1 2012-04-26 00:33:10 <etotheipi_> sipa: do you have any test vectors I can use to verify my new HD wallet format against yours?
2 2012-04-26 00:34:07 <etotheipi_> right now, I just need HMAC, but eventually, we should have a multi-chain test case with like 5 addresses on each chain
3 2012-04-26 00:48:54 <etotheipi_> sipa, for the HD wallet: whereever you have EC points, are you encoding them as compressed or uncompressed?
4 2012-04-26 01:20:44 <JWU42> https://github.com/bitcoin/bitcoin/issues/273
5 2012-04-26 01:20:58 <JWU42> any chance for some help on this request?
6 2012-04-26 01:21:11 <JWU42> oops
7 2012-04-26 01:22:35 <JWU42> the other was a dupe...
8 2012-04-26 01:24:00 <luke-jr> JWU42: could get a reasonably competent router <.<
9 2012-04-26 01:24:29 <JWU42> I have one thank you - just not wanting to do the traffic shaping
10 2012-04-26 01:24:42 <JWU42> if there was something simple in the daemon
11 2012-04-26 01:24:52 <neofutur> JWU42: added a 1 and some links
12 2012-04-26 01:25:08 <neofutur> s/1/+1
13 2012-04-26 01:27:22 <JWU42> neofutur: thks
14 2012-04-26 01:27:48 <neofutur> the shared blockchain is probably even better than just throttle
15 2012-04-26 01:27:59 <neofutur> saving diskspace _and_ network usage
16 2012-04-26 01:28:02 <JWU42> agreed - for vps especially
17 2012-04-26 01:28:26 <JWU42> I am finding my upstream getting totally hosed 4-5 times a day for 1-2 hours at a time
18 2012-04-26 01:28:39 <neofutur> yup ( we already talked of this on #bitcoin-hosting ) , many people need this
19 2012-04-26 01:29:09 <JWU42> just need to learn the QoS settings in pfsense in the interim
20 2012-04-26 01:29:13 <neofutur> for VPS and even for servers, I run bitcoind on 20 dedicated servers, big waste of diskspace and bandwidth
21 2012-04-26 01:29:20 <JWU42> agreed
22 2012-04-26 01:29:44 <freewil> what is the blockid that is supposed to be passed to listsinceblock
23 2012-04-26 01:30:23 <neofutur> also there are linux tools to limit a program s bandwidth
24 2012-04-26 01:32:29 <JWU42> I will try and do this on the router for now
25 2012-04-26 01:32:39 <JWU42> which is FBSD
26 2012-04-26 01:34:25 <sipa> etotheipi_: the source code in my detwallet branch has hmac test vectors
27 2012-04-26 01:34:51 <sipa> etotheipi_: and ec points in a chain are either all compressed, or all uncompressed
28 2012-04-26 01:35:14 <sipa> though i expect compressed ones to be more common
29 2012-04-26 01:35:35 <neofutur> JWU42: you could try http://monkey.org/~marius/pages/?page=trickle and http://klicman.org/throttle/
30 2012-04-26 01:36:22 <neofutur> but for sure better have an option in bitcoind
31 2012-04-26 01:36:37 <JWU42> agreed
32 2012-04-26 01:36:41 <neofutur> and trickle is not working with all programs
33 2012-04-26 01:38:53 <sipa> why try to implement bandwidth management inside specific programs, when it can be done by implementing it once in common?
34 2012-04-26 01:39:26 <neofutur> also found http://stromberg.dnsalias.org/~strombrg/slowdown/
35 2012-04-26 01:42:03 <sipa> etotheipi_: not sure other test vectors in there are still up to date with the draft
36 2012-04-26 01:44:13 <TuxBlackEdo> sipa, utorrent has a bandwidth limiter
37 2012-04-26 01:46:14 <etotheipi_> sipa: wouldn't it make more sense to just pick one and stick with it? specify that all public keys used in HMAC calcs will be uncompressed... remove the uncertainty
38 2012-04-26 02:01:11 <etotheipi_> sipa: also: why "key[n] ^= 0x5c ^ 0x36;" for the inner HMAC op? the HMAC wiki says it should only be "key[n] ^= 0x36;"
39 2012-04-26 03:49:57 <paulo_> is there another way to solve the double spend problem?
40 2012-04-26 03:54:26 <copumpkin> the only other approach to it (I don't know of actual implementations or details of how/if it would work) that I've heard of is to arrange things so that a spend reveals a part of a secret, so that if you spend the same money multiple times, you somehow reveal enough of your secret that the recipients of your double-spent funds could collude to screw you somehow.
41 2012-04-26 04:03:06 <nanotube> copumpkin: you forgot another approach. centralized bookkeeper. :)
42 2012-04-26 04:03:12 <copumpkin> well yeah :P
43 2012-04-26 04:03:25 <nanotube> so make that 'the only two other approaches' hehe
44 2012-04-26 04:10:26 <paulo_> the difficulty is determined by averaging the amount of time it took to generate blocks, right?
45 2012-04-26 04:28:17 <wumpus> yes you really need to add 'decentralized' to the requirements, that's what makes it difficult
46 2012-04-26 04:28:59 <wumpus> otherwise I suggest opentransactions
47 2012-04-26 04:32:12 <wumpus> or loom: https://loom.cc/help
48 2012-04-26 04:38:11 <neofutur> wow still only 2 confirmations after more than one hour, never seen so slow
49 2012-04-26 04:39:06 <weex> neofutur: stop with your bad luck spells!
50 2012-04-26 04:39:21 <neofutur> http://blockchain.info/tx-index/4411981/1d2811e912708b2a2c399307762551bc6dbfd9fe892ceb22bd4767353aa0281e
51 2012-04-26 04:51:59 <neofutur> http://blockchain.info/
52 2012-04-26 04:52:06 <neofutur> 1 hour / block
53 2012-04-26 04:52:39 <neofutur> 1-2 hours / block ! is this normal ? or something is happening ?
54 2012-04-26 05:32:11 <Takyoji> Any reason for no IPv6 support yet (in the mainstream client)?
55 2012-04-26 05:35:39 <neofutur> concerning ipv6, fyi : http://www.christopher-parsons.com/blog/technology/ipv6-and-the-future-of-privacy/
56 2012-04-26 05:38:09 <neofutur> ( i dont say ipv6 is bad, those are just some interesting thoughts and questions )
57 2012-04-26 05:38:13 <Takyoji> and yes, I'm very familiar with IPv6 and implementation, and help others get it integrated. If privacy is such an issue, there's always the option of temporary addresses (as Windows has privacy extensions active by default)
58 2012-04-26 05:38:46 <Dagger2> or alternately, SOCKS proxies work just fine with IPv6
59 2012-04-26 05:39:10 <Dagger2> and so does NAT (although why you would want to subject yourself to that...)
60 2012-04-26 05:39:41 <Takyoji> or even IPsec, which is included in IPv6, and required to be implemented to be "IPv6 compliant"
61 2012-04-26 05:40:09 <Dagger2> so the people who are really concerned about that can go ahead and make their own lives awkward if they want, whereas the rest of us can continue with our properly-functional networks
62 2012-04-26 05:40:38 <Dagger2> you don't have that choice in v4 because there aren't enough addresses to do it, but you *do* have the choice in v6
63 2012-04-26 05:41:01 <Takyoji> It's just that it comes to a shock to me that, all modern web technologies support IPv6, and yet the Bitcoin clients do not.
64 2012-04-26 05:48:28 <gribble> New news from bitcoinrss: davout opened issue 1149 on bitcoin/bitcoin <https://github.com/bitcoin/bitcoin/issues/1149>
65 2012-04-26 06:19:47 <Graet> Takyoji, maybe ipv6 is great for you, but most isps in my country dont support it yet so doesnt matter if cutting edge tech uses it, i cant....
66 2012-04-26 06:20:30 <Dagger2> Graet: sure you can... what OS?
67 2012-04-26 06:21:18 <Takyoji> That's not a very practical mindset of rollout, also, anyone can get IPv6 connectivity anytime, anywhere.
68 2012-04-26 06:22:09 <Graet> really? even tho my isp says no and they dont yet support ipv6?
69 2012-04-26 06:23:22 <neofutur> yes you can using bridges / over ipv4
70 2012-04-26 06:23:45 <Takyoji> In fact, EVERY Windows Vista and Windows 7 installation have an active IPv6 connection by default, Microsoft just doesn't have the DNS resolver set to resolve IPv6 addresses, yet.
71 2012-04-26 06:23:49 <neofutur> but I m also not interested in adding unstable layers and bridges
72 2012-04-26 06:23:57 <Takyoji> (known as Teredo)
73 2012-04-26 06:24:06 <Dagger2> ^ that
74 2012-04-26 06:24:37 <Dagger2> which is why I was asking for OS. Graet: try `ping 2a00:1450:4007:802::1010` at the commandline, assuming you're on Vista/7
75 2012-04-26 06:24:38 <neofutur> + it isn't _that_ easy to set up yet
76 2012-04-26 06:25:03 <Dagger2> neofutur: better than dealing with NAT though
77 2012-04-26 06:25:05 <Takyoji> There's also http://gogonet.gogo6.com/page/freenet6-services for the non-technical
78 2012-04-26 06:25:45 <Takyoji> where all you need is a username/password
79 2012-04-26 06:25:54 <Takyoji> No router configuration or anything
80 2012-04-26 06:26:15 <Graet> transmit failed. general failure in win7. unknown host in ubuntu oneiric
81 2012-04-26 06:26:31 <Takyoji> I'm plain tired of "oh, well, let's just not do it"
82 2012-04-26 06:26:50 <Graet> ie ping fails
83 2012-04-26 06:27:02 <Takyoji> By the way, it's ping6 on Unix-like systems
84 2012-04-26 06:27:50 <Dagger2> hm, not sure about the win7 error, but for Ubuntu, `apt-get install miredo` (and use ping6 instead of ping) and it should work
85 2012-04-26 06:27:51 <Takyoji> also, Ubuntu doesn't have a Teredo client active by default, you can install miredo.
86 2012-04-26 06:28:18 <Dagger2> ... unless the error on Win7 is caused by Teredo being broken on your network, in which case miredo isn't likely to have much more luck
87 2012-04-26 06:29:11 <Graet> even tho my isp says no and they dont yet support ipv6, is more likely, someone said MS didnt do ipv6 dns yet, maybe my isp hasnt either....
88 2012-04-26 06:29:23 <Dagger2> apparently doing "netsh interface teredo set state enterpriseclient" on Windows may enable Teredo
89 2012-04-26 06:30:12 <Takyoji> It all supports IPv6 DNS resolution. It's just that Microsoft's resolver won't resolve to an IPv6 address unless: the program specifically asks, or, you have a native (non-Teredo) IPv6 connection.
90 2012-04-26 06:30:22 <Dagger2> Graet: `ping` gives "unknown host" on Linux because Linux has separate ping/ping6 tools for v4/v6 (for god knows what reason)
91 2012-04-26 06:32:31 <freewil> ;;bc,tslb
92 2012-04-26 06:32:32 <gribble> Time since last block: 24 minutes and 23 seconds
93 2012-04-26 06:34:06 <Graet> yer i saw
94 2012-04-26 06:35:41 <Takyoji> As it stands, I don't even comprehend why the client lacks IPv6 support; something must be done horrendously wrong for it to have that kind of limitation.
95 2012-04-26 06:37:01 <Takyoji> There doesn't need to be anything manipulated with an IPv6 address, it can even just be stored as a string. There's no 'binary operations' or anything that are relevant to the client in any way to my understanding
96 2012-04-26 06:38:15 <Takyoji> You just pass either a IPv4 or IPv6 address to connect() command, that's all. I don't see how that can get confused or screwed up
97 2012-04-26 06:40:33 <Takyoji> and considering the protocol itself supports it: https://en.bitcoin.it/wiki/Protocol_specification#Network_address
98 2012-04-26 06:40:40 <Dagger2> in fairness, Bitcoin does have additional issues to deal with
99 2012-04-26 06:41:15 <Takyoji> is there a bug tracker somewhere then?
100 2012-04-26 06:42:02 <Dagger2> e.g. someone flooding the network with addresses from their /64; you want your client to be connected to multiple remote nodes, not to the same node over different addresses
101 2012-04-26 06:43:15 <freewil> Takyoji, https://github.com/bitcoin/bitcoin/pull/1021
102 2012-04-26 06:44:11 <freewil> https://github.com/bitcoin/bitcoin/issues/search?q=ipv6
103 2012-04-26 06:47:02 <Takyoji> Seems to be a commit that's close to succession
104 2012-04-26 06:51:46 <freewil> ;;bc,tslb
105 2012-04-26 06:51:47 <gribble> Time since last block: 4 minutes and 13 seconds
106 2012-04-26 06:51:58 <freewil> ;;bc,tslb
107 2012-04-26 06:51:58 <gribble> Time since last block: 4 minutes and 25 seconds
108 2012-04-26 07:52:41 <UukGoblin> anyone know a good inexpensive lawyer that could write up T&Cs for my piece of GPL software? :-P
109 2012-04-26 07:53:05 <sipa> etotheipi_: somehow i don't like "committing" to compressed keys yet; who knows what legal trouble appears still
110 2012-04-26 07:57:04 <da2ce7> sipa: how is your HD wallet spec coming along?
111 2012-04-26 08:39:52 <sipa> etotheipi_: and if you first xored in-place with 0x5c to calculate the inner hash, you need to xor with (0x36 xor 0x58) to end up with the data that needs to be fed to the outer hash no? (the code passes the RFC's HMAC test vectors, so i'm pretty sure they're correct)
112 2012-04-26 08:44:06 <sipa> da2ce7: need a few short sections still; https://raw.github.com/gist/1799467/e7cfe5b757530719627dc2ff75feea5f926f995a/gistfile1.txt
113 2012-04-26 10:41:05 <etotheipi_> sipa, looking at the HMAC pseudo-code, that does not look correct. There's a hash and a concatenation separating the 0x5c and 0x36 padding
114 2012-04-26 10:43:11 <sipa> etotheipi_: ?
115 2012-04-26 10:43:52 <sipa> etotheipi_: you hash ((key xor 0x5c) | ...) and ((key xor 0x36) | ...)
116 2012-04-26 10:44:18 <sipa> as the xoring in my implementation is done in place, you need to a) revert the 0x5c padding, and b) apply the 0x36 padding
117 2012-04-26 10:44:33 <sipa> which equals xoring with 0x5c xor 0x36
118 2012-04-26 10:45:03 <etotheipi_> ooh, you're reverting the the 0x5c because it's in place
119 2012-04-26 10:45:12 <etotheipi_> I should've looked at that closer
120 2012-04-26 10:57:19 <etotheipi_> sipa, in the spec, you first specify the CKD function as taking two inputs, a key/chain pair, and an index, n
121 2012-04-26 10:57:55 <etotheipi_> then under the key tree, you specify only CKD(m,n), where m is...
122 2012-04-26 10:58:29 <etotheipi_> so is the master key 32-bytes message, and 32-bytes of extra entropy?
123 2012-04-26 10:59:47 <sipa> etotheipi_: CKD has two inputs, an extended private key, and an index
124 2012-04-26 11:00:05 <etotheipi_> so "extended key" means ECDSA key + chaincode
125 2012-04-26 11:00:09 <sipa> yes
126 2012-04-26 11:00:28 <sipa> We represent an extended private key as (k,c), with k the normal private key, and c the chain code. An extended public key is represented as (K,c), with K the normal public key and c the chain code.
127 2012-04-26 11:01:47 <etotheipi_> okay, and "accounts" are essentially key-tree-branches, right?
128 2012-04-26 11:02:03 <sipa> basically, yes
129 2012-04-26 11:02:16 <sipa> it's a subtree with an internal and an external chain
130 2012-04-26 11:03:00 <sipa> hmm, i should be consistent in using secret key and private key
131 2012-04-26 11:03:11 <etotheipi_> okay, I got it (I think)
132 2012-04-26 11:03:25 <etotheipi_> this new wallet format is going to be more complicated than I thought
133 2012-04-26 11:03:32 <sipa> m = entire tree
134 2012-04-26 11:03:39 <sipa> m/i = account number i
135 2012-04-26 11:03:48 <sipa> m/i/0 = public chain of account number i
136 2012-04-26 11:03:51 <etotheipi_> but at least I don't have to implement storing multiple chaincodes
137 2012-04-26 11:04:06 <etotheipi_> everything is derived from the room m=(key,chain)
138 2012-04-26 11:04:15 <etotheipi_> *root
139 2012-04-26 11:04:27 <sipa> yes, and the root is derived from a seed that is even shorter
140 2012-04-26 11:05:31 <etotheipi_> and I can give someone the public root of any "account" or just the external chain of that account
141 2012-04-26 11:05:37 <sipa> indeed
142 2012-04-26 11:05:45 <etotheipi_> why a move towards shorter seeds?
143 2012-04-26 11:06:10 <etotheipi_> oh, because a 256-bit ECDSA key only offers about 128 bits of security?
144 2012-04-26 11:06:14 <sipa> yes
145 2012-04-26 11:06:23 <sipa> so 512 bit keys seem totally overkill
146 2012-04-26 11:08:50 <sipa> etotheipi_: basically to allow brainwallet-like things (with randomly generated word strings)
147 2012-04-26 11:08:57 <etotheipi_> so then msg=S in the key generation part is much like a "password" in the case that no key data is ever stored on disk
148 2012-04-26 11:09:16 <sipa> right
149 2012-04-26 11:09:43 <etotheipi_> or rather, you can leave the "bitcoin seed" on disk, and protect it with msg S... though the seed would probably be protected by an encryption requiring a passphrase...
150 2012-04-26 11:09:56 <etotheipi_> isn't that slightly redundant?
151 2012-04-26 11:10:10 <sipa> "Bitcoin seed" is intended to just be a fixed string
152 2012-04-26 11:10:34 <sipa> just to make the derivation application-specific
153 2012-04-26 11:10:49 <etotheipi_> "Bitcoin Seed" is fixed for everyone?
154 2012-04-26 11:10:51 <sipa> yes
155 2012-04-26 11:10:55 <etotheipi_> I mean, everyone uses the same seed?
156 2012-04-26 11:10:57 <sipa> yes
157 2012-04-26 11:11:07 <sipa> well, no
158 2012-04-26 11:11:17 <sipa> "Bitcoin seed" is not the seed, it's just a fixed string
159 2012-04-26 11:11:22 <sipa> S is the seed, and is secret
160 2012-04-26 11:11:34 <sipa> maybe it's confusing wording
161 2012-04-26 11:11:44 <etotheipi_> I = HMAC-SHA512(key="Bitcoin seed", msg=S)
162 2012-04-26 11:11:52 <sipa> yes
163 2012-04-26 11:12:12 <sipa> "Bitcoin seed" is not a variable there, it's just the fixed string constant "Bitcoin seed"
164 2012-04-26 11:12:15 <etotheipi_> so everyone uses the same "key" but each person will have a different seed?
165 2012-04-26 11:12:20 <sipa> yes
166 2012-04-26 11:12:37 <sipa> the alternative was just using SHA512, and have no fixed string
167 2012-04-26 11:12:57 <sipa> but there are potential length-extension weaknesses there, so you use HMAC
168 2012-04-26 11:12:58 <etotheipi_> okay, now I think I get it
169 2012-04-26 11:13:23 <etotheipi_> this is eerily similar to my actual job: taking specifications written by other people and writing matching code
170 2012-04-26 11:13:39 <etotheipi_> although those specifications are written by idiots...
171 2012-04-26 11:13:58 <sipa> etotheipi_: when i have finished the implementation i'll add a test vectors section with intermediate calculation results
172 2012-04-26 11:14:05 <sipa> that will probably clarify a lot
173 2012-04-26 11:14:07 <etotheipi_> sipa: perfect
174 2012-04-26 11:14:14 <etotheipi_> I'm going to get started implementing it...
175 2012-04-26 11:14:21 <etotheipi_> I have other details to work out with my wallet
176 2012-04-26 11:14:25 <etotheipi_> so I'm not in any hurry
177 2012-04-26 11:15:22 <etotheipi_> btw, I don't know you're organizing your new wallets... but I realized that I need to store comments and P2SH scripts outside the wallet itself (or both inside and out)
178 2012-04-26 11:16:01 <etotheipi_> so that users can put their comments and scripts into a file that can be backed up regularly (dropbox?) so they don't have to backup all their key data with it (which may be on a printed backup somewhere)
179 2012-04-26 11:17:16 <sipa> and account names, if you'd support those
180 2012-04-26 11:17:39 <sipa> but indeed, there is certainly non-secret but important information in wallets
181 2012-04-26 11:18:41 <etotheipi_> oh, in Armory I use "comments" to describe all the text info
182 2012-04-26 11:18:48 <etotheipi_> I have address comments and tx comments
183 2012-04-26 11:19:02 <etotheipi_> but maybe I should use "label" for the addresses
184 2012-04-26 11:20:07 <etotheipi_> it's all thrown into a single BST of address and tx hashes: if there's a tx-hash in the tree, display the text for it... if not, look for the recipient address comment and use that if avail
185 2012-04-26 11:22:15 <etotheipi_> I'm wondering now, if it's worth offering encryption on even non-private data...
186 2012-04-26 11:23:02 <etotheipi_> if I have 10k BTC... even if I'm using a watching-only wallet for security: someone who accesses that wallet will know I have a lot of money and might make me a target (and they're already on my computer, so they can probably get all my info)
187 2012-04-26 12:11:51 <gribble> New news from bitcoinrss: gavinandresen opened pull request 1150 on bitcoin/bitcoin <https://github.com/bitcoin/bitcoin/pull/1150>
188 2012-04-26 12:33:24 <delt0r__> etotheipi_: if I have access to your computer, how can any encryption really help? I can always go all keylogger on you
189 2012-04-26 12:37:15 <etotheipi_> delt0r__: because the computer holding this wallet doesn't actually have the private keys
190 2012-04-26 12:37:31 <etotheipi_> compromise the computer all you want, but all you're getting is a bunch of public keys
191 2012-04-26 12:37:45 <etotheipi_> that's the point of offline wallets & watching-only wallets
192 2012-04-26 12:38:12 <etotheipi_> oh, nm.... I misunderstood
193 2012-04-26 12:39:11 <etotheipi_> delt0r__: there's various levels of attacks... just because someone gains access to a file on your system doesn't mean they can/know how to install a keylogger
194 2012-04-26 12:39:17 <delt0r__> right... yea.. but you have a point... watching only wallets
195 2012-04-26 12:39:23 <delt0r__> or two key stuff
196 2012-04-26 12:39:56 <etotheipi_> but most of the time, you're right: the attacks are close enough: if they are close enough to snatch a file, they could easily install a keylogger
197 2012-04-26 12:40:00 <gmaxwell> delt0r__: for example, they might obtain your disk only after you've upgraded to a new computer and thrown out the disk. Encryption provides useful protection there (well, with the iffy assumption that your key is actually any good)
198 2012-04-26 12:40:28 <delt0r__> etotheipi_: I don't think there is much of a credible threat model where there is computer access without keylogger access TBH... esp when the original access is not legit
199 2012-04-26 12:40:45 <gmaxwell> I just gave you one.
200 2012-04-26 12:41:16 <Diablo-D3> remember: vote: https://bitcointalk.org/index.php?topic=78052.0
201 2012-04-26 12:41:28 <gmaxwell> Or another spin on that: Your disk fails. You send it off for RMA replacement. The repair shop now has your wallet. Congrats, you lost.
202 2012-04-26 12:41:29 <delt0r__> gmaxwell: i don't disagree generally... but i am talking about a compromised computer, not hard drive
203 2012-04-26 12:41:55 <gmaxwell> delt0r__: you can also realize that you've been compromised before starting the wallet again.
204 2012-04-26 12:42:15 <etotheipi_> delt0r__: here's a very direct, important reason:
205 2012-04-26 12:42:34 <etotheipi_> I want my watching only wallet and all of the P2SH scripts and comments/labels to be backed up regularly
206 2012-04-26 12:42:42 <etotheipi_> I want to back them up to dropbox
207 2012-04-26 12:42:47 <delt0r__> I use full disk encryption. But its good to be clear about what that does not protect against
208 2012-04-26 12:42:50 <etotheipi_> someone compromising dropbox does not give them keylogger access
209 2012-04-26 12:42:55 <etotheipi_> to my computer
210 2012-04-26 12:43:11 <drizztbsd> new bitcoin supports wallet encryption
211 2012-04-26 12:43:16 <delt0r__> etotheipi_: does a watch only wallet even need the private keys?
212 2012-04-26 12:43:23 <gmaxwell> drizztbsd: by new you mean .. like a year old?
213 2012-04-26 12:43:31 <drizztbsd> yeah :P
214 2012-04-26 12:43:36 <etotheipi_> delt0r__: the watching-only wallet doesn't have the private keys
215 2012-04-26 12:43:43 <delt0r__> yea...
216 2012-04-26 12:44:01 <etotheipi_> but my concern was that if you have a lot of money, someone who compromises your watching-only wallet might see that you have $100k in funds and then make you a target
217 2012-04-26 12:44:03 <delt0r__> ahh.. but you don't like the idea they can work out you have 10k bitcoins
218 2012-04-26 12:44:25 <etotheipi_> exactly
219 2012-04-26 12:45:15 <delt0r__> everything i care about on the "cloud" (hate that term) I always encrypt.
220 2012-04-26 12:45:24 <etotheipi_> so perhaps I can keep all address/tx comments and P2SH scripts in both the main wallet and a separate file
221 2012-04-26 12:45:35 <Eliel> as in, make it the most likely scenario that if you find a watch-only wallet that it's a decoy
222 2012-04-26 12:45:48 <etotheipi_> the main wallet will always hold that data unencrypted, the extra file will hold it encrypted with a private key in the wallet
223 2012-04-26 12:46:32 <etotheipi_> the encryption can be done even with a watching-only wallet
224 2012-04-26 12:46:45 <etotheipi_> and that extra file can be sync'd to dropbox, etc
225 2012-04-26 12:48:01 <etotheipi_> that way if my hard-drive dies, I can restore the wallet keys from paper backup, and then restore all the comments/P2SH-scripts using the encrypted file and my wallet
226 2012-04-26 12:50:34 <etotheipi_> thoughts?
227 2012-04-26 12:51:03 <etotheipi_> actually, the encryption doesn't even have to be done with a private key: it can be done with the root public key
228 2012-04-26 12:52:03 <etotheipi_> or rather, a key derived from your root public key
229 2012-04-26 12:54:29 <etotheipi_> sipa: if there are patent issues with compressed public keys in the HD wallet spec, why not patent issues using it in the main BTC client?
230 2012-04-26 12:54:46 <etotheipi_> s/client/protocol/g
231 2012-04-26 12:55:27 <gmaxwell> etotheipi_: because the use in the client can be optional. And to the extent that it's not optional (chain validation) we didn't get a say in that OpenSSL screwed us there.
232 2012-04-26 12:56:36 <etotheipi_> well if that's the case, why not just make the HD wallet spec always use full public keys and then not deal with storing extra flags?
233 2012-04-26 12:56:44 <etotheipi_> (or patent issues)
234 2012-04-26 12:57:24 <etotheipi_> you can still compressed public keys for the resulting addresses it produces
235 2012-04-26 13:00:54 <paulo_> i'm bored
236 2012-04-26 13:02:34 <delt0r__> regarding patents, What about public key recovery from a ECDSA sig then check that its the correct public key... constrain public keys to only use the largest of the 2 possible y values
237 2012-04-26 13:02:59 <delt0r__> you lose half the possible key pairs.. but that is not a large loss
238 2012-04-26 13:03:25 <delt0r__> Clearly i don't mean for a already defined standard such as bitcoin current
239 2012-04-26 13:03:38 <delt0r__> just Generally..
240 2012-04-26 13:05:31 <delt0r__> In fact you don't need the positive what ever thing about the second coordinate
241 2012-04-26 13:06:01 <delt0r__> if public keys are hashes of the public key Point
242 2012-04-26 13:08:42 <gmaxwell> delt0r__: that has unclear security implications.
243 2012-04-26 13:09:07 <gmaxwell> (or at least it clearly looks like it reduces the keyspace by several bits)
244 2012-04-26 13:09:32 <Diablo-D3> gmaxwell: you havent made your case on the poll thread
245 2012-04-26 13:10:01 <gmaxwell> what poll thread?
246 2012-04-26 13:12:01 <Diablo-D3> https://bitcointalk.org/index.php?topic=78052.0
247 2012-04-26 13:12:03 <etotheipi_> delt0r__: that would also require a protocol change... the compressed keys were already supported because the main client uses OpenSSL which recognized them anyway
248 2012-04-26 13:14:38 <etotheipi_> does the Satoshi client automatically register itself to handle "bitcoin:" URLs? because I don't think it did on my Ubuntu system
249 2012-04-26 13:14:55 <sipa> etotheipi_: hmm, that's a possibility, always do the derivation using uncompressed keys
250 2012-04-26 13:15:11 <Diablo-D3> etotheipi_: no
251 2012-04-26 13:15:12 <delt0r__> gmaxwell: It is fairly easy to prove equivalence to the standard check with the standard collision hash length trade off
252 2012-04-26 13:15:32 <delt0r__> etotheipi_: don't mean for a current protocol... but if there was a new one..
253 2012-04-26 13:16:42 <sipa> delt0r__: if we'd change the protocol anyway, i wouldn't keep using ECDSA :)
254 2012-04-26 13:16:52 <gmaxwell> ^ that
255 2012-04-26 13:16:54 <etotheipi_> sipa: what would you use?
256 2012-04-26 13:16:58 <sipa> Ed25519
257 2012-04-26 13:17:10 <delt0r__> sipa: this is ECDSA, just avoids the patent compression issues
258 2012-04-26 13:17:16 <gmaxwell> sipa: modified Ed25519.
259 2012-04-26 13:17:23 <delt0r__> at least that is the question
260 2012-04-26 13:17:28 <gmaxwell> delt0r__: it doesn't, you're confused there.
261 2012-04-26 13:17:40 <delt0r__> gmaxwell: ? why whouldn't it...
262 2012-04-26 13:17:59 <sipa> Ed25519 is certainly similar to ECDSA, but it has a number of advantages
263 2012-04-26 13:18:17 <delt0r__> gmaxwell: modified ed25519? modified in what way (I am aware of the ec25519)
264 2012-04-26 13:18:18 <gmaxwell> delt0r__: because there isn't any issue with using key recovery with simply adding the extra bits.
265 2012-04-26 13:18:33 <gmaxwell> delt0r__: modified to make key recovery possible.
266 2012-04-26 13:19:03 <delt0r__> gmaxwell: as in there are no issues with patents? if so cool.. i was under the impression that this is not clear legally
267 2012-04-26 13:19:11 <delt0r__> oh.. sorry
268 2012-04-26 13:19:18 <delt0r__> gmaxwell: right
269 2012-04-26 13:19:30 <sipa> there is EC key compression, which has unclear legal status
270 2012-04-26 13:19:43 <delt0r__> interleaving my conversions... is confusing me
271 2012-04-26 13:19:55 <delt0r__> conversations
272 2012-04-26 13:20:04 <sipa> there is ECDSA key recovery, which requires EC key compression, but doesn't actually fit the patent claim on EC key compression
273 2012-04-26 13:20:14 <delt0r__> right
274 2012-04-26 13:20:24 <delt0r__> that is what i was getting at
275 2012-04-26 13:20:51 <sipa> and, if we'd switch protocol, one choice would be using EC signatures + extra bit to make key recovery possible
276 2012-04-26 13:20:56 <delt0r__> how much faster is ec25519 compared to the current curve used in bitcoin?
277 2012-04-26 13:21:13 <sipa> depends on the implementation, i have some benchmarks somewhere
278 2012-04-26 13:21:32 <jrmithdobbs> magnitudes in several cases though isn't it?
279 2012-04-26 13:21:57 <gmaxwell> It was a pretty big speedup comparing our current and the optimized Ed25519 Note that ec25519 and ed25519 are _not_ the same thing.
280 2012-04-26 13:22:11 <delt0r__> I expect that this is the slowest part of validation by a pretty large margin
281 2012-04-26 13:22:26 <delt0r__> gmaxwell: right...
282 2012-04-26 13:22:41 <gmaxwell> We don't have an equally well optimized implementation for our current curve which would reduce the margin somewhat I expect.
283 2012-04-26 13:23:22 <gmaxwell> delt0r__: dunno about your assumption there e.g. 8ms media rotational delay per input could easily dwarf validating one signature per input.
284 2012-04-26 13:23:24 <sipa> jrmithdobbs: the clean C implementation of Ed25519 is about 10x as slow as the current OpenSSL implementation secp256k1-ECDSA
285 2012-04-26 13:23:26 <delt0r__> is it over a GF or Z_p?
286 2012-04-26 13:23:40 <delt0r__> wow
287 2012-04-26 13:23:40 <sipa> jrmithdobbs: the amd64-assembly optimized one is about 8 times faster
288 2012-04-26 13:24:32 <sipa> delt0r__: Z_p
289 2012-04-26 13:24:41 <sipa> with p = 2^255-19
290 2012-04-26 13:24:43 <gmaxwell> (I do wish the protocol allowed you to optionally have one signature when the input scripts are identical)
291 2012-04-26 13:27:10 <delt0r__> sipa: I mean the current curve used in bitcoin
292 2012-04-26 13:27:37 <delt0r__> sorry feeling lazy
293 2012-04-26 13:29:25 <sipa> delt0r__: Z_p as well
294 2012-04-26 13:29:44 <sipa> delt0r__: http://www.secg.org/index.php?action=secg,docs_secg
295 2012-04-26 13:29:52 <sipa> SEC 2 defines the parameters of secp256k1
296 2012-04-26 13:29:57 <delt0r__> yea
297 2012-04-26 13:30:01 <delt0r__> just found it
298 2012-04-26 13:30:03 <delt0r__> thanks
299 2012-04-26 13:31:22 <delt0r__> I would expect HW implementations to be fast with curves over F_2^m
300 2012-04-26 13:31:40 <delt0r__> don't have much of a feeling for software however
301 2012-04-26 13:32:16 <sipa> oclvanitygen implements an EC addition over secp256k1 in OpenCL
302 2012-04-26 13:32:23 <sipa> i believe it's very fast
303 2012-04-26 13:32:28 <sipa> compared to software
304 2012-04-26 13:32:39 <Diablo-D3> what are we doing?
305 2012-04-26 13:36:23 <gmaxwell> sipa: they only step by one, however. So I assumed that it wasn't generally useful.
306 2012-04-26 13:36:43 <sipa> gmaxwell: yes, so it's an addition, not a multiplication
307 2012-04-26 13:37:07 <gmaxwell> And yes, it's very fast.
308 2012-04-26 13:37:32 <gmaxwell> on a single gpu they can do something like 15 million address candidates (ec+two hashes) per second.
309 2012-04-26 13:38:04 <sipa> but since multiplication is really just a loop of 256 additions and quadratures
310 2012-04-26 13:38:17 <sipa> oh, doubling, not quadrature of course
311 2012-04-26 13:38:29 <sipa> i would expect a multiplication to also be very fast
312 2012-04-26 13:38:41 <gmaxwell> Fair enough.
313 2012-04-26 13:39:36 <sipa> If properly implemented :)
314 2012-04-26 14:51:54 <gribble> New news from bitcoinrss: freewil opened pull request 1151 on bitcoin/bitcoin <https://github.com/bitcoin/bitcoin/pull/1151>
315 2012-04-26 15:13:25 <etotheipi_> sipa: quick clarification: the chain codes that are generated per address are essentially ignored... they only matter for the master extended key, and the parent extended keys
316 2012-04-26 15:13:31 <etotheipi_> ?
317 2012-04-26 15:17:21 <gribble> New news from bitcoinrss: freewil opened pull request 1152 on bitcoin/bitcoin <https://github.com/bitcoin/bitcoin/pull/1152>
318 2012-04-26 16:56:49 <pierce> https://github.com/laanwj/bitcoin-python been using that for python, and https://github.com/mikegogulski/bitcoin-php for php, but I was looking to do a GWT app, and didn't see much java goodness around
319 2012-04-26 16:57:25 <pierce> just looking for getbalance sendtoaddress etc, not touching blockchain (bitcoinj etc)
320 2012-04-26 16:57:29 <XMPPwocky> pierce: it's just JSON-RPC
321 2012-04-26 16:57:53 <XMPPwocky> as long as you make sure you parse values as doubles, you can use any library
322 2012-04-26 16:58:12 <pierce> sure :-) I just like to have the class abstraction though
323 2012-04-26 16:58:20 <pierce> JSON-RPC can get messy in java
324 2012-04-26 16:58:49 <pierce> could write up something and post on github, but I would have thought someone else would have done that by now
325 2012-04-26 17:09:11 <sipa> etotheipi_: yes, indeed
326 2012-04-26 17:16:36 <Diablo-D3> remember to vote! https://bitcointalk.org/index.php?topic=78052.0
327 2012-04-26 17:22:45 <pierce> Diablo-D3: you realize that 1m coins is 1/9th of the entire economy?
328 2012-04-26 17:23:22 <Diablo-D3> pierce: yes.
329 2012-04-26 17:23:35 <Diablo-D3> do you realize that this might end up nailing BTC up on the board at $10?
330 2012-04-26 17:31:51 <MC1984> pump n dump confirmed
331 2012-04-26 17:31:55 <pierce> sure, sitting on 1/9th of the economy would do that :-) Of course, if you ended up spending it on say, mining units, retailers would likely attempt to cash out, causing a significant drop in price.
332 2012-04-26 17:33:17 <Diablo-D3> pierce: yes, but if, instead, I use it to run for President
333 2012-04-26 17:33:25 <Diablo-D3> best 1/9th of an economy _ever_
334 2012-04-26 17:33:41 <Diablo-D3> huh.
335 2012-04-26 17:33:50 <Diablo-D3> a bitcoin political party.
336 2012-04-26 17:33:53 <helo> whatever you use it for will likely result in it being "cashed out", unless you sit on it
337 2012-04-26 17:34:21 <helo> oh, misunderstood what you were saying
338 2012-04-26 17:35:16 <pierce> bitcoin doesn't need a party :-) the idea of deregulation of information does need more political attention though
339 2012-04-26 17:39:14 <Diablo-D3> pierce: maybe we can get the pp in on this
340 2012-04-26 17:40:49 <pierce> Diablo-D3: like this? http://thirdpartydaily.blogspot.com/2011/06/founder-of-pirate-party-gets-behind.html
341 2012-04-26 17:41:18 <pierce> the date of that story makes me laugh
342 2012-04-26 17:42:49 <pierce> "the currency has increased in value one-thousandfold against the US dollar in fourteen months. Yes. Read that again: one-thousandfold, fourteen months. There is currently no indication it would stop or has saturated; quite the opposite."
343 2012-04-26 17:43:04 <pierce> from here --> http://falkvinge.net/2011/05/29/why-im-putting-all-my-savings-into-bitcoin/
344 2012-04-26 17:44:10 <Blitzboom> please
345 2012-04-26 17:44:14 <Blitzboom> someone tell me if this is a joke: http://www.bitcoincard.org/
346 2012-04-26 17:44:29 <Blitzboom> video http://vimeo.com/40711689
347 2012-04-26 17:45:03 <Diablo-D3> pierce: er
348 2012-04-26 17:45:08 <Diablo-D3> yeah like that.
349 2012-04-26 17:45:28 <Diablo-D3> wait, wasn't that around the time of the $30 spike?
350 2012-04-26 17:45:37 <pierce> Diablo-D3: exactly :-)
351 2012-04-26 17:45:40 <Blitzboom> Diablo-D3: what a coincidence
352 2012-04-26 17:45:54 <Blitzboom> now watch the fucking video
353 2012-04-26 17:45:54 <Diablo-D3> fucking pirates :<
354 2012-04-26 17:46:17 <pierce> I guess he's doing fine financially now, and still has most in bitcoins, but the timing on that decision was pretty epic
355 2012-04-26 17:46:23 <Diablo-D3> Blitzboom: gotta admit, its well produced
356 2012-04-26 17:46:36 <Blitzboom> is this the NWO?
357 2012-04-26 17:46:51 <Diablo-D3> I like the guys voice
358 2012-04-26 17:46:52 <pierce> woah 300m!
359 2012-04-26 17:47:06 <Diablo-D3> it makes it fakereal
360 2012-04-26 17:47:13 <Diablo-D3> you know what I mean
361 2012-04-26 17:47:30 <Blitzboom> if this shit works, and they achieve a critical mass, it will revolutionize commerce and let them track every consumer
362 2012-04-26 17:47:57 <pierce> don't understand why they didn't just do a phone app..
363 2012-04-26 17:48:09 <Blitzboom> https://bitcointalk.org/index.php?topic=78171.msg870064#msg870064
364 2012-04-26 17:48:11 <pierce> cards need to die
365 2012-04-26 17:48:13 <Blitzboom> confirmed it is real
366 2012-04-26 17:48:19 <Blitzboom> holy shit
367 2012-04-26 17:48:39 <Blitzboom> but i cant believe this actually works as advertised
368 2012-04-26 17:48:53 <Blitzboom> something about it must be shitty (except for being tracked)
369 2012-04-26 17:49:06 <pierce> well, ya, being tracked
370 2012-04-26 17:49:38 <pierce> don't understand why they hammer that point so hard in the video, I would think that quite a few people using coins now would be slightly turned off by that level of tracking
371 2012-04-26 17:49:43 <Diablo-D3> Blitzboom: well, it cant be too real
372 2012-04-26 17:49:44 <Diablo-D3> I dont have one
373 2012-04-26 17:50:29 <pierce> http://www.bitcoincard.org/under_construction_1.php
374 2012-04-26 17:50:30 <pierce> lol
375 2012-04-26 17:51:03 <Blitzboom> i want to see a prototype in action
376 2012-04-26 17:51:13 <pierce> must be somethingawful
377 2012-04-26 17:51:16 <Blitzboom> they make lots of promises
378 2012-04-26 17:51:27 <Diablo-D3> yeah, I have a technology boner going on here
379 2012-04-26 17:51:33 <Diablo-D3> figuratively and literally
380 2012-04-26 18:17:29 <guruvan> The tech is pretty damn impressive looking. The tracking just makes me want to see a competitor that doesn't do that :D
381 2012-04-26 18:28:37 <Blitzboom> guruvan: well, this card will be cheap because you are the product
382 2012-04-26 18:28:45 <Blitzboom> others will be more expensive i guess
383 2012-04-26 18:28:58 <helo> http://www.bitcointard.org
384 2012-04-26 18:29:18 <Diablo-D3> no domain
385 2012-04-26 18:31:08 <MC1984> im watching this bitcoin card thing
386 2012-04-26 18:31:24 <MC1984> 30 seconds in and theyre still describing how its the size of a credit card
387 2012-04-26 18:31:28 <MC1984> im like, cool story bro
388 2012-04-26 18:31:34 <Diablo-D3> it gets awesome fast
389 2012-04-26 18:31:48 <Eliel> guruvan: depending on how the tracking is implemented I might or might not ever use one :P
390 2012-04-26 18:31:58 <MC1984> is it bullshit or what
391 2012-04-26 18:32:41 <Eliel> however, if it's limited to the card projecting an identity at close range only, it might be acceptable.
392 2012-04-26 18:33:41 <MC1984> bitcoin is so not anon as it is
393 2012-04-26 18:33:45 <pierce> MC1984: my opinion is well produced troll
394 2012-04-26 18:34:18 <guruvan> don't care about the bitcoin anonymity, so much as I'm really getting tired of invasive tracking in the guise of advertising
395 2012-04-26 18:37:51 <guruvan> I just don't need some chip reporting to some advertiser how long I stood in front of their product at which stores, omg
396 2012-04-26 18:39:04 <MC1984> the fuck
397 2012-04-26 18:40:12 <guruvan> I managed ops for one of the biggest 1st gen ad networks.....it's come a long way, and gotten a lot more personal since then.
398 2012-04-26 18:40:40 <guruvan> Google's filed a patent to scrape the background noise on your phone calls and serve you ads - kinda like the gmail scrape ads
399 2012-04-26 18:41:03 <MC1984> fuck you mang
400 2012-04-26 18:41:24 <guruvan> combine that data plus the data from one of these cards - there's very little you can't know about an individual by name
401 2012-04-26 18:41:43 <MC1984> youre like the tower guard at auschwitz
402 2012-04-26 18:43:38 <guruvan> hey...wait...I didn't work for DoubleClick!
403 2012-04-26 18:50:23 <MC1984> ok 1:38 in that video, im calling bullshit
404 2012-04-26 18:52:53 <guruvan> gotta move a lotta cards, terminals, and card monitoring devices everywhere, it looks
405 2012-04-26 18:57:19 <MC1984> im at the mesh net bit and my BS detector is off the chart
406 2012-04-26 18:57:44 <MC1984> glorious if it was real but smacks of vapourware
407 2012-04-26 18:57:49 <guruvan> yeah....I don't see that as realistic now
408 2012-04-26 18:58:08 <guruvan> there's apps for android & such, but mmmmmm
409 2012-04-26 19:04:00 <etotheipi_> I think it's possible if it spontaneously reached critical mass
410 2012-04-26 19:04:17 <etotheipi_> the power requirements to transmit a couple hundred meters is nothing compared to transmitting to a cell tower
411 2012-04-26 19:04:56 <MC1984> solar powered yet spends most of its time inside a wallet hmmm
412 2012-04-26 19:05:18 <etotheipi_> I am assuming they won't get it CC-sized...
413 2012-04-26 19:05:33 <etotheipi_> but even if not, it would still have a similar appeal to consumers
414 2012-04-26 19:05:40 <MC1984> i had a solar powered credit card calculator in school
415 2012-04-26 19:05:44 <MC1984> thought i was a fucking boss
416 2012-04-26 21:10:27 <weex> from a data type perspective what does 21m btc fit into when expressed in satoshis?
417 2012-04-26 21:10:59 <luke-jr> 61 bits IIRC
418 2012-04-26 21:11:12 <luke-jr> no, 51
419 2012-04-26 21:12:00 <weex> any reason for that number? I recall having an ahha moment about that but forgot why :/
420 2012-04-26 21:14:32 <luke-jr> weex: Satoshi presumably just picked the 50 BTC constant to start with
421 2012-04-26 21:14:39 <luke-jr> 21mil is the natural result with the halving rules
422 2012-04-26 21:15:47 <weex> ok then, thanks