It's really hard to measure stale block rates right now.

Fibre and compact blocks have made propagation tremendously in the network, so now when a block is stale it's usually stale at the first or first couple hops.

As a result, the stale block doesn't propagate well (because it just makes it through zero to a few nodes before intersecting the wavefront of the earlier block).

You can think of it like this: stale blocks come from latency, latency arises from the mining process (miner devices, pool servers), from bitcoind, and from the network.  Advances in block propagation have really zeroed out the latter two classes. But mining process latency hasn't decreased (and in some places it likely has increased as miners have fewer stales to worry about), but the faster propagation means that your node will learn about all stales (including ones due to mining process delays) at a much lower rate.

If you want an even remotely useful figure you need to get the output from getchaintips rpc from a bunch of nodes spread all over the world.

Last time I collected stats I got data from a dozen nodes and I was still learning about more new stale blocks from the dozenth.

Really, there should be a P2P message added that allows nodes to announce the headers which are extremely close to the current tip for network monitoring purposes and which doesn't imply block availability like ordinary announcement does. ... but there isn't much activity in improving the Bitcoin protocol anymore, and improving stale monitoring would be one of the lowest priorities for that sort of work.

All six points related through negation and endomorphism share the same value for x^3. (see your forum messages from me, from a few months back)

Some are certainly lost, but there is no particular reason to think that all or even most of them are lost.

Wallets try to minimize change, generally, and a big 50 BTC output is going to result in a lot of change unless you're moving nearly 50 BTC... so some of these coins could even be in actively used wallets and still sit unmoved.

Recently someone posted a signmessage from 145 of the keys that would have been in your list.

I don't agree that it is, many were clearly not.  Bitcoin was public from the first mined block and we do know that quite a few other named people participated from pretty much the beginning.

Stop lying. What "keys"? there are no fucking keys. Unless you mean the alert key-- which many other people, including Theymos and myself had.

Mike's claim was that Satoshi told him that he was moving on ... on Apr 23, 2011.

Another lie. Gavin's first public announcement was on (or before) April 20th, presumably he wrote to Satoshi days prior to that, before accepting:


2011-04-20 23:06:11 <gavinandresen> Oh, "they" are already paying attention.  I committed a couple of days ago to give a presentation down in DC to some of "them"
...
2011-04-20 23:07:52 <gavinandresen> (at CIA headquarters... no, I'm not making that up)


So, if we believe Mike Hearn, we find that Satoshi said that he was moving on immediately after Gavin contacted Satoshi to tell him about the CIA thing.

("If" because we know people have distorted private records when they've published them. And it's not like Mike's ethics are in good standing, e.g. giving vague support to wright by saying that wright is interesting and otherwise 'no comment').

According to Gavin, Satoshi's last message to Gavin was:


Which I think speaks for itself. Pretty unfortunate that Gavin didn't follow Satoshi's advice.

Perhaps it was coincidence-- likely even, but back when Gavin wasn't trying to fraudulently convince people that he was Satoshi's appointed successor he, himself, didn't have any problem speculating his decision to meet with the CIA might have triggered Satoshi to bow out.

Tying the subject back in-- perhaps part of the reason Gavin went along with Wright's claims is the same reason Wright goes along with various crazy things: it was consistent with the bullshit that they'd been slinging for a while previously. I mean, sure, ultimately idioicy underlies all of it-- but "they were stupid" is just too universal of an answer to be satisfying on its own.

Because he's an idiot.

There is an old video where Gavin speculates that Satoshi left because Gavin spoke with the CIA because Satoshi stopped responding to him when he wrote and said he would be meeting with them.

Oh jesus christ.  Anyone can sue anyone at any time for any reason.  Their bullshit lawsuits will get dismissed, of course, after some cost and expense.

Wright's ability to sue is not improved an ounce by claiming to be Satoshi:  In fact, if he claims the basis for his lawsuits arise from being Satoshi, he would undermine them and make them much easier to dismiss because the claims would not be timely, because satoshi applied for no patents etc.

No court is going to judge that, it's not even a matter on the table in the Kleiman v/ Wright case.

But even if that somehow happened it would have no effect on patents.  EVEN SATOSHI CANNOT FILE (valid) PATENTS ON BITCOIN NOW. Everyone is blocked from filing patents on Bitcoin itself now because bitcoin was made available to the public.

No, again, he cannot: Even Satoshi himself could not do that because he has abandoned the mark.


No, he cannot, except in so far that anyone can file a frivolous lawsuit. There is nothing he could file against me that wouldn't end up instantly dismissed (and likely end up with him having to pay fees).


Claiming to be Satoshi would not add grace to a patent lawsuit. In fact, if he claims his patent claim is related to his origination of Bitcoin it will guarantee an immediate dismissal.

As I said up-thread, I would totally buy your theory if it weren't for the case that being Satoshi doesn't help a patent claim in court, so fraudulently claiming to be Satoshi woudln't help Wright in court.  Instead, all it will do is help him rip off idiots that think Satoshi has (or could have) patent rights over Bitcoin-- so good job helping wright scam people.

This is the same for almost every person here including nutildah. The only exceptions are CSW shills like hv_, and microguy-- I've tagged most with negative trust so you can see them on my ratings.

To the point that wright even paid someone to create an idiotic report to try to debunk stuff we've said.

So congrats for not being wrong about something for once.





Again:  No patent right to Bitcoin (or segwit, for that matter) could exist now regardless of who created it because none were applied for by the deadline. Similarly, no copyright of interest can exists because Bitcoin was published under an MIT license. No other kind of IP would be applicable so no IP can exist.

You cannot publish something and then ten years later patent it.  In most of the world you must apply for the patent before making your work available to the public, in the US the inventor has a one year grace period after their own publication.

You're just confusing yourself by making up weird stories and swapping around people and whatnot.  Forget about all that shit.

If Satoshi were to turn super evil and return and everyone agreed it was actually Satoshi... what "IP rights" thing could he do in relation to Bitcoin?  Absolutely fucking nothing. He could suck an egg, but he wouldn't have any relevant rights over Bitcoin.  And so no matter how successful Fraudtoshi was as convincing people that he was Satoshi or the plaintiff in the case against him was... none of them would gain anything in terms of "IP rights" to Bitcoin because there is absolutely nothing to be gained.

A conman can't gain more rights than Satoshi has by pretending to be Satoshi.
 
Basically you are arguing that Satoshi owns the bitcoin system in some legal sense, this is a nonsense claim that has nothing to do with fraudtoshi. If it were true it would make bitcoin worthless and pointless, but -- fortunately-- there isn't an ounce of truth to it.

Sure!

You rewrite   k*P as  k1*P + k2*lambda*P  --  lambda*P is trivial to compute, since its {beta * P.x, P.y} and k1 and k2 are 128-bit numbers instead of 256. Then this sum of products can be computed efficiently using Strauss' algorithm (also called Shamir Trick) or similar.

Here is an implementation that splits k into k1 and k2 for secp256k1: https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar_impl.h#L268  with a couple scalar operations.

The endomorphism optimization in libsecp256k1 is (currently) disabled by default (and can be enabled via a configure option) because it's potentially covered by a patent that expires pretty soon. (I think history suggests that the patent is actually invalid, but the benefit isn't great enough to worry about it).

The implementation in libsecp256k1 is a little more complicated than described above due to some common and some novel optimizations in its version of Strauss' algorithm.  It uses WNAF so it pre-computes a small table of P times odd numbers using an efficient addition ladder. It then performs all the additions over an alternative isomorphic curve so that it's able to treat the precomputed P multiplies as affine points without needing an inverse to reproject them.  As a result the application of beta is done on demand late in the algorithm rather than needing to compute two tables.

What it seems like you're missing is that Wright himself claimed many many times that he and Dave partnered to create bitcoin.  He did this because he knows he is obviously technically incompetent and knew that few people would ever be convinced he created bitcoin on his own. By virtually defiling the corpse of his dead acquaintance he hoped to add a little credibility to his scam.

So a parallel case would be if Doomad claimed he and Pieter created segwit and that Doomad (claimed he) collected a billion dollar payment for this work, and then Pieter turned around and sued doomad for his share of the claimed (and non-existing) billion. If doomad didn't admit he was lying about the partnership and the money, he might well lose such a case.  But the only consequence is that he'd be ordered to pay Pieter.  It wouldn't let him go on and cause trouble for anyone else.


Except no such patent rights can exist. Lets imagine (lol) that Wright actually did create Bitcoin.  When he published it to the world his own publication created prior-art which is an absolute bar against patentability.  Once a year passed after Bitcoin's release no person in the world, not even Satoshi, could make a valid patent filing about it.  If someone tried to litigate over something like that it would be so outrageously false that their attornies might face misconduct charges over it.

If the patent system worked like little kids playing "dibbs" then I'd see where your argument came from.  But it doesn't.  You can't go file valid patents on long ago published things, even if you were the inventor of those things.  (and getting sued by someone who might well be a compatriot would never be taken as evidence that you were the inventor of something in someone elses case, regardless)

[Source: My partner is a @$@ patent attorney]

It is really clear that Wright intends to attempt patent trolling-- or at least intends to convince his victim-investors that he intends to engage in patent trolling, for sure. But most of that appears to be based on a complete and total misunderstanding of the patent system.  He also seems to think that he can sue random people and somehow get Satoshi's bitcoin's turned over to him-- or again, intends to convince his victims of this--, but that isn't how the courts or Bitcoin works.  It might be the case that the plaintiff also labours under these or related stupidities, but it seems unlikely to me and it doesn't matter if they do because that just isn't how things work.

That isn't what anyone is saying.

Courts do not award specific performance, they award cash damages. (Though parties can agree to accept specific performance in lieu of cash damages).

When wright loses his case because he himself claimed a partnership existed and then submitted mountains of provably forged documents, the court will order him to pay damaged based on the courts findings (which are ultimately based on wright's own claims).  It doesn't matter than the Bitcoin wright claims to own doesn't exist.

In the likely case Wright loses the plaintiff get awarded a judgement on the order of 15-25 billion dollars (highest value of the stolen assets times three, which is a usual penalty for theft accompanied by fraud).  Wright won't be able to pay it, obviously, but with that judgement in hand the plaintiff will be able to go and attempt seize whatever assets wright does own as well as garnish his income.  Presumably the plaintiff did the math and believes that they'll be able to extract enough to pay for their legal costs.  Just a couple million dollars would be enough to make it worthwhile, based on what nchain is paying wright (500k GBP/yr or something like that, per discovery) this doesn't sound like a totally insane plan.

I think it is unlikely that the plaintiff will lose at this point:  When you destroy or fake evidence in a civil trial that evidence is presumed to be prejudicial to your interest (otherwise, why would you have faked it)-- and Wright has dug himself in really deep now with forgeries and evasion.

This thread seems silly to me.  Some underspecified and inept way of attacking it requires 2^whatever work? Who cares.  Secp256k1 has 2^infinity security against attack by green tree slugs because green tree slugs cannot do math.

The amusing thing here is that the plaintiff (and the court!) are allowed to take the defendant's word for it when they want to.

If I go announcing from the rooftops that you and I had a partnership that earned 20 billion dollars which I have in my possession, even though it's all a total lie you can go to court and sue me for your half of the 20 billion and likely win.

Unless I recant my claims I'm going to be screwed: Because there never was a partnership I won't be able to prove that its terms didn't entitle you to an equal share, nor will I be able to demonstrate that I paid you out-- or any of the other facts that would otherwise move things from the default assumption that half of the proceeds from our partnership were yours.  In fact, if I try to prove those things, I'll just make myself look more and more dishonest as you continue to show those proofs were forgeries. -- and that is exactly what has happened in Wright's case.

So even though that 20bn doesn't exist it would be utterly unsurprising that the court would go ahead and award you 10bn plus damages.   Now, you can't collect that 10bn  (because it doesn't exist) but you can go ahead and collect from me whatever I do have-- by getting court orders to seizes assets or garnish wages.

The courts are an adversarial system. The court itself isn't trying to get at the truth, it's just arbitrating legal combat between the parties.  In the US (and generally, common law) tradition you're totally free to screw yourself over, if you so choose.  If someone wants to tell a dumb lie and stick to it, the court is happy to let them suffer the consequences.

Wright could have avoided all this by simply responding to the lawsuit by admitting that he was committing fraud on the ATO and his investors, that he and Dave's "partnership" was limited to some failed government bids, and that they didn't mine any Bitcoin much less create the Bitcoin system.  ... but if he did that he'd expose himself to criminal prosecution, destroy any potential for future income, and potentially even get himself assassinated by one of his shady victims.  With that trade-off its not hard to see why he'd choose to roll the dice and risk a likely civil judgement of tens of billions.

Indeed. The problem is that franky himself is just barely quick enough to avoid falling for it, so he can't comprehend that the people he's arguing with-- whom he has zero respect for-- had a much easier time seeing through that fraud.

You are mistaken because your focus has been on things like DL breaking which is a very weird and contrived usage.

The existence of the endomorphism is a roughly 20% speedup in a plain multi-exp due to halving the number of doublings. What it does is gives many algorithms which could be batched across multiple point the efficiency they'd have at twice the number of pubkeys.  It's a pretty big speedup and AFAIK at an equivalent level of optimization it makes secp256k1 the fastest to verify of any widely deployed curve. So the motivation there is pretty clear, I think.

I don't believe that is currently the case, -- that's a rather tall claim and begs for concrete justification. Got a cite?

b=5 wouldn't have been used because the resulting group isn't prime ordered.

a=0 is necessary to get the endomorphism (also leads to slightly faster group law).

FWIW,  Bitmain S9 (and presumably later devices) has the controller upload the coinbase transaction and the log2(txn)  left-side-of-the-tree hashes to the FPGA so the fpga can roll the extra-nonce on its own.

It's unclear to me exactly how much of the motivation there was just being able to use lots of hash boards on a really slow control processor vs because it was required for the fpga to do covert asicboost... but regardless, thats how that works.

It's also kind of a bummer because it makes it much more likely some change in bitcoin behaviour will break a ton of miners.

Franky1, you keep going on about Ira's position is playing along with wright's con.  ... What you are missing is that everyone already knows that and doesn't care.

Wright says that "My buddy and I made bitcoin and mined 800k coins!". Ira says "oh, okay then, so hand over our share".  And then wright is fucked because he could easily escape but only by admitting his con.

Ignoring the tastelessness of wright's continual necrophilia (his fixation on roping unwilling dead people into his con), this seems completely apt to me.

The kleiman estate is entitled to take Wright's word where it benefits them to do.  I doubt they actually believe Wright's story, though they might believe that wright owed dave for other reasons.  But this is the cost of telling outrageous lies: you might be held to them and their consequences.

They've done a *tremendous* public service unearthing, exposing, and debunking wright's fraud.

True, it would be better for the public if they were invested in exposing Wright completely... but if wishes were horses then beggars would ride.

There is more direct litigation but because it's happening in the UK there isn't the same tradition of public access.  I've heard that it's benefited a ton from the documents and research made available in the kleiman v wright case.

It's much safer to go from target to difficult than from difficulty to target. There have been some hilarious broken ass miners that withholding attacked themselves by computing the target from difficulty.

Performance and memory usage are both security critical in consensus systems.  It's difficult (impossible?) to write Haskell which is all three performant, predictable in its memory usage, and idiomatic-- at least for some sufficiently strict requirements in performance and memory usage.

Rust is a lot like C++.  In theory, it's easier to write rust code that lacks particular classes of bugs than in C++.  However, no one using C++ uses the entire language and the various subsets people use also largely avoid various kinds of bugs. Not as rigorously as rust, particularly because its hard to verify you're using the subset of C++ you're intending to use.

In Bitcoin we've found that the kind of bugs that rust guarantees the absence of have been uncommon.

I've personally found that the rust code I've encountered online has often been low quality to extremely low quality-- often throwing panics on the slightest unexpected input or usage, or suffering from incorrect results due to integer wraparound (which in theory debug mode would catch, but it runs so slow as to be completely unusable on many codebases).  I'm unsure if this is a property of the language itself (e.g. does the syntax lead to greater faults), user's expectations of the language (sloppy work because they expect things to be 'safe'), or the user/application (e.g. are people that redo stuff "but in rust" less experienced programmers?).

Given that experience I would not place a bet right now that rust currently lowers the rate of serious defects in large programs developed by experienced teams compared to C++ with modern practices. However, if I had to use software written by inexperienced developers I suppose I would probably prefer they use rust to C++...

The rust ecosystem is also immature and unstable-- it's not uncommon that any random code you get requires some bleeding edge new compiler. Rust also largely imitates the extremely security-toxic software distribution model of ruby and javascript-- it's common for a rust package to have a dependency graph of hundreds of assorted packages, any of which could backdoor your system. It's possible to use rust without using the packaging ecosystem, but doing so is more of a challenge.

Rust and C++ also have no good facilities for formally reasoning about the behaviour of programs (beyond things like the borrow checker in rust).  But C++ is a superset of C and there are tools to rigorously prove things the properties of C code, which means you can write components of C++ programs in C and formally prove things about them.  You could do the same with rust+c but C++ and C share a lot more syntax and behaviour.

In the world of open source Rust and Haskell both have an additional limitation that the community of developers and reviewers for these languages is smaller than that of C++.

Not so: People have falsely claimed there were on a number of occasions but to the best of my knowledge that has always just been bamboozled media people talking about simple URLs to long dead hidden services, not "illegal images" themselves.  Also, data buried in an effectively inaccessible location that requires special tools and knowledge to access isn't the same as a file serving service practically or legally.

Doing so would be somewhere between entirely pointless and professional misconduct.

Ultimately the Bitcoin system doesn't exist to shove your data retention costs onto others-- Piling every proof-of-work quorum system in the world into one dataset doesn't scale. Existing nodes don't provide random access to the blockchain and if anything you should expect them to provide less in the future rather than more.


When you originally created this thread "I don't give a flying fuck" was about what I thought of your proposal. Yet I kept my response matter of fact.  Too bad you didn't extend similar courtesy to other participants here. You were even warned that what you were asking for wasn't going to get a loving response, so it seems silly to be offended by the predictable outcome...


As you wish.

I expect you'll find that a large portion of the community will be fairly hostile to your proposal due to the externalities generated by that sort of misuse of the system.

Transaction fees will also make it astronomically expensive, so no one is likely to want to use it in any case, even if you were to create it. To the extent that Bitcoin provides something at all of value for 'data' that isn't available much cheaper elsewhere, it would be timestamping-- which is accomplished by opentimestamps at essentially no cost to the Bitcoin system. So I think your assumption that people will anyways is not true as is demonstrated by current practices.

Separately, Bitcoin software generally goes out of its way to avoid extracting arbitrary data from the chain because it can be a vector for malware, code injection, and social engineering attacks.

Reject messages were never a 'stable interface' and couldn't really be-- the issue is that which reason for rejecting you provide depends critically on the exact construction of the software.  So random, seemingly unrelated changes could stir them around.


Say, for example that you send a transaction that was already confirmed a few blocks ago.   Is that a inputs-already-spent rejection, or is that an inputs-don't-exist rejection?   The former is only even possible to return if you have a pretty expensive index of every confirmed transaction-- something that isn't required for consensus operation but which Bitcoin originally had.

Essentially rejections make for a bad interface because they inherently expose otherwise irrelevant internals.  They also result in privacy leaks, dos attacks, etc...  and searching showed zero (I believe absolutely zero, but it might have been just nearly zero) usage outside of test harnesses / debugging output.

The protocol didn't need to be bumped because there never was any guarantee that reject messages would be generated, and unknown messages are just ignored in the protocol. I'm pretty sure the protocol version wasn't bumped for their introduction either-- at least a bump is not mentioned in the BIP.


Good protocol design:

1. Be strict in what you accept. Otherwise it becomes impossible to change anything without accidentally breaking compatibility with broken inputs.
2. Liberal in the kinds of things you send, within the strict allowance of the spec so that all corner cases get tested.
3. Silence is golden. Information you don't send usually can't cause interop problems or compromise the user's privacy.