Bitcoin Forum
June 17, 2024, 11:50:45 AM *
News: Voting for pizza day contest
 
  Home Help Search Login Register More  
  Show Posts
Pages: « 1 2 3 4 5 6 [7] 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 »
121  Bitcoin / Development & Technical Discussion / Re: New Mystery about Satoshi on: November 26, 2013, 07:12:34 PM
New evidence of the non-existent connection between Satoshi and DPR:

http://bitslog.wordpress.com/2013/11/26/refutation-to-ronshamir-paper-on-dprsatoshi-link/

Two of the oldest blocks rewards (used by the paper authors to relate DPR to Satoshi) that were collected by 12higDjoCCNXSA95xZMWUdPvXNmkAduhWv and that not part of the Satoshi mining pattern.





Best regards, Sergio.
122  Bitcoin / Development & Technical Discussion / Re: New Mystery about Satoshi on: November 26, 2013, 02:41:26 PM
(Also posted on reddit)
From the "paper":

"The Bitcoin community believes [9] that the vast majority of the early mining operations were carried out by Satoshi Nakamoto, and that during this early period he accumulated about one million bitcoins (..) by mining most of the first 20,000 blocks. "

[9] Lerner S. D.: The Well Deserved Fortune of Satoshi Nakamoto, Bitcoin creator, Vi-sionary and Genius, Bitslog, 17 april 2013, http://bitslog.wordpress.com/2013/04/17/the-well-deserved-fortune-of-satoshi-nakamoto/

This is totally misleading!

From my a post just a few days after that: http://bitslog.wordpress.com/2013/04/24/satoshi-s-fortune-a-more-accurate-figure/

"Another interesting fact is that the pattern starts just after the genesis block, in block 1. ...It seems that block 12 is the first mined by another user."

So two hours after the true Bitcoin genesis block was released, there were other people mining. And other early miners during 2009 accumulated more than 300K bitcoins.

Also the older generation txs received by that address (block heights 357 and 509) does not seem to be part of the Satoshi mining pattern (this I will re-check today)

So the conclusion of the paper is completely flawed.

Sergio D. Lerner.
123  Bitcoin / Development & Technical Discussion / Re: How much slower is a big block propagating than a small block? on: November 05, 2013, 02:27:04 PM
See:
  http://www.tik.ee.ethz.ch/file/49318d3f56c1d525aabf7fda78b23fc0/P2P2013_041.pdf

Quote
each kilobyte in size costs an additional 80ms delay

You can calculate the "orphan cost" of including an extra 1kilobyte of transactions in your block from that, which gives a floor on reasonable transaction fees.

RE: can we decrease that delay:  sure, up to a point. But across-the-world network latency gives a physical limit.
See, for example:
  http://www.verizonenterprise.com/about/network/latency/


If this "80 msec delay" is the delay of the block being accepted by 51% of the nodes, then it means that most miners are loosing money by accepting a fee lower than 0.00333 BTC/KByte, which is the case most of the time.

This is because each 80 msec costs 25*80/1000/60/10 = 0.00333 BTC
Most of the current blocks have lower fees per Kbyte.

In turns this means that, if miners start acting rationally, a standard transaction cost should be at least USD 83 cents, with current exchange rate. Which in turns means if header-only-push is not implemented, the Bitcoin value cannot rationally be higher than 270 USD/BTC, since a 1 USD fee seems too much for most of the common payments.


Is this correct?


124  Bitcoin / Development & Technical Discussion / Re: New Mystery about Satoshi on: November 04, 2013, 02:52:59 PM
And I don't think SHA-256 was broken.

The simpler explanation is that Satoshi did have a good state-of-the-art computer. Justified by the occam's razor principle.
 
125  Bitcoin / Development & Technical Discussion / Re: New Mystery about Satoshi on: November 04, 2013, 02:46:59 PM
My current thought on the matter :

32 zerobits / 10 min , 4.2 Ghash/block
● Satoshi CPUs: 7.1 mhash/s (aprox)

State of the art 2009

● Intel i7-920 CPU: 6 mhash/s
(@ 4 cores) (Introduced Nov 2008)


My opinion is that Satoshi was doing multitasking on 5 threads, but since version 0.1 did not allow internal multitasking, and he didn't wanted to run 6 copies of the client (and store 6 copies of the blockchain) he created a special version of the Satoshi client which sent to 5 other "client" threads some hashing work to be done. But these threads were dumb, and only did the hashing part (no pubkey management, no extra-nonce incrementing). So Satoshi had to split the nonce space in order to avoid wasting work. He chose a range of 10 lsbs per thread because that represents a time (100 msec) that does not generate much IPC traffic and can wait for the remaining threads to finish without killing them if the one thread finds the solution for the block.

Best regards!
126  Bitcoin / Development & Technical Discussion / Re: Majority is not Enough: Bitcoin Mining is Vulnerable on: November 04, 2013, 02:10:03 PM
I have no time to read carefully the paper but..

Some time ago I posted in http://bitslog.wordpress.com/2013/06/26/the-bitcoin-eternal-choice-for-the-dark-side-attack-ecdsa/ a solution to another attack that may also work to protect from this attack:

Quote
The additional protective measure would be that any chain reorg of n blocks is delayed n seconds.  During that wait period, if another better chain reorg is received, it is processed in the same way. After one period expires, the chain reorg is applied, and a new best chain is created. If a block that extends a waiting chain is received, then the waiting lapse is restarted from zero for that chain. ...

This protocol protects from the appearance of simultaneously competing blocks but also from other attacks that may based on hidden branches. So I'll refer the method as "hidden-branch-protection".

Does it help?
127  Bitcoin / Development & Technical Discussion / Re: CoinSwap: Transaction graph disjoint trustless trading on: October 30, 2013, 06:24:23 PM
Possible vector of attack:
If Carol does not give Alice a newly generated public key C each time the protocol is run, then Alice can provide Carol a fake TX_0 TXID (for example, a TXID of another transaction that Alice wants to steal from Carol).
Same happens if Bob does not give Carol a newly generated address each time, then Carol can attack Bob.

Also when the protocol reads {A,C} and {C,B} , these C's should be different, so it would be better to call the second key C'.

To avoid another (minor) problem on how to establish secure and authenticated connections between 3 participants it would be preferable that step D is changed so instead that Bob sends HX to Alice, is Carol who sends XH to Alice (received in the previous step). This removes the need that Alice connects to Bob.


128  Bitcoin / Development & Technical Discussion / Re: CoinSwap: Transaction graph disjoint trustless trading. on: October 30, 2013, 01:44:21 PM
I love the diagram. This must go right to the wiki.
129  Bitcoin / Development & Technical Discussion / Re: Idea for a mixer that can't run with your coins on: October 29, 2013, 02:26:59 PM
I was thinking that the same can be accomplished by the protocol socrates1024 describes for p2p trading here https://bitcointalk.org/index.php?topic=193281.msg3315031#msg3315031.

The idea is that a p2p trade takes place, but for the same cryptocoins instead of two different cryptocoins.
Also only the traders know if they have exchanged coins or they have simulated a coin exchange.

Before they start the protocol they first choose randomly if they will simulate or not.
If it is a simulation, then pubkeyB is replaced by pubkeyA' in TX1 and pubkeyA is replaced by pubkeyB' in TX3.

In both cases it requires 4 transactions (2 bail ins and 2 trigger transactions).

How these two protocols compare ?

The socrates1024 is very easy to analyze.



130  Bitcoin / Development & Technical Discussion / Re: Idea for a mixer that can't run with your coins on: October 29, 2013, 01:43:00 PM
Interesting protocol, I will analyze more carefully. I suppose the retep version is the one being discussed.
131  Bitcoin / Project Development / Re: Momentum Proof-of-Work Bounty - 30 BTC on: October 21, 2013, 02:20:06 AM
bytemaster: Your idea of using hash collisions is good, but is not new!

I proposed it on my paper MAVEPAY, April 16, 2012  (and even then I thought I wasn't  something new).

Here is the part of the paper where the Colission POW (as I called it) is proposed, available in http://bitslog.files.wordpress.com/2012/04/mavepay1.pdf

The Collision POW:
The collision POW is based on the difficulty of finding partial preimage collisions of two messages. The packet broadcast has the following properties:
•packet=< command, nonce1, nonce2, bn >
•tmp=Hash(command||bn).
•pow1=Hash(tmp||nonce1).
•pow2=Hash(tmp||nonce2).
•pow1 and pow2 must be prefixed by some predefined number of zero bits and share some number of following bits (the remaining bits can differ).
The related attack is the partial collision attack.

Birthday attacks require large amounts of memory and so preclude the use of GPUs and other massively parallel computer architectures. An attacker is therefore less capable of using these technologies to mount a command flooding attack.

Could you please add a reference in your paper to the Collision Pow of MAVEPAY ?

Best regards, Sergio.
132  Bitcoin / Development & Technical Discussion / Re: Proof of Storage to make distributed resource consumption costly. on: October 17, 2013, 12:53:53 PM
Note I invented Proof-of-Harddrive in my Bitcoin : The Digital Kill Switch thread several months prior. Thanks for finding a useful application of it, even if you may prefer DRAM. I had to abandon it as a substitute for PoW because it doesn't provide the entropy for selecting which peer is next.

Could you provide a link to the exact post where you elaborate the idea of Proof-of-Harddrive ?
133  Bitcoin / Development & Technical Discussion / Re: Proof of Storage to make distributed resource consumption costly. on: October 16, 2013, 12:49:16 PM
side-topic: Also a node could prioritize nodes which store the full block-chain. This can be done with a variety of protocols known as  Proof of Storage and Proof of Retreivability.
134  Bitcoin / Development & Technical Discussion / Re: Proof of Storage to make distributed resource consumption costly. on: October 15, 2013, 01:36:36 PM
Gmaxwell: Your idea is excellent, but needs some changes to prevent an obvious query forwarding attack.

Suppose client C wants to prove the server S that he keeps the data. When client C connects to server S, it also connects to some client D, acting as a server. Then server S sends the seed to client C, client C forwards the same seed to client D. Also each query is forwarded.
S cannot detect C is cheating, because he is in fact checking D storage. Then the seed must be chosen by a fair coin-flip or similar protocol.

New proposed Setup Protocol

C chooses a seed c and sends it to S.
S chooses a seed s and sends it to C.
Both agree that seed = H (c | s)

Also it's important to note that C may not store all the tree, but only a precomputed top. To effectively detect if C is in fact storing almost all the tree or not, S would need to make many time measurements of C responses, averaging the elapsed time.

135  Bitcoin / Development & Technical Discussion / Re: Alt chains and atomic transfers on: October 10, 2013, 08:36:59 PM
This socrates1024 protocol seems to be much better than some others I saw. I can't find any drawback.

136  Bitcoin / Development & Technical Discussion / Soft-fork Proposal: allow nLockTime specify an UPPER limit instead of lower lim. on: October 09, 2013, 11:01:10 PM
In the thread https://bitcointalk.org/index.php?topic=307211.0 I propose a method to protect users money from attackers by creating 2-step transactions, so users can roll-back if an attacker attempts to do step 1. The first step can be reverted using cold storage keys. I called it the "Tick method".

I realized that the same method could be implemented much more easily if transactions could specify a time/block number after they are unable to be accepted in the block chain.

Currently nLockTime has a threshold:

int LOCKTIME_THRESHOLD = 500000000; // Tue Nov  5 00:53:20 1985 UTC

Values lower than LOCKTIME_THRESHOLD are considered block numbers and values higher than LOCKTIME_THRESHOLD they are considered unix timestamps.
Since Bitcoin didn't existed from 1985 to 2009, I propose a soft-fork where nLockTime in ranges:

nLockTime in (LOCKTIME_THRESHOLD to 510000000): Valid before block (nLockTime- LOCKTIME_THRESHOLD+262634) (190 years avail, upto 2203)
nLockTime in (510000000 to 1230000000): Valid before time (nLockTime-510000000+1230000000): 22.8 years avail (up to 2036)

Code change should look something like: (note: I'm not taking into account txin.IsFinal(), this is just an example)

  
Code:
  
bool IsFinal(int nBlockHeight=0, int64 nBlockTime=0) const
    {
   ....
        if ((int64)nLockTime < LOCKTIME_THRESHOLD )        {
          if ((int64)nLockTime < (int64)nBlockHeight)
             return true;
        }
       else
       if  ( (int64)nLockTime <510000000)       {
          if ((int64)nLockTime- LOCKTIME_THRESHOLD+262634 >= (int64)nBlockHeight)
             return true;
       }
       else
       if  ( (int64)nLockTime <1230000000)       {
          if ((int64)nLockTime-510000000+1230000000 >= (int64)nBlockTime)
             return true;
       }
      else
      if ((int64)nLockTime > (int64)nBlockTime)
             return true;
  ...
}

There may be many more use case (Mike Hearn?)

Best regards,
 Sergio.
137  Bitcoin / Bitcoin Discussion / Re: How to use fiat currencies for Bitcoin offline transactions? on: October 09, 2013, 10:15:59 PM
I posted more thoughts about the btcusr idea (which I named BitBanknotes, so it can be referred) in my blog:

http://bitslog.wordpress.com/2013/10/09/a-disturbing-idea-bitbanknotes/
138  Bitcoin / Development & Technical Discussion / Re: Isn't the output of SHA256 *slightly* too big to use for a private key? on: October 09, 2013, 07:24:05 PM
So, do brainwallet.org or any of the other brainwallet sites reject pass phrases that happen to hash above n?

The probability to hash above n is 1/2^128, so it should be considered practically impossible to achieve.
139  Bitcoin / Development & Technical Discussion / Re: Making Hot Wallets Impossible to Steal - Now with 5 BTC bounty on: October 09, 2013, 07:20:33 PM
Informal Proof: As you see, any payment that goes out from Txo MUST go through any TxIn, and then it MUST go thought the corresponding TxOut transaction, which are separated exactly delta time. Since the private keys of Txo(i) are not stored in the hot wallet, there is no other way to redeem the funds.

Also note that by burning the ticks periodically, you prevent both TxIn and TxOut for being published simultaneously.

Note that you MUST also monitor the block-chain for the tick burning transactions, if a tick is missing for too long, then you MUST also follow the theft procedure.
140  Bitcoin / Development & Technical Discussion / Re: Making Hot Wallets Impossible to Steal - Now with 5 BTC bounty on: October 09, 2013, 07:16:02 PM
The "Tick" method

Let's say you have X BTC divided in N transaction outputs Txo(i)=(TxHash(i),outN(i)) for 0<=i<N  (for simplicity suppose each output has exactly X/N BTC)
To simplify the explanation, let K(output) be the input (hash + outN + signature ) to redeem the output.

Preparation stage

Once a month, you use a secure computer, load cold storage keys and:

1. you create a sequence of transactions TxTick(0)...TxTick(M-1) called "ticks".

Each Tick transaction pays almost the same amount to the following (minus the fees). So TxTick(j).input[0] redeems the funds stored in the output of TxTick(j-1).output[0]. Each ticks uses a different destination address. Also each tick transaction has a nLockTime set at equally spaced deadlines (separation of delta time). (e.g. once a day, or once an hour). The ticks must cover the time for the full month.

2. For each Txo(i) and each TxTick(j) you create two transactions TxIn(i,j) and TxOut(i,j).

TxIn(i,j) has two inputs and one two outputs:
- TxIn(i,j).input[0] = K(Txo(i))
- TxIn(i,j).input[1] = K(TxTick(j).output[0])
- TxIn(i,j).output[0] = new unique address

TxOut(i,j) has two inputs and one output:

- TxOut(i,j).input[0] = K(TxIn(i,j).output[0])                (signature has SIGHASH_NONE flag)
- TxOut(i,j).input[1] = K(TxTick(j+delta).output[0])     (signature has SIGHASH_NONE flag, here delta is the time interval to lock funds)
- TxOut(i,j).output[0] = empty (to be filled at payment time)


All TxIn and TxOut and TxTick transactions go to the hot wallet. All private keys generated during the process go to cold storage (or at least are encrypted and the encryption-key is cold stored)

Normal use

Each tick-interval, you broadcast the corresponding TxTick to be included in the blockchain, so previous tick outputs cannot be reused.

Suppose you want to pay X/K (exactly one Txo, say Txo(i)) to the address DstAddr.

1. Choose TxIn(i,j) and TxOut(i,j), where j is the next tick which has not been spent.
2. Fill the field TxOut(i,j).input[0] with DstAddr.
3. Broadcast TxIn(i,j).
3. Wait one delta interval
4. Broadcast TxOut(i,j), and the payment is done.


Theft

In case that the hot wallet is compromised by an attacker, and the attacker is willing to spend your funds he will be forced to broadcast a TxIn() transaction.

If you're monitoring the block-chain, then you will have a delta interval to open your cold storage keys and immediately re-send all funds stored in unspent Txo AND in the TxIn's recently broadcasted to a newly generated addresses.

Best regards, I hope this helps (as long as I know, it has never been proposed before)

If you wish to send me the bounty, my address is: 17mcFB7Xyymd9hxp2bgNPz1ruWsdoPoCnZ




Pages: « 1 2 3 4 5 6 [7] 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 »
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!