualization
241 2011-07-22 03:59:27 <luke-jr> gmaxwell: unknown or unchosen?
242 2011-07-22 03:59:27 <TuxBlackEdo> how can i tell how many getworks (or better yet hash/sec) my bitcoind is doing (with all my miners connected)?
243 2011-07-22 03:59:34 <Joric> want to try visualizing keys i have, just for fun
244 2011-07-22 03:59:44 <TuxBlackEdo> totalhash/sec says 0 even though its generating blocks
245 2011-07-22 04:00:10 <lfm> TuxBlackEdo: is it an external miner program?
246 2011-07-22 04:00:32 <TuxBlackEdo> yeah I use external miners, I was just wondering how to get bitcoind to tell me the totalhash/sec
247 2011-07-22 04:00:36 <TuxBlackEdo> or do i need pushpool?
248 2011-07-22 04:00:42 <luke-jr> TuxBlackEdo: it can't.
249 2011-07-22 04:00:43 <gmaxwell> luke-jr: It really needs to have unknown. Because since the input is hashed, if there is unchosen then they can "simply" (assuming hash weaknesses) search for a chosen part that makes it do what they want.
250 2011-07-22 04:00:45 <lfm> TuxBlackEdo: the totalhash/sec is only for internal hashing
251 2011-07-22 04:00:57 <TuxBlackEdo> well
252 2011-07-22 04:01:08 <gmaxwell> luke-jr: E.g. consider security if our hash was MD5 instead.
253 2011-07-22 04:01:10 <TuxBlackEdo> if i ran verbose mode i could see how many getworks per minute its getting, right?
254 2011-07-22 04:01:20 <luke-jr> gmaxwell: if SHA256 is broken, bitcoin is already dead
255 2011-07-22 04:01:32 <cjdelisle> http://www.tarsnap.com/scrypt.html <-- This is a perfect example of someone who wanted to make up his own hash and so he wrote a paper on it. He's not an academic but he put it on paper first and that's what is important.
256 2011-07-22 04:01:44 <gmaxwell> luke-jr: not so, it depends on how it's broken.
257 2011-07-22 04:01:44 <lfm> TuxBlackEdo: maybe, depends on version. prolly pushpool stats are your best bet.
258 2011-07-22 04:01:49 <TuxBlackEdo> and if i know how many getworks it is pulling per minute, i should be able to calculate total hash/sec externally?
259 2011-07-22 04:02:07 <luke-jr> TuxBlackEdo: no
260 2011-07-22 04:02:17 <TuxBlackEdo> how does pushpool get this information? through getwork counting?
261 2011-07-22 04:02:22 <luke-jr> TuxBlackEdo: it doesn't
262 2011-07-22 04:02:26 <TuxBlackEdo> how?
263 2011-07-22 04:02:34 <lfm> TuxBlackEdo: you cant really tell how much work is done on a single getwork.
264 2011-07-22 04:02:39 <luke-jr> pushpool has no idea what the hashrate is
265 2011-07-22 04:02:54 <luke-jr> usually your miner sw tells you
266 2011-07-22 04:02:57 <TuxBlackEdo> how come i can see how fast my miners are going on a pool but i cant when i solo
267 2011-07-22 04:03:07 <gmaxwell> luke-jr: in any case, see my post I stated the case there. The fact that an attacker knows all the inputs lets them choose messages whose hashes have certain properties. I don't like that, but I admit it's just a theoretical risk.
268 2011-07-22 04:03:10 <luke-jr> TuxBlackEdo: pools estimate based on shares you submit
269 2011-07-22 04:03:19 <luke-jr> TuxBlackEdo: solo doesn't have shares
270 2011-07-22 04:03:29 <TuxBlackEdo> oh you are right, that makes sense
271 2011-07-22 04:04:25 <TuxBlackEdo> so i have to run pushpool and make all my miners work on 1 difficulty blocks
272 2011-07-22 04:05:05 <TuxBlackEdo> hmm
273 2011-07-22 04:05:13 <iddo> gmaxwell: which article is about single bit-flip attack on ECDSA ?
274 2011-07-22 04:05:40 <iddo> the article linked in forum you mentioned seems more general
275 2011-07-22 04:05:43 <luke-jr> TuxBlackEdo: or just join a pool
276 2011-07-22 04:05:46 <TuxBlackEdo> i dont even know if i want to know how many hash/sec my solo pool is doing anymore
277 2011-07-22 04:06:29 <TuxBlackEdo> i might have to try pushpool, but i am too lazy
278 2011-07-22 04:06:35 <luke-jr> TuxBlackEdo: use Eligius
279 2011-07-22 04:06:40 <gmaxwell> iddo: sorry,
280 2011-07-22 04:06:41 <iddo> "some lattice attacks on DSA and ECDSA"
281 2011-07-22 04:06:44 <gmaxwell> iddo: one sec
282 2011-07-22 04:06:44 <luke-jr> TuxBlackEdo: http://yourbitcoinaddress:x@mining.eligius.st:8337
283 2011-07-22 04:07:01 <TuxBlackEdo> yeah luke-jr i haven't forgot about your pool :)
284 2011-07-22 04:07:03 <Joric> i wrote an ecdsa reverser lately ;) http://bitcointools.appspot.com
285 2011-07-22 04:11:55 <gmaxwell> iddo: this is weaker than I remember but it's what I was thinking of, I think, http://www.google.com/url?sa=t&source=web&cd=8&ved=0CFEQFjAH&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.139.1652%26rep%3Drep1%26type%3Dpdf&rct=j&q=ecdsa%20fault%20secp256k1%20pdf&ei=DRQpTsO_M8zTgQeV9NmqCw&usg=AFQjCNGqCAMzTqlfXgzWXZT-TsiSroeyVg&cad=rja
286 2011-07-22 04:12:00 <gmaxwell> oh screw you google!
287 2011-07-22 04:12:16 <gmaxwell> iddo: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.139.1652&rep=rep1&type=pdf
288 2011-07-22 04:12:46 <iddo> ok i'll look, thanks
289 2011-07-22 04:14:33 <Joric> jcryptool won't visualize sec256k - "Large elliptic curves are used in professional cryptography. Because of the size of the curves, it's not possible to display a grid or the points of the curve"
290 2011-07-22 04:22:53 <cjdelisle> here it is: s = (k^1 * (H(m) + x * r)) mod q      r is the private key, x, H(m), and q are public, s is part of the signature and k is the secret nonrepeating unpredictable number.
291 2011-07-22 04:23:41 <cjdelisle> It looks to me like it would be trivial to prove.
292 2011-07-22 04:29:07 <iddo> what do you mean by unpredictable? PRNG?
293 2011-07-22 04:30:42 <cjdelisle> Nonrepeating, unpredictable number is the requirement. It's usually a PRNG and if you want to attack ECDSA, you want to attack the random function which makes k
294 2011-07-22 04:30:42 <gmaxwell> iddo: it's the nonce in ECDSA.
295 2011-07-22 04:31:27 <cjdelisle> That's what sony messed up, they used the same k for all of their signatures and as you can see from that, knowing k is ruinous.
296 2011-07-22 04:31:47 <uberjar> what is a fair btc value to pay someone for answering a programming question in an IRC channel ?
297 2011-07-22 04:31:48 <iddo> is this still in the context of type2 deterministic wallet, or you're talking about something more general?
298 2011-07-22 04:32:28 <cjdelisle> I am trying to prove that type2 is as secure as a single key signing everything.
299 2011-07-22 04:32:38 <uberjar> let me rephrase.. what would be about $0.20 in btc ?
300 2011-07-22 04:33:23 <cjdelisle> uberjar: how about asking your question, I can try to answer it and you're free to tip ;)
301 2011-07-22 04:33:24 <iddo> even if all the bits except one bit for the next value in the sequence are unpredictable, you couldnt prove it
302 2011-07-22 04:33:37 <upb> what is a fair btc value to pay someone to divide a number by the current price of btc is usd ?
303 2011-07-22 04:33:56 <cjdelisle> hehe
304 2011-07-22 04:34:01 <uberjar> cjdelisle: you're too late this time someone already helped me I'm just trying to figure out what to tip him
305 2011-07-22 04:34:15 <cjdelisle> iddo: are you talking about k or r?
306 2011-07-22 04:34:24 <uberjar> nice 1 upb
307 2011-07-22 04:34:54 <iddo> from what you wrote i think k ?
308 2011-07-22 04:35:22 <cjdelisle> Any predictability in k is very very bad.   type2 depends on r being related to the last r.
309 2011-07-22 04:35:30 <cjdelisle> k = random, r = key
310 2011-07-22 04:35:46 <cjdelisle> why they use those letters is o_O
311 2011-07-22 04:35:54 <cjdelisle> I copy/pasted from a paper
312 2011-07-22 04:36:18 <iddo> so k should be both deterministic and completely unpredictable ? :)
313 2011-07-22 04:36:46 <cjdelisle> k is random per signature, it needs to be "unpredictable and nonrepeating"
314 2011-07-22 04:37:00 <cjdelisle> r is deterministic, it's the private key
315 2011-07-22 04:37:26 <iddo> so k is public ?
316 2011-07-22 04:37:36 <cjdelisle> noooo if k is public then you are sony
317 2011-07-22 04:37:56 <cjdelisle> even if k is the same for 2 signatures then you are sony
318 2011-07-22 04:37:57 <Joric> they can't use latin, it's both "c" key - clavis, random - casualis :)
319 2011-07-22 04:38:12 <iddo> i fail to understand the scenario
320 2011-07-22 04:38:13 <upb> he just integrated the deterministic wallet into ecdsa
321 2011-07-22 04:38:27 <upb> so its the whole scheme in one
322 2011-07-22 04:38:29 <iddo> if k is private and random, how is it a deterministic sequence ?
323 2011-07-22 04:38:45 <cjdelisle> it's not, r is.
324 2011-07-22 04:38:59 <cjdelisle> r is the private key which is the deterministic sequence
325 2011-07-22 04:39:13 <cjdelisle> k is a number which is secret, and random per signature.
326 2011-07-22 04:39:46 <cjdelisle> sorry about the confusing names, blame certicom, I copied it from their paper.
327 2011-07-22 04:40:10 <iddo> ahh ok i didnt understand, s is the signature
328 2011-07-22 04:40:18 <cjdelisle> yup
329 2011-07-22 04:41:02 <iddo> so what makes you think you can prove anything, if signatures are related because r's are related ?
330 2011-07-22 04:41:52 <cjdelisle> signatures will not be related because r is multiplied by k^-1
331 2011-07-22 04:42:38 <luke-jr> uberjar: 16 mBTC
332 2011-07-22 04:42:39 <iddo> i dont think that means that they're unrelated
333 2011-07-22 04:43:41 <iddo> if that meant they're completely unrelated, it would mean that r is unneeded for signing...?
334 2011-07-22 04:43:57 <cjdelisle> k^1 * (public + public * r)
335 2011-07-22 04:44:42 <cjdelisle> after the multiplication by k^-1, there's no more way to derive r from differences of signatures
336 2011-07-22 04:44:44 <luke-jr> ;;bc,blocks
337 2011-07-22 04:44:45 <gribble> 137449
338 2011-07-22 04:45:45 <cjdelisle> and it's quite clear that it's secure because people sign multiple documents with the same private key so you have
339 2011-07-22 04:45:53 <cjdelisle> k^1 * (public + public * constant)
340 2011-07-22 04:46:19 <iddo> and we're probably trying to prove something too strong, should try to prove that signing multiple msgs with related keys is as secure as signing the same number of msgs with the same key (because providing multiple signatures can be less secure than providing single signature)
341 2011-07-22 04:46:44 <iddo> s/the same key/a single key
342 2011-07-22 04:47:00 <cjdelisle> Yes, that is what I am trying to do. Prove that it is at least as strong as signing everything with the same key.
343 2011-07-22 04:47:11 <Joric> enormous brains, pls take a look at this http://bitcoin-kamikaze.com
344 2011-07-22 04:47:14 <Joric> they use custom salt and md5 in a 'honesty proof', how do you think it can be forged?
345 2011-07-22 04:48:18 <iddo> cjdelisle: it seems that you claim that s doesnt leak any info on r ?
346 2011-07-22 04:48:22 <gmaxwell> Joric: you mean a commitment?  MD5 is vulnerable to both preimage and collision attacks if the attacker can freely choose the end of the hashed message.
347 2011-07-22 04:49:04 <cjdelisle> iddo: that is correct, if it did then signing multiple messages with the same r would equal death.
348 2011-07-22 04:49:25 <Joric> yeah it's vulnerable, but how fast would it be?
349 2011-07-22 04:50:21 <iddo> cjdelisle: but it cannot be correct, only computationally hard
350 2011-07-22 04:50:44 <cjdelisle> you mean computationally hard like trying every key?
351 2011-07-22 04:51:49 <Joric> anyway it can't be considered an honesty proof
352 2011-07-22 04:52:03 <gmaxwell> Joric: the md5 attacks are pretty much instant now, but they are obvious if you manually inspect the messages.
353 2011-07-22 04:52:33 <iddo> the assumption is semantic security i think? given two signatures, one signed with the correct r and the other signed with a random private key, you cannot distinguish between them with an efficient algorithm
354 2011-07-22 04:53:01 <gmaxwell> E.g. someone could make two messages "I bet heads ????????????'??????6y5f5?????????????????????????????????J??????JJ??????j2" and "I bet tails y????????rrfi'???tf??tgd??45??j5" that have the same MD5.
355 2011-07-22 04:53:49 <gmaxwell> Joric: but they can't likely create two message like "1234567 I bet heads" and "3457673 I bet tails" with the same hash.
356 2011-07-22 04:54:01 <gmaxwell> (Just due to the nature of the available attacks)
357 2011-07-22 04:54:07 <iddo> distinguish = have non-negligible probability (higher than 1/2)
358 2011-07-22 04:54:40 <cjdelisle> I don't think that's necessary, all I need to prove is that the multiplication by 2/k leaves no way to compare 2 signatures and derive r
359 2011-07-22 04:54:42 <denisx> http://www.wtfnoway.com/ US Debt in pictures
360 2011-07-22 04:54:59 <JFK911> the us government should have invested in bitcoins
361 2011-07-22 04:55:10 <cjdelisle> It's already proven for a single r, I want to prove it for related r.
362 2011-07-22 04:55:10 <Joric> i think it's not an honesty proof, it's a joke, anybody can precalculate a set of identical hashes for every possible case
363 2011-07-22 04:55:31 <gmaxwell> Joric: you can't, of course.
364 2011-07-22 04:56:05 <gmaxwell> I mean the MD5 attacks are bad and you shouldn't use md5 for this.
365 2011-07-22 04:56:24 <gmaxwell> But I don't think there are any freeform enough that they'd pass human inspection.
366 2011-07-22 04:56:39 <moa7> JFK911: how do you know they didn't?
367 2011-07-22 04:56:46 <gmaxwell> "err why does your commitment string contain 400 bits of random binary garbage?"
368 2011-07-22 04:56:58 <iddo> cjdelisle: is given s it is completely impossible to tell if it was signed with r or with another random private key, then it doesnt make sense because you wouldnt need your private key for signing
369 2011-07-22 04:57:08 <iddo> s/is/if
370 2011-07-22 04:58:02 <cjdelisle> There's another part to the signature as well.
371 2011-07-22 04:58:25 <cjdelisle> It's (G^k mod p) mod q
372 2011-07-22 04:58:38 <cjdelisle> G, p and q are also public
373 2011-07-22 04:59:17 <cjdelisle> but determining k from that is the hard problem that makes dsa infeasible to break.
374 2011-07-22 05:01:18 <iddo> ok so you're saying there's one part that is completely random assuming that k is random, but then you say that some f(k) is public
375 2011-07-22 05:02:35 <cjdelisle> yes but that f() is point multiplication which is not reversible
376 2011-07-22 05:02:37 <Joric> gmaxwell, long story short, how easy it would be to make 2 strings "(1,2,3,4,5)randomgarbage" and "(2,1,3,4,5)anothergarbage" with identical md5 hashes?
377 2011-07-22 05:04:02 <iddo> computationally not reversible ?
378 2011-07-22 05:04:23 <cjdelisle> What it boils down to is there's a function which is not reversible because we don't really know how to do it yet. That is a sad fact but it is all that holds up all modern cryptography.
379 2011-07-22 05:04:46 <cjdelisle> *public key cryptography
380 2011-07-22 05:05:32 <cjdelisle> And fortunately, related keys do not affect this guarantee because they do not affect this function.
381 2011-07-22 05:07:11 <cjdelisle> I have said before that I am more afraid of a bald guy with a few reams of paper and too much free time than I am of a quantum computer.
382 2011-07-22 05:10:32 <JFK911> moa7: because it's bankrupt
383 2011-07-22 05:11:11 <abishai> cjdelisle: this guy? :) -> http://theoriginalwinger.com/2010-03-24-russian-math-genius-solves-100-year-old-problem-then-turns-down-1m-prize
384 2011-07-22 05:11:28 <iddo> cjdelisle: something seems a little dubious, are you claiming that signing multiple msgs with single private key is as secure as signing a single msg ?
385 2011-07-22 05:12:01 <moa7> JFK911: but that doesn't stop them mining btc in the early days if they were "in the know"
386 2011-07-22 05:12:13 <iddo> it seems that that's what you claim, because k is chosen at random each time
387 2011-07-22 05:13:03 <cjdelisle> abishai: that guy is awesome :)
388 2011-07-22 05:13:12 <gmaxwell> Joric: trivial if the garbage can be long and binary. I think it's not easy if you tightly constrain the garbage.
389 2011-07-22 05:13:45 <cjdelisle> iddo: No, I don't claim that signing multiple messages is as secure as a single one, I didn't develop DSA so there is no reason why I should bother trying to claim that.
390 2011-07-22 05:14:13 <cjdelisle> I claim that signing with related keys is as secure as signing with the same key.
391 2011-07-22 05:14:46 <iddo> cjdelisle: but this claim seems to follow from your other claims
392 2011-07-22 05:15:53 <cjdelisle> I don't see how it depends on that. Did I make a mistake?
393 2011-07-22 05:16:33 <iddo> if k is random, you provide signature whose first part is completely random for random k, and second part is f(k) and not f(k,r), then signing multiple msgs is as secure as signing a single msg, no?
394 2011-07-22 05:17:19 <cjdelisle> It would seem so but that is something for the DSA people to deal with.
395 2011-07-22 05:17:45 <iddo> s/it would seem so/it must be so
396 2011-07-22 05:17:46 <iddo> ?
397 2011-07-22 05:17:47 <iddo> :)
398 2011-07-22 05:18:09 <iddo> i think it means that one of your other claims could be wrong
399 2011-07-22 05:18:33 <cjdelisle> Even if signing multiple messages with the same key is marginally less secure (and it probably is) if related keys are as secure as the same key then type2 can go forward.
400 2011-07-22 05:19:28 <iddo> but your proof implies that signing multiple msgs is as secure as single msg
401 2011-07-22 05:20:12 <iddo> at least one of us is saying something wrong here....
402 2011-07-22 05:20:16 <cjdelisle> It is arguably less secure simply because the cryptanalyst has more information to look at, he has twice as much signature and he knows they are related (same key)
403 2011-07-22 05:21:03 <iddo> but you said they're unrelated, you said first part is completely random if k is completely random, and second part depends only on k
404 2011-07-22 05:21:15 <iddo> this makes the signatures unrelated
405 2011-07-22 05:22:25 <cjdelisle> hmm no multiple sigs is definitely less secure.
406 2011-07-22 05:22:46 <iddo> i'm saying that either your proof says that signing multiple msgs with related keys or with same key or just signing single msg are all as secure as each other, or there's something wrong with your claims
407 2011-07-22 05:23:49 <cjdelisle> I am willing to claim that related keys are as secure as the same key, I am not willing to claim that the same key is as secure as only one sig for a given key.
408 2011-07-22 05:24:00 <iddo> if first part of signature is completely random if k is completely random, and second part depends only on k, how multiple sigs less secure?
409 2011-07-22 05:25:07 <iddo> your proof implies what you're unwilling to claim?
410 2011-07-22 05:25:08 <cjdelisle> Because there might be a way to apply the sig verification function to the difference between sigs.
411 2011-07-22 05:25:40 <cjdelisle> That would not be applicable if there was only one sig.
412 2011-07-22 05:26:32 <cjdelisle> But to apply it to the difference between sigs with related keys cannot be easier than applying it to the difference between sigs with the same key.
413 2011-07-22 05:28:30 <iddo> i think that i see maybe where i'm wrong, using the second part of signatures you can discover something first of the signatures, even without reversing k
414 2011-07-22 05:29:08 <iddo> if you had to find k, then it would mean that multiple signatures are as secure as single signature
415 2011-07-22 05:29:36 <cjdelisle> yea, signing generates x from k and y from r and k.  verification generates v from r and k without finding k and then compares v to x
416 2011-07-22 05:29:57 <cjdelisle> erm
417 2011-07-22 05:30:15 <cjdelisle> I broke it
418 2011-07-22 05:31:41 <iddo> s/discover something first/discover something about first part
419 2011-07-22 05:32:00 <cjdelisle> signing generates x from k and y from r, k, and the message.  verification generates v from x, y and the message then it compares v to x.
420 2011-07-22 05:33:37 <cjdelisle> so because it can't reverse the point multiply to get k from x, it point multiplies the other side and compares it to x
421 2011-07-22 05:34:34 <cjdelisle> all I need to do is determine that any attack on a sequence of keys would also apply to many sigs with the same key.
422 2011-07-22 05:36:59 <cjdelisle> hm I'm using the letters backwards, it doesn't matter for the example since I was consistent but it's confusing as hell.
423 2011-07-22 05:37:51 <iddo> so you say that y is completely random for k that is completely random, but x isn't ?
424 2011-07-22 05:39:19 <cjdelisle> I would suggest that x is also unpredictable and marginally less non-repeating than is k
425 2011-07-22 05:40:01 <iddo> if (x,y) were completely random, it would mean that signing multiple msgs is as secure
426 2011-07-22 05:40:14 <iddo> so are you claiming that y is completely random ?
427 2011-07-22 05:40:57 <cjdelisle> I wouldn't use the word "random" I would say: "unpredictable and marginally less non-repeating than is k"
428 2011-07-22 05:41:27 <cjdelisle> Because it is multiplied and modded so it may repeat when k does not.
429 2011-07-22 05:42:24 <iddo> by random i mean: if k is chosen as a completely random value, then y is a completely random value (i.e. if you keep y and discard k)
430 2011-07-22 05:43:52 <cjdelisle> yes that sounds right
431 2011-07-22 05:43:59 <iddo> aren't k and y belong to same domain ?
432 2011-07-22 05:44:16 <iddo> s/arent/dont
433 2011-07-22 05:44:33 <cjdelisle> domain as in "as random as k?"
434 2011-07-22 05:44:59 <iddo> no domain i just meant {1,2,3,...,N} or something?
435 2011-07-22 05:45:21 <cjdelisle> yea they're both mod q so they will be in the same range
436 2011-07-22 05:46:33 <iddo> so didnt you say that multiplying any value by 1/k for random k gives a random value?
437 2011-07-22 05:48:01 <cjdelisle> it would end up random over a different range but if it's modded then that's a moot point.
438 2011-07-22 05:48:24 <iddo> it should be true if this range is a group and k is random
439 2011-07-22 05:49:25 <iddo> so the claims still seem fishy, you choose random k, then (x,y) are random as well, so signing many times is as secure?
440 2011-07-22 05:50:34 <cjdelisle> well we know that from y you can't determine k neither with multiple sigs with the same key nor multiple sigs with different keys.
441 2011-07-22 05:50:46 <cjdelisle> s/different/related/
442 2011-07-22 05:51:01 <iddo> for x, G^k should also be random when G is a generator
443 2011-07-22 05:51:43 <cjdelisle> G is publicly known but if you can reverse that, it's not our fault.
444 2011-07-22 05:53:12 <iddo> but if G^k is random then s=(x,y) is random, so sigs are unrelated?
445 2011-07-22 05:54:15 <cjdelisle> x_1 is unrelated to x_n, y_1 is unrelated to y_n
446 2011-07-22 05:54:59 <cjdelisle> The problem is that {x, y}_1 is related to {x, y}_n because you can verify them both as good signatures.
447 2011-07-22 05:56:10 <cjdelisle> dammit and I thought this would be *easy* to prove :P
448 2011-07-22 06:01:36 <iddo> i think that my faulty logic is that there's no implication from saying that random k means random (x,y) to saying that partial knowledge of k doesnt leak anything
449 2011-07-22 06:02:44 <cjdelisle> ``leaking even a few bits of k in each of several signatures, is enough to break DSA''
450 2011-07-22 06:02:51 <iddo> and of course also (x,y) isnt random, because they were generated from same k
451 2011-07-22 06:02:54 <cjdelisle> from the wiki machine
452 2011-07-22 06:04:24 <iddo> yeah leaking few bits each time is the article that gmaxwell mentioned
453 2011-07-22 06:04:58 <cjdelisle> yea power glitching little chips that do it will get k out of them
454 2011-07-22 06:08:32 <cjdelisle> I'm going to get something to eat and think on it some more, see ya later.
455 2011-07-22 06:08:50 <iddo> so y_1,y_n are unrelated, but (x1,y1),(xn,yn) are related
456 2011-07-22 06:10:17 <iddo> so could it be that for deterministic r sequence, (x1,y1),(xn,yn) are related in a worse way?
457 2011-07-22 06:11:18 <iddo> compared to constant r
458 2011-07-22 06:11:51 <iddo> cannot be proved i think?
459 2011-07-22 06:30:47 <Ketzer> hi @ll
460 2011-07-22 06:35:11 <Ketzer> Is there anyone who has the problem by using Xenlands mining pool: if you log in with your registered username (email-verified) that you will be sent to the index.php and it won't show you the menu for your workers and account details? It's just looking as if you weren't logged in.
461 2011-07-22 07:41:07 <Joric> did anyone try to store the entire blockchain on a google app engine account? it allows up to 1 GB
462 2011-07-22 07:42:17 <MrSam> bc;stats;
463 2011-07-22 07:42:19 <MrSam> hmm
464 2011-07-22 07:42:24 <MrSam> bc;stat
465 2011-07-22 07:42:27 <MrSam> bc;stats
466 2011-07-22 07:43:18 <MrSam> hmm , 1'779'117.44 it seems
467 2011-07-22 07:45:51 <Joric> another blockexplorer: http://abe.john-edwin-tobey.org
468 2011-07-22 07:56:39 <prof7bit> i read somewhere the app engine is very restrictive when it comes to using sockets and non-standard ports but I have never tried myself, it might be wrong information or outdated.
469 2011-07-22 08:00:11 <Joric> well there is a 30 seconds timeout on all connections
470 2011-07-22 08:01:05 <cjdelisle> heh re http://abe.john-edwin-tobey.org I know john.
471 2011-07-22 08:03:18 <cjdelisle> He was telling me that he's interested in some other blockchain currencies and is taking a "may the best currency win" attitude. Re why he made a multicoin compatible blockexplorer.
472 2011-07-22 08:16:12 <moa7> http://abe.john-edwin-tobey.org/ seems weird that NMC has better transaction volume than btc eh?
473 2011-07-22 08:17:52 <lfm> they have over a million txn?
474 2011-07-22 08:18:11 <cjdelisle> Perhaps because there's a rush to grab up nmc in case they jump to 10 like btc did?
475 2011-07-22 08:19:26 <cjdelisle> Pretty soon every tom dick and harry is going to be starting a block chain :/  It's great if they introduce a different payout rate or something but just for the hell of it...
476 2011-07-22 08:23:02 <mtrlt> yea, and?
477 2011-07-22 08:23:18 <mtrlt> nobody will use most of those chains anyway
478 2011-07-22 08:23:59 <cjdelisle> I tend to agree, unless one has a compelling reason why people should want to use it, it will not find much adoption.
479 2011-07-22 08:24:01 <moa7> not many tom, dicks or harry's can even read the source ... so probably not.
480 2011-07-22 08:24:49 <moa7> the first chain that incorporates strong anonymity in the tx signing will win ...
481 2011-07-22 08:25:08 <moa7> better fungibility
482 2011-07-22 08:26:14 <cjdelisle> Indeed. The only thing I am really worried about is merchants ending up with btc which is treated as "stolen property" and then getting out of btc all together.
483 2011-07-22 08:27:51 <AndyBr> hmm, switching between c#, cshtml and t-sql all the time has made me confused. now i can't remember if AND in C# is && or &. need break :-||
484 2011-07-22 08:28:04 <cjdelisle> But you don't need a new chain to make it more anonymous, that can be done just by having a swarm of nodes cooperate to create one transaction where an external viewer can't tell who paid who. (One big transaction per block)
485 2011-07-22 08:29:01 <iddo> if you deposit and then withdraw from mtgox, does that give you anonymity?
486 2011-07-22 08:29:26 <cjdelisle> I imagine if mtgox is asked, they will turn over the records.
487 2011-07-22 08:29:46 <moa7> all are fix-ups, better to just do it properly from the get go ...
488 2011-07-22 08:29:53 <cjdelisle> Otherwise that would be umm.. attackable.
489 2011-07-22 08:30:55 <cjdelisle> I think the best thing btc has going for it is that it exists now. We can sit around and imagine perfect scenarios but that's not going to make a community.
490 2011-07-22 08:31:35 <cjdelisle> And I am just as guilty as the next guy of liking to sit around imagining the perfect code.
491 2011-07-22 08:32:10 <lfm> sit around dreaming that mining will make you rich.
492 2011-07-22 08:34:03 <cjdelisle> I will say that if I had 10 or 20k btc to my name, I would be offering an award to whoever can invent a program which uses btc and gets more than X number of installs.
493 2011-07-22 08:35:23 <iddo> all the developers here probably have 10k or 20k btc ? :)
494 2011-07-22 08:35:52 <lfm> depends when they started
495 2011-07-22 08:36:01 <lfm> and what hardware they have
496 2011-07-22 08:36:05 <erus`> maybe i should learn to who wants a game of blindfold connect four? i will start: d
497 2011-07-22 08:36:18 <lfm> doesnt matter much if theyre a developer or not.
498 2011-07-22 08:36:44 <iddo> i guess developers were among the early adapters
499 2011-07-22 08:37:01 <lfm> some are some arnt
500 2011-07-22 08:38:35 <iddo> i didnt really understand the anonymous tx problem, what's the scenario exactly?
501 2011-07-22 08:39:38 <cjdelisle> iddo: suppose someone has their computer hacked and loses a bunch of btc, they can see where it went in the chain so it's easy to say "nobody accept money from that wallet!"
502 2011-07-22 08:39:50 <lfm> iddo well you understand that all txn are essentially public. the only thing that isn't automatically known is who owns which btc address.
503 2011-07-22 08:40:36 <cjdelisle> But if somebody does, do you then treat them as holders of stolen property? It all gets to be a mess and nobody wants to accept btc because it might have a bad history.
504 2011-07-22 08:40:45 <moa7> the only thing that really needs to be public is the total amount of coin in circulation
505 2011-07-22 08:41:10 <cjdelisle> If you have a blacklist of "bad wallets" then the goobermint will demand that you add a bunch more because they don't like people and judges will demand that you add more...
506 2011-07-22 08:41:20 <moa7> conceptually
507 2011-07-22 08:41:39 <lfm> moa7: well thats not how it is. every txn amount to every address is public. thats how btc works
508 2011-07-22 08:41:41 <mtrlt> that doesn't work if there's no way to unblacklist
509 2011-07-22 08:42:02 <moa7> yes, i know, it is flawed like that ... bad fungibility
510 2011-07-22 08:42:45 <cjdelisle> Once you start doing that, it all just falls apart. Nobody can trust anybody, you might as well go back to credit cards where all you have to worry about is chargebacks.
511 2011-07-22 08:42:46 <moa7> nuff said, the discussion was about alternate chains winning.
512 2011-07-22 08:43:32 <iddo> not sure i understood in that scenario how do you claim that the stolen address belonged to you...
513 2011-07-22 08:43:33 <cjdelisle> I don't see any alt chain ever "winning", btc was the first and it will always have the prestige even if it does prove not to be the most efficient.
514 2011-07-22 08:43:44 <lfm> well it works, we have to accept it now, too late to change btc even if it was possible. alternate block chains may be different but they don't have the acceptance of btc.
515 2011-07-22 08:44:03 <cjdelisle> ^
516 2011-07-22 08:44:31 <moa7> early days.
517 2011-07-22 08:44:58 <cuqaa> submit_work json_rpc_call failed ... JSON-RPC call failed ... anyone can tell me what causes this?
518 2011-07-22 08:45:12 <cuqaa> bitcoind seems to work
519 2011-07-22 08:45:24 <lfm> iddo ya stolen btc, people kinda have to take your word. You would need more trust in the community than the thief.
520 2011-07-22 08:45:34 <cuqaa> but I get this message couple of times per hour
521 2011-07-22 08:45:58 <cjdelisle> However, suppose I was about to develop a groundbreaking piece of software which would use btc as a micropayment system. It is going to make 10,000,000 people adopt btc over the next 5 years. Why should I use btc instead of an alt chain? What incentive is there for me to enrich the early adopters instead of starting fresh?
522 2011-07-22 08:46:21 <lfm> cuqaa: some sort of communications fail. maybe internet congestion or something, or maybe a bug.
523 2011-07-22 08:46:47 <iddo> ahh so blacklists based on voluntarism, this doesnt seem to be a big issue
524 2011-07-22 08:47:31 <lfm> iddo and black market btc laundering will probably still work for the thief.
525 2011-07-22 08:47:44 <Eliel> cjdelisle: how would you know your system really is a groundbreaking system that can succeed on its own?
526 2011-07-22 08:48:09 <lfm> Eliel: only way is to try and succeed or fail
527 2011-07-22 08:48:35 <Eliel> would you really risk the success of the system by trying to use your own currency for it?
528 2011-07-22 08:48:46 <lfm> or trust expert advice (but that can be mistaken too)
529 2011-07-22 08:49:04 <iddo> maybe new blockchain based on sha3 would be nice? or bitcoin itself can transition to sha3
530 2011-07-22 08:49:06 <cjdelisle> Eliel: The assumption is that it doesn't depend on btc, it just uses it to settle internal debts as part of a fairness algorithm. Users don't really even have to know they're invested in btc, they just use it and it works. Think bittorrent.
531 2011-07-22 08:49:34 <Eliel> cjdelisle: that sounds a bit like ripple
532 2011-07-22 08:50:14 <cjdelisle> Ripple has some problems too. It shouldn't be called 'ripple', it should be called 'packet tsunami'
533 2011-07-22 08:50:48 <iddo> would be hard to compete with bitcoin unless you can also convert the new blockchain coins to fiat dollars (or to bitcoins)
534 2011-07-22 08:51:02 <Eliel> cjdelisle: yes, personally, I believe that bitcoin, at least in short term (few years) has a better chance of success.
535 2011-07-22 08:51:13 <iddo> we will see if namecoin is a bubble that would implode soon...
536 2011-07-22 08:52:21 <lfm> iddo a transition to a new hash would be a major step. almost everyone would need to agree to it, but it is theoretically possible, just so hard that no one wants to tackle the job without a very good reason, like maybe if weaknesses are found in sha2.
537 2011-07-22 08:53:14 <iddo> lfm: yeah, but another reason can be that someone else plans to start a competing blockchain based on sha3, so maybe bitcoin better start first?
538 2011-07-22 08:53:40 <lfm> I'd say naw, let them.
539 2011-07-22 08:53:43 <iddo> will take a year until sha3 is announced anyway
540 2011-07-22 08:55:01 <iddo> it's also possible to transition from ECDSA if needed? assuming an attack that is only theoretical for now
541 2011-07-22 08:55:38 <iddo> you generate stronger (pk,sk) and sign with your old sk (only you can do it because the attack isnt practical yet)
542 2011-07-22 08:55:44 <lfm> ya, like you could use RSA but the keys are larger so it would make the packets and the disk files larger
543 2011-07-22 08:56:23 <iddo> s/sign/sign them
544 2011-07-22 08:56:39 <lfm> or maybe DSA signatures , not sure
545 2011-07-22 08:56:41 <AndyBr> why convert to a new system? just start a new currency =)
546 2011-07-22 08:57:22 <iddo> actually, sign the new pk with the old sk
547 2011-07-22 08:57:23 <Joric> is it possible to draw a nice chart with keys on the sec256k curve? jcryptool says 'Large elliptic curves are used in professional cryptography. Because of the size of the curves, it's not possible to display a grid or the points of the curve'
548 2011-07-22 08:57:39 <lfm> AndyBr: substructure. all the other services designed around BTC would have to transit to a new system also.
549 2011-07-22 08:57:51 <diki> lfm, diffcalc works great, thanks
550 2011-07-22 08:58:04 <lfm> diki great, you're welcome
551 2011-07-22 08:59:27 <AndyBr> hmm, i wonder if there is something in this world more boring than writing unit tests
552 2011-07-22 08:59:28 <lfm> joric well you can show a grid, just not at the finest level of detail.
553 2011-07-22 08:59:54 <AndyBr> when i write tests, i daydream about folding laundry or ironing
554 2011-07-22 09:00:25 <lfm> AndyBr: silly boy! :-)
555 2011-07-22 09:11:42 <Eliel> gmaxwell: there's an article about your torrent on a Finnish newspaper.
556 2011-07-22 09:11:49 <Eliel> http://www.uusisuomi.fi/ymparisto/114111-mies-suuttui-%E2%80%9Dtiede-kuuluu-kaikille-tassa-102-000-%E2%82%AClla-ilmaiseksi%E2%80%9D
557 2011-07-22 09:27:48 <Joric> how does merged mining work? i didn't get it... it's breaking the law of conservation of energy :)
558 2011-07-22 09:27:52 <Joric> https://github.com/vinced/namecoin/blob/mergedmine/doc/README_merged-mining.md
559 2011-07-22 09:33:21 <Joric> looks like vinced just going to link namecoin blockchain to the btc blockchain
560 2011-07-22 09:36:14 <Habbie> hi
561 2011-07-22 09:36:35 <Habbie> this tx http://blockexplorer.com/tx/7aab70214bf04ba3b9c16671760d6a59c2e13b6d865e0288ae0e40e56f92a7cf causes two *identical* entries in 'bitcoind listtransactions' - is there anything i can do to distinguish those?
562 2011-07-22 09:40:09 <cjdelisle> Joric: merged mining is described pretty well here: https://en.bitcoin.it/wiki/Alternative_Chains
563 2011-07-22 09:40:41 <lfm> Habbie: do you know where the other one is?
564 2011-07-22 09:40:47 <Habbie> lfm, what other one?
565 2011-07-22 09:41:08 <cjdelisle> You mine btc but you add a "message" to the coinbase transaction which is a hash of a block from the alternate chain.
566 2011-07-22 09:41:27 <lfm> what this txn is in the block chain twice? I don't think that can be.
567 2011-07-22 09:41:51 <Habbie> lfm, the txn is not in the block chain twice. it's one tx that sends to the same address twice. Outputs 0 and 2 are to the same address.
568 2011-07-22 09:42:08 <Habbie> Joric, you dropped out of #bitcoin while i was trying to discuss cheating at bitcoin-kamikaze with you :)
569 2011-07-22 09:42:41 <BlueMatt> ;;seen gmaxwell
570 2011-07-22 09:42:41 <gribble> gmaxwell was last seen in #bitcoin-dev 4 hours, 29 minutes, and 29 seconds ago: <gmaxwell> Joric: trivial if the garbage can be long and binary. I think it's not easy if you tightly constrain the garbage.
571 2011-07-22 09:42:52 <lfm> Habbie: oh, ok thats normal, you just have to distinguish them by their possintion in the txn
572 2011-07-22 09:43:07 <lfm> position
573 2011-07-22 09:43:15 <Habbie> lfm, i know, but 'bitcoind listtransaction' does not include the position. if it did, i would be done :)
574 2011-07-22 09:43:57 <Joric> Habbie, their md5 'honesty proof' is complete bullshit
575 2011-07-22 09:44:05 <BlueMatt> ;;seen sipa
576 2011-07-22 09:44:06 <gribble> sipa was last seen in #bitcoin-dev 1 day, 22 hours, 29 minutes, and 37 seconds ago: <sipa> i suppose there will always be some nodes keeping all blocks, forever
577 2011-07-22 09:44:21 <Habbie> Joric, i read what you said, but from what i can gather online, generating a 'fake' proof would involve 2^50 md5 attempts
578 2011-07-22 09:44:26 <Habbie> Joric, it doesn't seem feasible for a game
579 2011-07-22 09:44:58 <lfm> the way the txn input do the Previous output well the txn has a hash and any txn that use it will have their own hash
580 2011-07-22 09:46:34 <lfm> Habbie: two "outputs" are not two transactions.
581 2011-07-22 09:47:03 <Habbie> lfm, that is in fact my whole point :)
582 2011-07-22 09:47:36 <lfm> so you get both outputs if you ask for that transaction. you dont need anything else.
583 2011-07-22 09:47:39 <Habbie> in bitcoind listtransactions, this single transaction generates this output: https://p.6core.net/p/iqrd22qb26g5f757
584 2011-07-22 09:48:14 <Habbie> i would like to be able to stick the output of listtransactions in a database, but to do that i'd need something to uniquely identify the items in the output
585 2011-07-22 09:48:20 <Habbie> and i'm wondering if i'm missing a trick for that, or not :)
586 2011-07-22 09:48:58 <Joric> Habbie, collision attack on md5 finds collisions within seconds
587 2011-07-22 09:49:07 <Habbie> Joric, do you have a reference for that
588 2011-07-22 09:49:22 <Joric> total complexity is 2^24.1, not 2^50
589 2011-07-22 09:49:42 <lfm> Habbie: nope you're not missing anything. perhaps that should also return the output number
590 2011-07-22 09:50:22 <Habbie> lfm, that would fix it, indeed. i do notice that 'bitcoind gettransaction xxxx' returns a list that i can index into.. i could always make sure i check transactions with that one
591 2011-07-22 09:50:30 <Joric> Habbie, http://www.win.tue.nl/hashclash/On%20Collisions%20for%20MD5%20-%20M.M.J.%20Stevens.pdf
592 2011-07-22 09:50:32 <Habbie> lfm, or alternatively i should patch my bitcoind to include the output number
593 2011-07-22 09:51:52 <Joric> and of course it doesn't need to be realtime
594 2011-07-22 09:52:03 <Habbie> true
595 2011-07-22 09:52:07 <Habbie> they could have a database full of 'em
596 2011-07-22 09:52:15 <Habbie> and even reuse them between players (slight risk there, of course)
597 2011-07-22 09:55:10 <lfm> Habbie: that txn is kinda special since most cases would just have one output to the sum of the values.
598 2011-07-22 09:55:21 <Habbie> Joric, i'm convinced that kamikaze's proof is not very strong :)
599 2011-07-22 09:55:39 <Habbie> lfm, oh i know, but when i write code i try to deal with all possible situations
600 2011-07-22 09:55:53 <Habbie> lfm, i have to admit i generated this txn on purpose (after a few people told me they'd seen it before)
601 2011-07-22 09:56:09 <lfm> hehe ok, good luck with that
602 2011-07-22 09:56:22 <Habbie> :)
603 2011-07-22 10:00:03 <Habbie> basically 'listtransactions' returns a list of mutations to address balances, with the tx as a foreign key. it's not actually a list of transactions
604 2011-07-22 10:04:41 <Habbie> hmm, getreceivedbyaddress only counts additions to the balance, it ignores subtractions. this is perfect for my purposes
605 2011-07-22 10:05:31 <sneak> hi
606 2011-07-22 10:05:38 <sneak> does anyone know the date of the original release of bitcoin.pdf?
607 2011-07-22 10:05:41 <sneak> all i have is "2009"
608 2011-07-22 10:08:12 <Habbie> sneak, metadata on the pdf says Mar 24
609 2011-07-22 10:08:28 <Habbie> sneak, (2009)
610 2011-07-22 10:09:17 <sneak> thanks
611 2011-07-22 10:38:22 <genjix> i noticed that blockexplorer reports the input scripts for a coinbase transaction ([4 bytes] [1 byte]) in a "coinbase" field where it joins the fields together; 04: [ff ff 00 1d] 01: [04]  goes to 04ffff001d0104
612 2011-07-22 10:38:31 <genjix> is there any significance to this?
613 2011-07-22 10:39:05 <genjix> or does it just store it like that since the input script for a coinbase generation is a useless field and there's no point parsing it.
614 2011-07-22 10:40:49 <lfm> genjix: they are just extra nonces, not much point in parsing them for sure
615 2011-07-22 10:41:25 <genjix> ok thanks
616 2011-07-22 10:41:48 <genjix> they still have to be in a valid format though
617 2011-07-22 10:42:08 <genjix> (if you use them as a nonce :p)
618 2011-07-22 10:42:54 <lfm> well ya I guess if you want to put some sort of info in there (like a copy of the compressed target) the length-coded format is useful
619 2011-07-22 10:53:17 <diki> will nmc and btc be merged?
620 2011-07-22 10:54:49 <lfm> I doubt it
621 2011-07-22 10:57:05 <vragnaroda> diki: that's kinda like asking if english and russian will merge.
622 2011-07-22 10:58:22 <diki> interesting you mention russian
623 2011-07-22 10:58:29 <diki> since your name does sound a lot like Russian
624 2011-07-22 10:58:43 <diki> s/name/nick
625 2011-07-22 10:58:50 <erus`> vragnaroda: like spanglish?
626 2011-07-22 10:59:42 <diki> your nick, to me, means "Enemy to the people"
627 2011-07-22 10:59:54 <diki> that's how i interpret it based on my language
628 2011-07-22 11:02:05 <vragnaroda> diki: yes, enemy of the people is the normal translation. but spanglish is not a merging of english and spanish; it's adding to both of them from the other.
629 2011-07-22 11:05:14 <diki> sorry, i don't get the spanglish thing
630 2011-07-22 11:07:10 <vragnaroda> diki: spanglish is not merging the two together. it's adding to both english and spanish, but they're not converging at all.
631 2011-07-22 11:07:28 <vragnaroda> they're not moving toward a common middle at all when spanglish is used
632 2011-07-22 11:08:02 <diki> example?
633 2011-07-22 11:11:18 <AndyBr> como estas muthafuckah
634 2011-07-22 11:11:20 <senseles> is it possible for bitcoin to give mining clients different blocks to work on?
635 2011-07-22 11:11:37 <senseles> seems to me if you had 600ghash/s with each 100ghash/s going after a different block
636 2011-07-22 11:11:39 <AndyBr> in this example, i combined a common phrase in spanish with vernacular from american english
637 2011-07-22 11:11:53 <senseles> your luck value might increase instead of having 600ghash/s churning away at the same block for 24 hours
638 2011-07-22 11:12:24 <diki> senseles
639 2011-07-22 11:12:26 <diki> nope
640 2011-07-22 11:12:30 <senseles> or is it only possible to work on the current block?
641 2011-07-22 11:12:31 <diki> you work on one block
642 2011-07-22 11:12:32 <senseles> ah
643 2011-07-22 11:19:16 <s13013> anyone doing openbsd in esxi?
644 2011-07-22 11:19:21 <s13013> oops, wrong channel.
645 2011-07-22 11:28:03 <prof7bit> they are all trying *different* hashes on the same block, the chances increase that *one* of them will find a valid hash in the same time.
646 2011-07-22 11:28:25 <lfm> Linux 3.0!
647 2011-07-22 11:28:47 <genjix> lfm: yep pretty cool huh :)
648 2011-07-22 11:29:22 <erus`> the semantic penguin
649 2011-07-22 11:29:24 <lfm> Ya like 2.0 is 10 years old or something
650 2011-07-22 11:31:10 <Habbie> senseles, working on 6 different potential blocks at 100ghash/sec each gives you the same odds as working on one potential block at 600ghash/sec
651 2011-07-22 11:35:17 <lfm> senseles note that each block has inside it the hash of the previous block. there is no way to know the hash of the previous block until after the previous block has been found.
652 2011-07-22 11:37:54 <mtrlt> "going after a different block" is meaningless
653 2011-07-22 11:40:49 <lfm> that said, all miners are working on different blocks in that the payout address is different for the coinbase and (barring bugs) the extra nonces can also be used to make different next blocks so no effort at finding a block is replicated.
654 2011-07-22 11:41:15 <lfm> extra nonces
655 2011-07-22 11:42:42 <lfm> so barring bugs all those millions and billions of hashes the miners test will every one be different.
656 2011-07-22 11:43:43 <lfm> ok plus a very slim chance of a hash collision
657 2011-07-22 11:46:14 <dragon720> hi there is italian people?
658 2011-07-22 11:57:08 <Joric> mi scusi
659 2011-07-22 11:59:21 <UukGoblin> mi na tavla fo la italian.
660 2011-07-22 12:03:40 <lfm> he signed off about 10 sec after he asked
661 2011-07-22 12:19:09 <UukGoblin> well yeah my answer was supposed to be a joke... but it was a bad one, I guess
662 2011-07-22 12:21:13 <lfm> I am certainly no judge of jokes in Italian
663 2011-07-22 12:21:29 <UukGoblin> well, part of the joke was that it wasn't italian ;-]
664 2011-07-22 12:21:30 <mtrlt> but it was lojban :P
665 2011-07-22 12:21:46 <mtrlt> anything is awesome in lojban!
666 2011-07-22 12:21:51 <UukGoblin> ;-]
667 2011-07-22 12:22:06 <lfm> I am certainly no judge of jokes in lojban
668 2011-07-22 12:22:47 <copumpkin> italian!
669 2011-07-22 12:25:30 <lfm> hmm google translate doesn't handle lojban either
670 2011-07-22 12:25:42 <doublec> he said he doesn't speak italian
671 2011-07-22 12:26:15 <copumpkin> not sure what is going on though :)
672 2011-07-22 12:26:35 <lfm> in fact google translate seems to think it is Esperanto!
673 2011-07-22 12:27:22 <doublec> what did it think it said?
674 2011-07-22 12:27:47 <lfm> We are not yet able to translate from Esperanto into English.
675 2011-07-22 12:27:54 <doublec> sad
676 2011-07-22 12:27:54 <UukGoblin> lol
677 2011-07-22 12:35:02 <gmaxwell> Hm. Seems that blockexplorer is frequently behind.
678 2011-07-22 12:35:21 <gmaxwell> I wonder if it's peering off of a pre .24 node which is disconnecting it.
679 2011-07-22 12:37:31 <prof7bit> is this still a problem once it has all recent blocks and doesn't need to make huge downloads?
680 2011-07-22 12:38:05 <prof7bit> when it's running 24/7?
681 2011-07-22 12:38:46 <gmaxwell> It's a problem if it ever ends up more than a couple MB behind.
682 2011-07-22 12:43:24 <BlueMatt> b4epoche: ping
683 2011-07-22 12:43:29 <b4epoche_> yep
684 2011-07-22 12:43:40 <BlueMatt> do you, by any chance, happen to have virtualbox installed on your mac?
685 2011-07-22 12:44:03 <b4epoche_> no, but have vmware fusion
686 2011-07-22 12:44:11 <BlueMatt> m, nevermind
687 2011-07-22 12:44:14 <b4epoche_> had vb at one point
688 2011-07-22 12:44:20 <b4epoche_> can install if you want
689 2011-07-22 12:44:45 <BlueMatt> no, its fine
690 2011-07-22 12:45:02 <BlueMatt> I need to do more research first anyway...
691 2011-07-22 12:45:12 <b4epoche_> what you up to?
692 2011-07-22 12:45:25 <BlueMatt> lion
693 2011-07-22 12:45:35 <BlueMatt> oh, I did some looking at cocoa
694 2011-07-22 12:45:41 <BlueMatt> it looks good, but I saw a couple bugs
695 2011-07-22 12:45:56 <b4epoche_> apparently the license allows Lion to be virtualized now.
696 2011-07-22 12:46:08 <BlueMatt> well server has always been legal, but now you can on client too
697 2011-07-22 12:46:16 <b4epoche_> should prevent having to hack around
698 2011-07-22 12:46:18 <BlueMatt> (only on apple hardware though obviously)
699 2011-07-22 12:46:20 <Joric> most ugly ui i've seen. ever. :) http://forum.bitcoin.org/index.php?topic=15276.0
700 2011-07-22 12:46:39 <BlueMatt> first, some of the settings (specifically upnp, not sure about others) don't always update
701 2011-07-22 12:46:50 <BlueMatt> ie change setting, close window, open settings, old value is there
702 2011-07-22 12:47:06 <b4epoche_> ah, yea, haven't messed with that much...
703 2011-07-22 12:47:18 <b4epoche_> Joric:  somewhat agreed
704 2011-07-22 12:47:22 <BlueMatt> Joric: on windows...oh god
705 2011-07-22 12:48:22 <b4epoche_> well, that's really old
706 2011-07-22 12:48:31 <BlueMatt> yea
707 2011-07-22 12:48:36 <BlueMatt> hopefully it has been changed
708 2011-07-22 12:48:45 <b4epoche_> have they gotten feedback?
709 2011-07-22 12:48:55 <BlueMatt> a ton judging by the thread
710 2011-07-22 12:49:01 <Joric> he says it would be merged into 0.4, really?
711 2011-07-22 12:49:08 <BlueMatt> I'd like to get that merged with cocoa, but gim hasn't been around for some reason...
712 2011-07-22 12:49:12 <BlueMatt> Joric: not 0.4, but 0.4.X
713 2011-07-22 12:49:27 <BlueMatt> it looks really good to me, just the background on the windows one...
714 2011-07-22 12:49:43 <Joric> so we're going (L)GPL after all?
715 2011-07-22 12:49:50 <BlueMatt> no
716 2011-07-22 12:49:58 <BlueMatt> well, he would have to relicense it in MIT
717 2011-07-22 12:50:11 <abishai> guys both the current and the linked ui are awful, at least for anyone except hardcore geeks
718 2011-07-22 12:50:41 <TD> gmaxwell: it may be that theymos has not upgraded
719 2011-07-22 12:50:53 <TD> gmaxwell: iirc he refused to upgrade past a certain point because of some fee related change
720 2011-07-22 12:51:02 <FellowTraveler> Hi all.  FYI, I just posted some new builds of Open-Transactions, server + Java client API:  https://github.com/FellowTraveler/Open-Transactions/downloads
721 2011-07-22 12:51:08 <b4epoche_> before anyone starts bad mouthing the Cocoa UI, I just tried to copy the Wx UI
722 2011-07-22 12:51:08 <FellowTraveler> (Win32, Mac64, and Ubuntu 32)
723 2011-07-22 12:51:10 <BlueMatt> why are people so obsessed with the fee thing
724 2011-07-22 12:51:37 <b4epoche_> BlueMatt:  I think it has to do with a loss of control more than anything
725 2011-07-22 12:51:59 <b4epoche_> BlueMatt:  you have to remember the early adopters are 'rebels'
726 2011-07-22 12:52:02 <BlueMatt> yea, though it really only affects those who deal with a /ton/ of /tiny/ transactions
727 2011-07-22 12:52:24 <FellowTraveler> It's not a full install program (yet) but it should save people a lot of hassle not having to build OT.
728 2011-07-22 12:53:13 <gmaxwell> Is the import/export stuff expected for 0.4.0?
729 2011-07-22 12:53:21 <BlueMatt> gmaxwell: yes
730 2011-07-22 12:53:30 <random_cat> in some cases the fee is very annoying
731 2011-07-22 12:53:33 <BlueMatt> that is, I think, everything major that has to get merged for 0.4.0
732 2011-07-22 12:55:23 <imsaguy> I ran into a thing the other day where the .02 wasn't being picked up by anybody because it didn't have a fee attached
733 2011-07-22 12:55:29 <ersi> Joric: I'd have to agree. That looks horrible.
734 2011-07-22 12:56:25 <BlueMatt> imsaguy: if you are using the latest version, it will force a fee if necessary to get it picked up
735 2011-07-22 12:56:36 <imsaguy> this was a mobile version
736 2011-07-22 12:57:08 <imsaguy> so I had to reprocess the chain, add more funds and then redo the transfer for a larger amount
737 2011-07-22 12:57:35 <imsaguy> kinda sucked, but it worked
738 2011-07-22 12:57:37 <TD> one of the android apps, yeah
739 2011-07-22 12:57:39 <Joric> http://goo.gl/7JkhX, totally
740 2011-07-22 12:57:45 <imsaguy> yeah td
741 2011-07-22 12:57:47 <imsaguy> bitcoin wallet
742 2011-07-22 12:57:55 <imsaguy> glad I figured it out though
743 2011-07-22 12:57:59 <TD> sorry about that. it says on the bitcoinj page since forever that some spends may never confirm
744 2011-07-22 12:58:08 <TD> i wish the mobile apps came with stronger health warnings
745 2011-07-22 12:58:09 <imsaguy> I reset the chain in the app
746 2011-07-22 12:58:19 <imsaguy> it still showed the outgoing transaction
747 2011-07-22 12:58:21 <imsaguy> but reset my balance
748 2011-07-22 12:58:25 <imsaguy> so I added more funds
749 2011-07-22 12:58:30 <imsaguy> and then sent a larger transaction
750 2011-07-22 12:58:39 <imsaguy> uninstalled/reinstalled the app to reset the wallet
751 2011-07-22 12:58:51 <TD> i think eventually the tx may have confirmed anyway due to the inputs aging
752 2011-07-22 12:58:52 <imsaguy> they just need to add fee support
753 2011-07-22 12:58:57 <TD> i've forgotten the exact formula used
754 2011-07-22 12:58:59 <TD> imsaguy: why not you?
755 2011-07-22 12:59:01 <imsaguy> nah, no peers were relaying
756 2011-07-22 12:59:08 <TD> ah right, good point
757 2011-07-22 12:59:15 <imsaguy> it was dying before it got to pending
758 2011-07-22 12:59:21 <imsaguy> I watched for hours
759 2011-07-22 12:59:24 <TD> i'm on holidays for a week and a half so i don't think anyone will implement fees for at least a few weeks yet
760 2011-07-22 12:59:26 <imsaguy> tried setting trusted peers
761 2011-07-22 12:59:28 <TD> but patches are welcome
762 2011-07-22 12:59:45 <imsaguy> who are you?
763 2011-07-22 12:59:47 <imsaguy> :-x
764 2011-07-22 13:00:10 <TD> i wrote bitcoinj
765 2011-07-22 13:00:14 <TD> on which the mobile apps are based
766 2011-07-22 13:00:15 <imsaguy> ok
767 2011-07-22 13:00:23 <imsaguy> I don't do java
768 2011-07-22 13:00:36 <TD> too bad
769 2011-07-22 13:00:37 <imsaguy> I'm newer to the bitcoin arena so I don't know many of the names
770 2011-07-22 13:00:46 <imsaguy> but I've been mining for a while
771 2011-07-22 13:00:49 <TD> BlueMatt: seems somebody is generating empty blocks
772 2011-07-22 13:00:59 <imsaguy> oops
773 2011-07-22 13:01:01 <TD> doh
774 2011-07-22 13:01:12 <UukGoblin> their loss... isn't it?
775 2011-07-22 13:01:35 <TD> not really. generating empty blocks will probably become more common in future
776 2011-07-22 13:01:39 <Joric> TD, do you work for google?
777 2011-07-22 13:01:51 <TD> because people aren't attaching fees, and processing the chain is getting more expensive (disk seeks, cpu, etc)
778 2011-07-22 13:01:53 <TD> Joric: yes
779 2011-07-22 13:03:22 <b4epoche_> what happened to BlueBoy?
780 2011-07-22 13:03:51 <UukGoblin> TD, their loss cause they didn't earn the tx fees that they could
781 2011-07-22 13:04:05 <TD> UukGoblin: you're assuming there were any fees to collect
782 2011-07-22 13:04:12 <UukGoblin> yeah
783 2011-07-22 13:04:15 <TD> or that the fees available were worth more than the cost of keeping up with the chain
784 2011-07-22 13:04:34 <erus`> what are < 1 bitcoins called
785 2011-07-22 13:04:43 <erus`> do people count in cents or satoshis or what?
786 2011-07-22 13:05:06 <imsaguy> actually issue 58 is similar to what I was experiencing
787 2011-07-22 13:05:07 <UukGoblin> erus`, no consensus
788 2011-07-22 13:05:16 <b4epoche_> OT but this is going to be really good:  http://www.wolfram.com/broadcast/screencasts/cdf_intro/
789 2011-07-22 13:05:37 <erus`> also can someone download the client and use it without having to download the entire block chain yet?
790 2011-07-22 13:05:57 <UukGoblin> erus`, nope, at least not the mainstream one
791 2011-07-22 13:06:10 <erus`> that really needs to be sorted
792 2011-07-22 13:06:27 <UukGoblin> work is being done on it I believe
793 2011-07-22 13:06:32 <UukGoblin> s/works/work/
794 2011-07-22 13:06:58 <UukGoblin> the big problem imho is that miners really have very little incentive to include transactions without fees in the blocks
795 2011-07-22 13:07:23 <UukGoblin> the only incentive is "to keep users happy and hope that if they're happy I'll indirectly gain more from their happiness later"
796 2011-07-22 13:09:54 <Joric> what would 1 btc be in satoshis? 100 megasatoshi? :)
797 2011-07-22 13:10:07 <copumpkin> yep
798 2011-07-22 13:12:06 <Joric> it's... beautiful... http://img59.imageshack.us/img59/6594/bitcoinqt5.png
799 2011-07-22 13:13:11 <copumpkin> I demand a fork of the official client that counts in satoshis
800 2011-07-22 13:13:15 <copumpkin> it makes me feel richer
801 2011-07-22 13:13:42 <imsaguy> do it yourself!
802 2011-07-22 13:13:47 <b4epoche_> Joric:  if you insist
803 2011-07-22 13:13:58 <gmaxwell> I was in italy during the switch to the euro and there were people on TV whining about how they'd no longer be millionaires.
804 2011-07-22 13:14:10 <copumpkin> b4epoche_: can you have an option in your client to do that?
805 2011-07-22 13:14:22 <b4epoche_> done
806 2011-07-22 13:14:27 <copumpkin> gmaxwell: yeah, there used to be the "who wants to be a billionaire" show on TV
807 2011-07-22 13:14:34 <copumpkin> it turned into a millionaire later :(
808 2011-07-22 13:14:41 <b4epoche_> what's the symbol for a satoshi?  $?
809 2011-07-22 13:14:43 <copumpkin> it was pretty easy to be a millionaire in italy before the switch :)
810 2011-07-22 13:14:49 <TD> Joric: well it's not like the current client is a work of art :)
811 2011-07-22 13:15:33 <imsaguy> Go to mexico
812 2011-07-22 13:15:34 <Joric> TD, this work of art would be merged into 0.4.x
813 2011-07-22 13:15:39 <b4epoche_> if I use $ for a satoshi that might make you feel richer
814 2011-07-22 13:15:40 <imsaguy> you can be a millionaire there pretty easy
815 2011-07-22 13:15:45 <b4epoche_> BlueBoy is back...
816 2011-07-22 13:15:47 <TD> *shrug*
817 2011-07-22 13:15:54 <gmaxwell> (or maybe it was billionaire... millionaire would have been .. not much)
818 2011-07-22 13:15:58 <TD> if it's easier to evolve the UI in Qt and there's a guy who is actively doing so, i'm all for it
819 2011-07-22 13:16:04 <b4epoche_> BlueMatt:  bug fixed, next?