consensus of more than 50% total network computing power
Computing power has nothing to do with hardforks. Hardforks are not a great path to evolution. They're dangerous and potentially coercive. They must be undertaken with the consent of effectively _all_ users. They should be avoided unless there are no other reasonable alternatives. Although many things have changed and advanced, it's arguable if we've ever had a hardfork or not: Very old nodes can still validate the chain, though they will non-deterministically fail because of semi-hard-forking database management bugs that have been fixed. Fortunately, we don't have to have hardforks to evolve: The P2P protocol is a matter between individual peers. They can negotiate whatever options they want. We have replaced the p2p protocol. Most interesting and important changes to the blockchain validation rules can be accomplished via softforking changes. E.g. P2SH is effectively a radical change in how transaction spending rules are encoded and was accomplished without a hard fork. In Bitcoin evolution is slow. There are wallets which cannot be updated because they run on platforms controlled by corporations which are hostile to user-freedom (in particular, there is an i phone wallet app that produces signatures with an invalid encoding). There are multiple implementations of the Bitcoin protocol, but even with the BIP process their implementers have simply declined to implement some functionality, and its lack of universal availability makes it unusable to users. etc. But the system itself is a gigantic moving machine and failure is difficulty— even impossible— to fix, if something goes wrong so it's hard to say that slowness is a bad thing at all. Slowness helps ensures there is understanding and consent and reduces risk. I heard that anything before 0.3 would not work (even before the latest BIP50 fork). Is that true and what's that about? |
|
|
|
Would it be technically possible to produce a digital equivalent of Casascius-style physical bitcoins?
If yes, this would allow the use of BTC without the need to propagate a transaction through the network. In effect it would be the true equivalent of cash. The balance would be recorded on the blockchain for the public address, but transfers of the private key would remain private.
Such a system would need a transferrable digital wallet/wrapper with the following characteristics:
1. An encrypted private key with a passcode.
2. An indication of whether the private key has ever been decrypted (the equivalent of the seal on a physical bitcoin)
3. A way of generating a new passcode when the wallet/wrapper is transferred so that the new owner can be sure that the old owners cannot decrypt the wallet once possession has changed.
Could it be done?
If you find a way to do this without trusting third party, you are greater than Satoshi. So the answer is simply no. If you trust a third party, you can certainly do this. See https://bitcointalk.org/index.php?topic=277389.0 |
|
|
|
To me it seems like an issue with american non-metric tradition. In Europe people easily say "1.86 meters" while in US it would sound too complex. There you have "6 feet 4 inches" - all whole numbers.
On the other hand, people are simply not used to use hard appreciating currency. Normally all dollars/franks/roubles are losing value and everyone uses bigger whole amounts for the same products. If you give people a deal "your money will increase its value, but for that you'd have to deal with smaller and smaller fractional units over time", would it be considered a great deal? I think people will educate themselves very quickly about anything when their money is involved (and could be controlled by them).
This is Simple: 12 inches = 1 foot; 3 feet = 1 yard; 1760 yards = 1 mile This is Complex: 1000um = 1mm; 1000mm = 1m; 1000m = 1km |
|
|
|
个人挖矿已经不可能了,炒币吧,去买了去796放贷年华收益率有10%-15%,关键是没风险的。
真的嗎?? 這利頭感覺不錯,改天研究一下 当然真的,在796融资融券业务里借出比特币,由借入方将股票抵押给796作担保,然后796再给借出方作担保,所以是完全没风险的。 利率的选择范围是0.2%-4%每周,不算复利相应的年化收益达到10.6%-212%!!! 風險也許不高, 但也要面對796倒閉的風險. |
|
|
|
I think we should ban tx malleability with the following approach: 1. Make anything except P2KH and multi-sig P2SH non-standard 2. Change the transaction version to 2. 3. Define the most significant bit of transaction version as "malleability bit" 4. If malleability bit = 0 AND version = 2, the following new rules are applied (with soft-fork). For other combinations, existing rules apply (ie. malleability is allowed.) 5. Use "low S" as malleability breaker in signature (e.g. https://github.com/bitcoin/bitcoin/commit/e0e14e43d9586409e42919f6cb955540134cda2a ) 6. For P2KH, the scriptSig must and must only push 2 values to the stake, without any other actions 7. For P2SH, the scriptSig must and must only push n values to the stake (in addition to the serialized script), for a n-or-m multisig. 8. Malleability is allowed for any non-standard tx even the malleability bit = 0. Therefore, the user can choose whether they want to allow malleability. Any future protocol upgrade will use a new transaction version so the anti-malleability rules will not apply. (p.s. If I have learnt bitcoin earlier, I would have proposed a similar approach to the P2SH migration. The P2SH has created a permanent exceptional case in the interpretation of OP_HASH160, and that's now irreversible without a hardfork. I think a better way is to define a "P2SH bit" in the transaction version and let people to choose Sorry this won't work without adding further complexity. btw this is off-topic.) |
|
|
|
If extortion is a real concern, Alice should send it with multiple transactions to minimize the incentive to cheat and potential loss. More importantly, with the micro-payment channel mechanism, Alice could send ANY value of bitcoin to escrow, and is always able to get the excessive value back. Therefore, it is impossible for Bob to identify the target transactions. If Bob takes a spray and pray strategy, that would be a big disruption to the whole bitcoin network. In long term, we should forbid malleability, which I'll discuss in another thread: https://bitcointalk.org/index.php?topic=271278.0 |
|
|
|
FWIW jl2012 almost described what you just described, except he didn't make it explicit that you need P2SH: https://bitcointalk.org/index.php?topic=255145.msg2756623#msg2756623Note how to further discourage miners for modifying transactions, you could spend an output of tx1 in a fee paying transaction broadcast at the same time as tx1 is broadcast. Even better would be to pay the tx fee for tx1 via an out-of-band fee paying protocol - like the fidelity-bonded rough consensus balance ideas I've talked about before - that identified transactions solely by txid. Finally make the protocol allow for Alice to request Bob to sign multiple transactions, spread out over time, so that Bob can't know if Alice is asking him to sign a dummy transaction or because tx1 was modified and Alice needs a new refund tx. Note that in some cases you'll need to give Bob a SHA256 midstate so Bob knows what nLockTime/nSequence he's signing - the latter could be tricky to apply due to limitations on what information the midstate can hide - you may need an extra txin - so you're better off with a protocol where Bob learns tx-refund prior to relying on it's contents.EDIT: nah, actually I can't see how you'd prevent Bob from figuring out what tx to mutate based on the nLockTime value, so it looks like you just have to let design the protocol so Bob learns tx-refund (any any dummy's signed) prior to relying on the non-existance of a immediately-mineable refund tx. I don't understand your point. How would Bob know the nLockTime? Alice doesn't need to show tx-refund to him before tx-1 is confirmed |
|
|
|
I had an idea that I thought would work to prevent covenants.
There exist chameleon hash functions... these are hash functions which are parametrized by a public key and are cryptographically strong collision resistant hashes to anyone who doesn't know the secret corresponding to the public key. ... but someone who knows the secret can trivially compute collisions.
My thought was that if you had the hash over the transaction outputs pass through a chameleon hash then you could tell the covenant you were using one set of outputs, but then substitute another set after obtaining your signature. But it would still be secure because no one else could make this substitution.
Unfortunately it seems like it wouldn't work: The covenant could force you to use a nothing up my sleeve number as the public key for the hash, e.g. like the txid of the coin you are spending.
Just add a rule to require all SCIP inputs must be sent to standard pubkey hash outputs, so covenant is not possible. However, this will eliminate all "good use" of covenant. |
|
|
|
Be very careful when reading the volume figures of CNY markets. Some may show fake volume. For example, www.btc008.com claims they have 8000BTC per day while the price is constantly and significantly higher than all other CNY markets |
|
|
|
2013年9月24日 有一笔1314.88 比特币的买入挂单,挂单价788.88. 此挂单人,邮件联系平台,要求提现时不扣除0.001的手续费,因为这笔订单是用于他买给自己女儿陪嫁的,数字上图个吉利。平台方面表示同意。
一生一死, bye bye~~ 为啥这网站的比特币价格那么高?
問: 为啥mtgox的比特币价格那么高? 答: 因為沒有人能在mtgox提取美元 問: 为啥这网站的比特币价格那么高? 答: 沒那麼高又怎會有人上當 |
|
|
|
Hardly. Making payments with good privacy is the whole point of Bitcoin, isn't it?
No. I believe the whole point of Bitcoin is " A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution". Privacy is just a secondary objective. Back to the topic. Unless the salary is paid with 100 completely unrelated transactions, your friend could still figure out your salary. This will create a massive overhead and is obviously not sustainable. In addition, it would be a stupid idea to ask your boss to pay directly to a hot wallet on your smartphone. Firstly, it's unsafe. Secondly, you boss can see all your transactions. The right way is to ask your boss to send to your salary wallet, and use some coin-mixing scheme to move the money to your spending wallet. |
|
|
|
How does the payment protocol solve that?
The request message allows you to request the payment be spread over multiple outputs (which don't have to be pay-to-address type outputs at that point, they could contain any script, like multi-signature scripts). It also lets the payer submit multiple transactions as part of satisfying the same payment. When an app generates a payment request (e.g. to get your salary), it knows how much money it's requesting and it can spread the money over many outputs. They payer might still generate one mega-transaction, but it's smarter for the payer to try and match up what it's got most closely with what's requested, to maximize privacy and minimise leakage.
This is just abusing the blockchain. It won't work when tx fee gets higher in the future |
|
|
|
If you wanted to, you could run games alongside a group video chat to raise the bar for cheating a bit further (i.e. people are not actually sitting next to each other, you can see their hands+keyboard), and you could pay someone independent to randomly audit peoples computers using screen-sharing software to verify they weren't communicating.
In this case, cheaters will tap Morse code with toes. |
|
|
|
|
Asking for camera privilege has some privacy concern. Combining other standard Android detectors such as digital compass and light sensor should be good enough
|
|
|
|
|
Can we use the accelerometer in smartphone as entropy source (or adding it to HW wallet, costs only about 1 USD)? When generating a new address, or signing, the user is asked to shake the device for a few seconds. That should give plenty of randomness
|
|
|
|
List of top100 madmen.
One bitflip while making a transaction with these fat txouts and its $10 million in paper value down the drain.
What is the maximum value in USD would you trust with a bitcoin address? |
|
|
|
Any file, like photo, music, video, could be the seed. However, you will lose the private key even with 1 bit of data loss.
Which is also true of storing any private key electronically (such as in your wallet/client) as well. Yes. But since a private key takes only 256bit, while a photo may take several Mbits, a private key has lower chance of getting corrupted. |
|
|
|
I am familiar with using bitaddress.org to generate addresses. I am not sure how the random numbers are generated.
If I want to use dice to tediously generate a 260 bit random number, how can I use that random number to generate a private key / public address?
I have no programming expertise. Thanks!!
Transform it to a 256bit Hex number and it is already the private key. Then use this to generate the public address: https://www.bitaddress.org/bitaddress.org-v2.4-SHA1-1d5951f6a04dd5a287ac925da4e626870ee58d60.htmlFor safety, you should save the javascript and run it on an offline computer |
|
|
|
|
Any file, like photo, music, video, could be the seed. However, you will lose the private key even with 1 bit of data loss.
|
|
|
|
jl2012: What's interesting about SPV nodes is that because they don't really verify anything, there are cases where a hard-fork for a full node is a soft-fork for a SPV node. One such example is the merkle tree itself - and SPV node wouldn't know the difference if we, say, moved the coinbase transaction to the top of the tree.
Many "simple" hard-forks are transparent to SPV, such as the BIP50 bug fix and increasing MAX_BLOCK_SIZE. For your example of moving the coinbase transaction to the top of the tree, new full nodes need to somehow cheat the old SPV nodes to make it works. More complicated changes, e.g. merkle sum tree, will break SPV nodes You're not thinking deviously enough. Lets suppose I define a new merkle-sum-product-christmas-tree which sums all the transaction values up and even distributes presents to the homeless; we'll call the top level digest of that tree D2, and the top level digest of the old merkle tree D1. Now ask yourself, can a SPV node know if rather than setting hashMerkleRoot to D1 as before, we've set it to Hash(D1 | D2)? A full node certainly can - they have a full list of transactions and will immediately see that something isn't adding up - but what about a SPV node? Also, it'd be interesting to know if any SPV clients out there would even notice if they were given two transactions, ostensibly from the same block, whose merkle paths back to the block header were of different lengths. So we have at least 4 levels of hardforks: Level I hardfork: a hardfork that is completely transparent to SPV nodes, such as the BIP50 bug fix, increasing MAX_BLOCK_SIZE, increasing block reward (too bad!!!) Level II hardfork: a hardfork that adds new functions while all existing functions are still supported, such as SIGHASH_WITHINPUTVALUE ( https://bitcointalk.org/index.php?topic=181734.0) . Old SPV nodes can still function as usual, just not supporting the new function. Level III hardfork: a hardfork that will partially break SPV nodes, such as fixing the OP_CHECKMULTISIG bug. SPV nodes can still receive bitcoin from bug-fixed OP_CHECKMULTISIG but cannot send with it properly Level IV hardfork: a hardfork that will completely break SPV nodes, usually something fundamentally change block or transaction format, such as increasing coin divisibility, 64bit block timestamp. However, this pretty depends on how an SPV node exactly works. With the examples here I assume that SPV will only 1) make sure blocks have adequate PoW; 2) find the chain with highest PoW; 3) look for related transaction outputs in the chain. It would not check the validity of the signature (otherwise SIGHASH_WITHINPUTVALUE signatures of bug-fixed OP_CHECKMULTISIG would look invalid). Please feel free to add more levels to the list (both softfork and hardfork). |
|
|
|
|
Show Posts
