Bitcoin Forum
  Show Posts
341  Bitcoin / Electrum / "Exposing a single private key can compromise your entire wallet!" on: June 23, 2017, 03:14:09 PM
Is it true that a deterministic wallet's seed (or master private key or equivalent) can be recovered completely from just one of the private keys that it created? Is this a guaranteed every time sort of thing, or a probabilistic thing, or what?
342  Bitcoin / Bitcoin Discussion / Why are decentralisation advocates seemingly only concerned about block size? on: August 19, 2015, 05:12:10 AM
One of the most common arguments against any proposal to increase Bitcoin's block size limit is that it would inherently reduce the decentralisation of the system. This is of course true, but (when you back away from the tribal politics that have recently emerged where your position on one technical issue is used to signal your entire philosophical/political alignment towards cryptocurrency) pointing this out seems pretty pointless if not disingenuous once you realise that there are no incentives, formulas, or processes in the Bitcoin system at all that are aligned toward increasing or maintaining any amount of decentralisation (not that any particular level of decentralisation that would be desirable has been proposed). It's quite the opposite in fact. From mining to data storage, centralisation is persistently economically rewarded by the Bitcoin network. This is well reflected in the fact that Bitcoin is already much more centralised than many would like, as core developer maaku points out here.

Decentralisation is obviously a very important value for many members of the community (myself included), but from the point of view of Bitcoin's current implementation, it does not have any role in dictating the allocation of resources and therefore essentially does not exist. The Bitcoin network is a monetary system that plays by economic rules. It is politically neutral, which also means that there is nothing about it that is fundamentally opposed to the corrupting influence of humans that most of its proponents seek to eliminate. If you really care about decentralisation, then shouldn't you worry about fixing this broader issue instead of scapegoating one particular aspect of the system (the increasing demand for larger blocks) that is not in any way inconsistent with its broader context? You can't enforce a principle like decentralisation with piecemeal, band-aid solutions, because people will always find a way to get around the intended consequences of a system unless they are made explicit.

That raises one of the other fundamental problems with the decentralisation debate: it has not been defined in a useful sense. What is decentralisation, empirically speaking? How do you measure the amount of decentralisation in the Bitcoin network? If you can't measure or objectively define something, then bringing it up in a debate that is fundamentally about technology is simply signalling ideological affiliation, not proposing a solution. If decentralisation advocates want to incorporate the issue into Bitcoin policy making, then they must come up with a method to measure the results of those policies. Simple metrics like how many full nodes are running aren't the answer (and don't capture the full picture, as we know from the large number of Chinese nodes that benefit from the smaller block sizes and yet simply by being run on hardware in China are basically under the de facto control of the Chinese government) since it is trivial for one entity to masquerade as many full nodes. Any proper measurement of decentralisation must account for and work around such Sybil attacks. This is part of the problem that Bitcoin was designed to solve in the first place so it won't be easy. Authentically measuring the "independence" of any given node/miner might be impossible, requiring the formulation or discovery of a clever proxy measurement (like proof of blockchain fair sharing to give an example of that kind of thinking) that correlates strongly with overall decentralisation by its very nature.

Then once you've established how to measure decentralisation, you will have to change Bitcoin's core formulas to incentivise its increase. Instead of "proof of work", you might have a "proof of independent work" value that incorporates some degree of weighted incentives for independent mining. If you were going to incentivise running full nodes as has been proposed, then you would want to reward independent nodes more heavily than a large number of nodes run by one entity. Yet you would also have to make sure that you aren't sacrificing overall mining security or the speed of the network in pursuit of these goals. Of course all of this in itself would be a dramatic change to Bitcoin that could very well be just as controversial and opposed as XT.

My main point is that there seems to be a fundamental conflict underlying the block size issue that is not being addressed. A large portion of the Bitcoin community is strongly in favor of decentralisation, but nothing about the basics of Bitcoin's design encourages it. Its P2P topology certainly allows for it, but ultimately does nothing to counter the economy of scale that does not favor it. I certainly don't have the solution to this very complicated problem, but I don't think that anybody benefits from ignoring the issue. As it stands, Bitcoin will inevitably continue to centralise simply as a result of basic economic laws. If decentralisation in Bitcoin is truly a desired goal, then it must be explicitly baked into the system or it won't happen. If decentralisation advocates are serious, then it's time to start addressing that fact. Block size is only one small part of the picture.

As far as raising the block size limit goes, the only other argument that I can see against it other than the decentralisation aspect is the fear that blocks that are too large might literally break the network and make it impossible to process transactions. But obviously nobody is just going to allow Bitcoin to stay broken. The whole issue would be fixed relatively quickly just as all other network-breaking bugs have been. It would be an inconvenience, but hardly the existential crisis that many see a centralised future for Bitcoin as. So if you really are in favor of decentralisation yet only focus those concerns on block size issues then you are still being myopic. Block size is a red herring.
343  Bitcoin / Bitcoin Discussion / Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper on: March 30, 2015, 10:37:48 PM
I don't believe that proof-of-stake is necessarily appropriate for Bitcoin but I do completely agree with:

Quote
Bitcoin holders are reluctant to debate competitive alternatives to PoW such as PoS and trusted nodes (like Ripple, despite its nearly $1B market cap).

It seems like every new technological innovation being pioneered by other cryptocoins is categorically rejected for implementation in Bitcoin almost immediately. It also seems like most of the people behind Bitcoin are also on the board of dozens of projects designed to replace it. If Bitcoin does end up failing, I think that the failure will be entirely social, a refusal to adapt and innovate. This is something that anybody interested in the project should be worried about.
344  Other / Politics & Society / Re: Cryptostates - Doing for politics what cryptocurrencies have done for economics on: March 30, 2015, 10:26:47 PM
If anybody is still interested in this topic, they should check out Bitlaw at https://www.reddit.com/r/bitlaw which seems to be doing something similar to this.
345  Bitcoin / Development & Technical Discussion / Re: CoinJoin: Bitcoin privacy for the real world on: June 05, 2014, 06:38:50 AM
Incorrect.  People have speculated that potentially an attacker powered by non-public mathematical breakthroughs could select parameters in a way to make a system weaker against publicly-unknown attacks which require specific improbable curve characteristics. This is pure conjecture, however— though it's something prudent to be cautious about, it is not a known backdoor vector by itself. The process for selecting curve parameters already excludes known classes of bad curves, if we knew about any other classes we'd exclude those too.  In the case of Bitcoin our parameters were selected in a way where performance considerations removed their degrees of freedom (like the ed25519 parameters were selected), and are all explicable from first principles. In fact, they have an additional property that even if you drop some of the performance characteristics, and increment from the smallest possible parameter requirement the first curve of prime order you find is the one Bitcoin uses. Other cryptosystems also use nothing up my sleeve numbers, where an abundance of caution demands the designers pick them in a way that limit their degrees of freedom but at the same time no one knows of a way where control could be used secretly to do something bad— it's just a good practice, not a backdoor closed.

In the case of the GGPR'12 based SNARKs there is no comparable way to generate the parameters: The creation of the prover/verification keys requires computation using secret values, which— if known— completely compromise the soundness of the proofs. Here the backdoor is very concrete— not theoretical— when you know just a couple of the secrets you can do a few multiplies and have a false proof. Worse, there is no known way to use a nothing up my sleeve number to pick the parameters to convince people that no one could know the secrets. The best you can do is use process, like the CA system does (but potentially way better) to convince people of security.  This isn't insurmountable for _many_ applications, but it is not at all comparable to EC curve parameters, there is nothing in curve parameter selection that looks like a magic number where if the attacker knows it all is lost. As far as I know there is nothing like this in widespread use, the nearest parallel I can think of is the backdoor in DUAL_EC DRBG, though in that case the backdoor was a "surprise" and no process to prove that the potential backdoor wasn't weaponized (because it was)— which certainly makes it more concerning. There are a fair number of proposed _theoretical_ cryptosystems which have similar assumptions (e.g. Any of the neat uses of obfuscation involve the obfuscation being established by a trusted party), but I'm not aware of these systems being put into production. One reason for this may be because theoreticians find trusted initialization to be more acceptable than practitioners do— the theoreticians just posit "A spherically honest cow in random-oracle derived motion faithfully creates the parameters", the practitioners are the ones that have to figure out how to approximate the spherical cow using three chickens, a reed-solomon code, and a priest.

Thank you for correcting my misleading statement. There definitely are significant trust differences between the two processes. Your explanation will come in handy as more discussions about Zerocash surface.

Quote from: gmaxwell
I don't think there was anything hostile there, I've spent time with the developers of it and I think they're great guys, ... and I don't know any other developers who have been hostile about it either, so I'd really like to know what you're talking about.

I don't think that you in particular are hostile to anonymity nor am I suggesting that any of the Bitcoin developers have personal issues with any of the Zerocash developers. But I also know that there are many agendas at play in the Bitcoin world and not all of them include the type of anonymity that Zerocash provides.

I still think that there will have to be a public conversation about Zerocash, particularly after its developers have revealed how they plan on instilling confidence in their parameters, but I will save it for another thread.
346  Bitcoin / Development & Technical Discussion / Re: CoinJoin: Bitcoin privacy for the real world on: May 31, 2014, 10:35:02 PM
In very short summary: Zerocash is not and never has been considered for inclusion on the bitcoin block chain

Considering the billions of dollars of other people's money that's at stake here, that seems like something that needs a public discussion and not a decree by fiat.

Quote from: maaku
When the author references bitcoin he means the bitcoin protocol generally.

Here's a direct quote from page 10 of the paper: "Zerocash can be integrated into Bitcoin or forks of it (commonly referred to as "altcoins"); we later describe how this is done."

Quote from: genjx
(I'm just projecting here don't know full details) It seems like their plan is to build a layer on top of Bitcoin like how MasterCoin works. And that the ZC ledger tracks the Bitcoin one so you can convert to and from the ZC system. That's really exciting if so.

I think that's being considered but I'm not sure if it's their final plan. It seems to me that, given some BTC developers' hostility toward their technology, they'd have an incentive to strike out on their own. As far as I know the infrastructure for Bitcoin sidechains is not yet in place so they can't go that route.

Quote from: dewdeded
AFAIK ZeroCash needs a trusted accumulator. So it's just a science prototype and won't become a cryptocurrency, no one will use a cryptocurrency where:

- if an NSA agent contributed to the "trusted setup" there will be no privacy
or
- if a Mark Karpeles guy contributed to the "trusted setup" he can generate/create more coins than announced (as his crime would be invisible in the block chain)

Why use technologies based on trust, when we have trustless ones. Satoshi created Bitcoin specifically with the idea/key feature of not depending on trusting a third party.

Zerocash needs a "one time trusted setup of public parameters". It's not unique in that sense. Many cryptography systems can be broken if certain constants are chosen in a particular way. Bitcoin itself could potentially be broken if its curve parameters were backdoored in some way (see https://bitcointalk.org/index.php?topic=151120.0). I don't know exactly what the Zerocash team's plan to instill confidence in their public parameters is but it seems like a surmountable complaint.
347  Bitcoin / Development & Technical Discussion / Re: CoinJoin: Bitcoin privacy for the real world on: May 31, 2014, 01:11:31 PM
The promised update to the original Zerocoin/Zerocash paper (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) has been released and it claims to reduce the size of a Zerocash transaction to under 1 kB and the time to verify a coin's spending transaction to under 6 ms. I have not fully read the paper yet, but am wondering if anyone has investigated these claims and whether or not these improvements would fully remove the barriers that previously prevented the protocol's integration into Bitcoin?

I am posting this here since I assume that there is a reasonable degree of overlap between those interested in Zerocash and those interested in CoinJoin. I apologize if this has already been addressed but I have been away for a while and am trying to catch up. I know that Peter Todd is advising the Zerocash team so I'm sure he has some valuable insight.

It sounds exciting from what I've heard, but it probably won't go into Bitcoin directly. We need to keep Bitcoin's consensus pure and untouched. We don't nearly know enough.

I find this response a bit confusing. In what way would Zerocash affect Bitcoin's consensus, assuming a one-to-one conversion rate? As for not knowing nearly enough, the whitepaper is pretty detailed and still seems to make provisions for including the protocol directly into Bitcoin. I don't mean to be argumentative, but I consider truly anonymous payments to be a "killer feature" that could very negatively affect Bitcoin's value if it lags behind. Of course there's no rush but it would seem prudent to me to start collecting a bounty.
348  Bitcoin / Development & Technical Discussion / Re: CoinJoin: Bitcoin privacy for the real world on: May 30, 2014, 12:57:39 PM
The promised update to the original Zerocoin/Zerocash paper (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) has been released and it claims to reduce the size of a Zerocash transaction to under 1 kB and the time to verify a coin's spending transaction to under 6 ms. I have not fully read the paper yet, but am wondering if anyone has investigated these claims and whether or not these improvements would fully remove the barriers that previously prevented the protocol's integration into Bitcoin?

I am posting this here since I assume that there is a reasonable degree of overlap between those interested in Zerocash and those interested in CoinJoin. I apologize if this has already been addressed but I have been away for a while and am trying to catch up. I know that Peter Todd is advising the Zerocash team so I'm sure he has some valuable insight.
349  Bitcoin / Development & Technical Discussion / Re: Gox stash recoverable by wallet update? on: February 28, 2014, 10:52:40 PM
Apparently the consensus amongst rumour posters is that the FBI seized the coins on Feb. 7th, so the case is not about lost keys, but theft. Therefore my question is no longer relevant.

Personally I think that forcible coin seizures are an issue that Bitcoin or some cryptocurrency will have to address eventually but it probably won't find much support here yet. It just seems kind of contradictory to have a decentralized, libertarian, etc. currency that can be easily taken over by Uncle Sam pointing a gun at a few of the largest holders.
350  Alternate cryptocurrencies / Altcoin Discussion / Re: Cryptocurrency "The Alt-ernative" Beginners Reference Book on: February 24, 2014, 11:10:12 PM
This is the preliminary section to Zetacoin:







So basically this book is a compendium of worthless trivia that I could easily find here for free, devoid of any humor or insightful commentary? I at least hope you get an editor.
351  Alternate cryptocurrencies / Altcoin Discussion / Re: Altcoin with a free minimum income for everyone on: February 24, 2014, 05:04:10 PM
The gist of crypto currency is to remain anonymous. Tying coins or accounts to people's name and addresses? I don't see this going far sorry.

You don't have the exclusive right to determine the gist of a technology.

That is like saying the Internet was invented only for a specific purpose, just so that college students and hackers can have access to confidential information. You are saying that everyone else must conform to the wishes and needs of others. Cryptocurrency is about far more than just anonymity, and you're missing out on the truly disruptive aspects.

Once a technology is invented then it becomes a tool which anyone can make use of. The option will exist for people who want to form or join a community. To have a community you must have an identity and while you can be pseudo-anonymous you must prove  that you are in fact a human individual if you expect to be able to vote and have citizenship.

Anonymity and citizenship don't mesh well together. While you can have a virtual community you still need to register to vote. You still need a reputation which must be reviewed. For the purpose of basic income you must join the community and if the community is willing to give you the dividend anonymously that is their option but I doubt most communities will do that.

It's also human nature to form communities. So it is both an economic necessity and human nature that people join groups of like minded people.

If you want a completely anonymous cryptocurrency there will be plenty of coins for that. If you want a basic income dividend, join a decentralized autonomous community. If you're given citizenship then you will have dividend paying shares which will provide you a basic income for life provided that your citizenship isn't revoked.

And of course there will be some communities which will be more open than others and which will accept anybody. This model is better than charity because it does not ask anyone to make donations. It's better than taxing people to pay for it because no one has to lose anything for other people to gain something.

It works by giving everyone in the community a share in the capital assets the community holds. It's like a virtual sovereign wealth fund. As a member you get a stream of dividends to your addresses but you cannot join without being background checked because if the community does not filter it could be overrun by criminals, or just infiltrated and destroyed by black flag.






You could easily have this and anonymity still with stuff like zero-knowledge proofs of whatever, CoinJoin, or Zerocoin. The real question is still how you verify individuals in a decentralized manner.
352  Other / Politics & Society / Re: Cryptostates - Doing for politics what cryptocurrencies have done for economics on: February 24, 2014, 04:27:03 PM
These are some good ideas and my thread complements this one.
https://bitcointalk.org/index.php?topic=483866.msg5326024#msg5326024

The problem with most states as we know them is that they aren't very good at certain things. For example providing social programs or basic income is something the traditional states suck at. A cryptostate or decentralized autonomous community would be better at this because there would not be a need to have a debate in congress, there would not be a need to overcome political barriers, it's just a matter of writing the code and then people who agree with having a basic income exist would use the cryptocurrency and join the community which enables it.



This is an important point. The economy as a whole, beyond even just currencies, is in a time of transition and traditional states with their hegemonic ties to the existing paradigm aren't going to help us through it. Alternative institutions are needed.
353  Alternate cryptocurrencies / Altcoin Discussion / Re: Altcoin with a free minimum income for everyone on: February 23, 2014, 11:56:29 PM
Hi,

I am very interested in your ideas, I wrote something related, Reset-coin:

https://bitcointalk.org/index.php?topic=427306.0

the approach is different, but the aim is the same, how to guarantee a minimum wealth to every human being and equal starting conditions to everybody. And even how to correct too big differences between rich and poor in the future. The idea of a reset function, could look too radical, but it is just a starting point of discussion.

Like you said, the key point is some kind of "proof-of-human-work", I have some ideas about that I hope to write on a next Update on Reset-coin post.

Hope to know your feedback.

Choose or be chosen. Every human being should have the option to choose to join a virtual community, or a virtual sovereign nation. The model to use would be micro nations where you must register to receive citizenship and then you can get the dividend.

Another model to use are communities which do the choosing. In that case they would background check you to make sure you are an honest person and if you pass the checks you can join the community. This would keep scammers and bad actors out of certain communities as some more exclusive communities will not want to support them.

A citizen of a virtual community would have voting rights and there would be a distributed Constitution of some sort which everyone in the community has found some way to agree upon. This way you would be able to join a community of like minded people and receive your basic income dividend from your community, your micro nation, your virtual sovereign entity. No one would force their values on you because you'd join the community of people who share your values.





It sounds like you've discovered the concept of a cryptostate. There's a link to a thread about it in my signature if you'd like to discuss the concept more thoroughly.
354  Alternate cryptocurrencies / Announcements (Altcoins) / Re: **[ANN]**[NEW]*** ***Coin2(C2) - the forward thinking altcoin with a plan. on: February 23, 2014, 11:54:12 PM
Is anybody keeping track of all of these shitcoins? Can we have a flashing banner for the person to create the 1000th shitcoin?
355  Bitcoin / Bitcoin Discussion / Re: What to call 0.001 BTC? (5 BTC Bounty) on: February 23, 2014, 11:51:04 PM
What the hell with all these nerdy names? Grin Normal plz we need speaking-friendly names Grin

How about

1 Bitcoin = 1,000 SilverBit = 1,000,000 CopperBit = 100,000,000 Sato-Bit
You sure worked hard to dig this thread up didn't you?
Especially as they already have established names, note this thread was created 3 years ago.
Go spam somewhere else to get your post count up, like, active posts?

The last post before his is from December of 2013 and there really aren't any catchy names for these values that are established. Pipe down.
356  Alternate cryptocurrencies / Altcoin Discussion / Re: Zerocoin, the bitcoin killer? Time will tell but I say yes on: February 23, 2014, 11:49:14 PM
Zerocoin's "business model" is inherently flawed. It involves complex cryptography with anonymity implications so it has to be open source to be trusted, but if it is open source then it can be easily copied by Bitcoin. The only point to releasing it as its own currency is for a nice pump and dump.

They could just release the source under a strict license that prohibits its use anywhere else.

Then the protocol would simply be reimplemented. It wouldn't be as trivially easy, but a community with billions of dollars could easily get it done.
357  Bitcoin / Bitcoin Discussion / Re: A Small Idea : a digital currency unit on: February 23, 2014, 11:45:39 PM
This is a good idea and inevitable if you ask me. The only question is how to keep the unit price stable.
358  Alternate cryptocurrencies / Altcoin Discussion / Re: Zerocoin, the bitcoin killer? Time will tell but I say yes on: February 23, 2014, 04:33:04 PM
Anoncoin is adding the zerocoin protocol. http://www.reddit.com/r/Anoncoin/comments/1x71aj/zerocoin_update/

Keep in mind zerocoin is more of a protocol than a currency. We don't know if or when the researchers might actually release a coin into the wild. It looks to me like they'd just release a set of technical specs. So if Anoncoin can pull it off, Anoncoin basically will be zerocoin.

The Zerocoin devs have already committed to releasing a currency. The next version of the Zerocoin paper will be presented in May at which point we can expect to see more info.
359  Bitcoin / Bitcoin Discussion / Re: What to call 0.001 BTC? (5 BTC Bounty) on: February 23, 2014, 04:10:10 PM
Nobody wants to call it a "gavin"?
360  Alternate cryptocurrencies / Altcoin Discussion / Re: Cryptocurrency "The Alt-ernative" Beginners Reference Book on: February 23, 2014, 04:06:45 PM
There are not anywhere close to 49 coins on that list that deserve a mention, much less 2 pages.