Seems overly complicated considering that little that existing implementations due today to deal with weird cases. I'd be more interested if there were any evidence of implementations making .. well. really.. almost any effort to handle exceptional cases like this usefully.  (Bitcoin-qt does something more than nothing but only very slightly more than nothing; and I've seen no evidence so far that it does any good... including cases where services were running bitcoinds on faulty hardware that ended up forked, and still failed to respond at all to it.)

But, at the same time, I do agree that would address the goals there. Just given the environment today, it may not be worth the additional implementation complexity and risks. This may change, I'd certainly like to see better reactions to weird cases.

That isn't how stealth addresses work. (http://sourceforge.net/p/bitcoin/mailman/message/31813471/) The DH nonce is not a txout pubkey.

I don't know about the wisdom of packing changes together, it just increases the ability of someone to take issue with something exponentially (as we've seen here!).

(Incidentally, the making of P2SH mandatory is that it would make utxo handling completely uniform and constant size; and remove a lot of corner case handling in implementations; not that I think that there is much chance of that happening)

Funny that this list is more or less disjoint with the list I'd already made for obvious changes. What,  e.g. no timewarp attack fix?

The value can be under the signature without a single byte being added into the transaction itself.

In any case, some of these things are huge changes with scaling impacts (e.g. UTXO commitments) and have non-obvious competing alternatives (STXO commitments), so I think we're not near at all being able to say what should be done there.

The behaviour in testnet is intentionally insecure. Things like the difficulty reset are intentionally tested in the chan and weren't a surprise when you posted about them previously (go look in the chain, I demonstrated it right before or after the timewarp in the early blocks).

The reality is that it's a little network and it's easy to screw with regardless of what the rules are. The general chaos there is good for testing some things, not others, feel free to use regtest or fork off testnet at some prior point (IIRC I even put a 100k TNBTC  (IIRC) fee in some block for nice testing if you fork from there).

Perhaps but global consensus is inherently slow. There have been many good proposals for faster transactions which don't require a global consensus, and so they can achieve speeds that no global consensus system can achieve.

What you're describing is not a checkpoint then. A checkpoint forces the identity of the selected chain, regardless of it has the most work or not. So that would be the point of departure.

What is the point of the rest of the complexity in what you're discussing then? The "propose", "earmark" milibits? etc. (and no, newly generated coins cannot be spent for 100 blocks). The blockchain itself is already the measurement of its history.  If you're willing to trust the data in the blockchain, you just can no extra information is required. (Though if you're willing to adopt that reduced security model, why are you not going all the way and using SPV (see section 8 of bitcoin.pdf)?  Presumably you're aware that you still need to transfer the data and process it to be able to verify further blocks, right?

[If you're talking about small numbers of blocks like that, what you're proposing would be a considerable reduction in the security model, since the reward for a miner to hop ahead of the network would basically be unbounded, so that the incentives arguments on behaviour are much weaker. Weaker has it's place, but thats what SPV already accomplishes.]

Have you also noticed your consensus split along implementation/architecture boundaries, or do you not have enough users or care to have noticed that?

(/me quietly leaves a draft of https://download.wpsoftware.net/bitcoin/alts.pdf around for people's education).

It isn't. See the discussion about fraud proofs and probabilistic testing. Please also note that the tone you've taken here is irritating and is likely to cause experienced people to ignore your messages in the future if you continue with it.

Thats not correct. If you give a bitcoin node a chain and then someone else gives it a mutually exclusive longer one, your chain will simply be unwound and replaced, so giving it that extra data is harmless, once the honest network is observed its like the node never saw the forgery. When you start talking about "check-pointing" based on that chain the situation changes and you get the attack. (and not just that attack, there are several others, e.g. announcing two competing equally valid forks concurrently and leaving the network in a never-resolving perpetual consensus split).

Every node begins its life partitioned, our security model also allows temporary partitioning. Assuming you will never be partitioned requires resolving the sybil problem in a strong sense at a minimum and isn't generally compatible with the reality of computer networks today (they're just sometimes partitioned).

Uh. You're pointing out precisely why they cannot. An invalid mined block is invalid, no less than if it didn't meet the target.

I can mine 80 blocks in a row at height 100,000 trivially in a few seconds myself (there are many thousand in a row mined by me in testnet, for example). I could also mine 80 blocks in a row forking from the current heights at considerable cost given a few months. A bitcoin node doesn't have an absolute synchronous ordered view of the world, it only learns what it learns from its peers... and it can't tell if a simulated blockchain took 6 months of computation or one day, it can't tell if it was created recently or long in the past.  etc.  If we could tell these things we wouldn't need a blockchain.

Your first post in this thread was advertising that NXT was implementing an unspecified, undescribed, instant transaction system which you have/are patenting.  Your posting history and signature are plugging NXT in many inappropriate places.

That isn't what a patent does. A patent invokes the state to prohibit people from freely communicating and acting on ideas which they invented completely independently of you. It grants you a monopoly ownership over an idea and, in the rare cases where they're actually successful (as mentioned a _majority_ of patents lose claims on review), allows you to extract rent from others who have worked hard to invent and build the infrastructure that your work rests on.

Funny, you're surely not expressing it. Instead you're promoting competing systems which have ripped off ideas from Bitcoin (and broken them), and claim to be working on extensions which you plan to exclusively control for your personal profit.  Foolishly too, since as I've mentioned: we have decades of experience that patents completely suppress the adoption of cryptosystems, even very useful and powerful ones (like Chaum's invention of digital cash).

Why would I have? If you wanted to discuss an idea you would have. Instead you wanted to promote NXT and try to ring up customers for your patent based purely on the promises that it will do something useful. I'm not interested in giving you free review for you to further go and turn a private profit off my back and the backs of others who worked for years (and even decades) inventing the things you just learner about in the last few months... though you should review my very first response to you: "If your idea is actually useful, you should make it available publicly where it can be reviewed and refined and have some chance of adoption and building your professional credibility."

You can't stop me from doing so, any patent application will be made public, My ability to make your patent commercially worthless is not reduced. All keeping what you're doing now secret accomplishes is reducing the risk that someone points out the the ideas are old (thus making it harder for you to engage in the inequitable conduct of hiding the actual prior art), or that they're unsound (stifling your ability to pump NXT or sell the ideas to an unsophisticated buyer).

This isn't true. Please take the time to actually read Andrew's paper on this.  One of the points that you're missing is that "50% of the forging power" is defined _inside_ the chain and is meaningless outside of it, so your security definition is circular. Likewise, any probabilistic process repeated enough times where only one success is required tends to probability one, there is no reasonably retying limit external to the system, so the protection is, again, circular.

No, if you were actually offered to do these things you would have actually helped instead of bragging about vaporware proprietary technology, which you helpfully provided no details on except to promote NXT. Give it up.

I've worked full time for close to 20 years doing good and valuable work on technology that has helped people solve real problems, much of it shared with the public, and none of it abusively encumbering the ideas and work of third parties via patents (rather, I've done a fair amount of patent busting along the way). I'm not asking here for money from anyone because I don't need to, I've made money by doing work and not preventing other people from working, and as a result I don't need any more (though more is always appreciated and put to good uses). I don't begrudge you for wanting to get paid: good work deserves pay, but locking up ideas isn't work, and it doesn't deserve pay-- quite the opposite. Instead, it marks you as a wanna-be-thief in my book who would seek to profits of my own efforts and would use litigation to prevent me from inventing on my own... you could ask people to pay you to work on useful things, but given the approach that you're taking I, for one, would rather pay someone who has better ethics.

If you care to propose something technical, feel free to start a new thread. Otherwise, you're in the wrong subforum. Cheers.

It's an arbitrary big number which is hopefully macroscopic relative to whatever external process you'd hope to rescue the system if it failed, but hopefully still small enough to give a good speedup on the checking.

I only used a specific number because thats an example of the kind of numbers that were banded about before... even given pretty healthy hashrate growth far in excess of computer industry historic trends numbers in that space should still be adequate to keep downloads bandwidth bounded instead of cpu bounded. (Also keep in mind that libsecp256k1 is >6x faster than openssl).

Yes, for many months: http://bitcoin.sipa.be/growth.png

Yep.

Complexity by itself isn't really the engineering constraint (passing a message is no big deal, in any case) the concern would be complexity coupled with risk. If there is something complex but its strongly isolated you can reason about what kind of things can happen if it goes wrong. E.g. fraud proofs can initially run over a separate protocol, communicate to an isolated sandboxed process, and even if they've massively gone wrong the threat is likely limited to a nuisance of making all your transactions show as unconfirmed, rather than splitting the consensus or stealing keys or what have you.  See Matt's relaynode network client (https://github.com/TheBlueMatt/RelayNode) for an example of how to develop and try out protocol features (in that case, relaying blocks more efficiently by taking advantage of transaction pre-forwarding) with reduced risk to the production Bitcoin system.

Transcribe it. Watching an hour long video intended for a general audience is too much to ask given zero information.

You keep making claims that strongly support that you don't know what you're talking about; e.g. the completely brain-dead claim that there is an assumption of majority of participants in the problems with PoS.  Perhaps you do actually understand things, if so, kudos to you. But it certainly doesn't appear to be the case... and it would surprise me genuinely consider that past inquiries to NXT's creators (like come from beyond) for even simple things like "What are your security assumptions?" have resulted in technobabble and even threats.

Considering that fact that you're yabbering on about NXT (in the wrong subforum) and patents without even bothering to disclose the idea it's seeming to me it's just more garbage altcoin hype. I used to be more tolerate of this stuff, but my patience is wearing out after encountering the 1000th person to pull this kind of nonsense.

You realize that you're continuing to demonstrate poor character here, right?  The only purpose not disclosing your grand idea at this point serves is to preserve hype in order to profit from asset speculators or fools who would pay you for an unsound unreviewed idea (when they can get neigh-infinite unsound ideas just going through the forum history).

Feel free to try to justify your abusive behaviour because you feel slighted by me personally if it helps you sleep at night... but everyone else knows that you and only you are responsible for your actions.

I don't believe that money can be or is evil. And getting paid is something that I'd never begrudge people for. What you're attempting to do there, however, is not to get paid for your work: You're attempting to get paid for other people's work (including mine, as a matter of fact), which made whatever you done possible and for which you did not pay a single bitcent. You are also attempting to get paid for the work other people may do in the future completely independently of you.  I consider this to be despicable and many other in our ecosystem will as well.  If you'd like to do useful work you can certainly find people to pay you to do so... if you're willing to actually do work, rather than spin your wheels encumbering the work others have done, I've certainly never complained about being unable to earn a living. (I thought I was clear that donations only amounted to a tiny amount? I've really tried to call for them.)  I worked on Bitcoin prior to having any expectation that it would make any money for me, it's an interesting technology which I believe is important for human freedom in the future (including my own and my families: my community work is not selfless, it's just merely not exploitive either).

Ah, this demonstrates you don't actually understand the issue there at all. Sad. I think it's explained quite clearly, but then again I've been working in this space for many years. It's a bit much to ask people to have a strong understanding of anything new to them in only six months.

Considering your lack of understanding of the basic technology, this tangent is probably uninteresting (that it's unlikely that you've found anything which is new and interesting or even secure in a meaningful sense). I recommend you confine your posts to the NXT thread rather than cropping up here to pump it and irritating others.

I'd demand that you stop pumping and actually post your design-- except since you've announced an intention obtain a monopoly ownership interest in the idea (and, accordingly, any cryptocurrency that used it), I wouldn't want to encourage anyone else in the ecosystem to review it and provide you with even more free labor to exploit for your personal gains.

Pieter and I-- at least-- have been talking about it for a while as part of the motivation for headers first, even prior to the fraud proofs: past some limit (E.g. max(60days work at the highest difficulty ever observed in the best chain, 2016 blocks) ) a huge reorganization at tip is a guaranteed system failure. (Once you cross 100 blocks a reorg starts forever invalidating an exponentially expanding cone of transactions).   For a while this wasn't as interesting because the total time to replace the chain with the tips hashrate was very low, but it's finally expanding nicely: http://bitcoin.sipa.be/powdays-50k.png

Another potential softer safety mechanism is simply holding the confirmation count in the RPC at zero when there has been a 'system failure grade' reorganization to allow time for a "higher process" to sort out the mess. This also needs a couple other pieces to be completely useful, like the ability to manually invalidate a block over the RPC.

First priority was getting headers first in, tested, and mature.

Obviously fraud proofs have been on my mind for a long time, but they have a lot of protocol surface area. The recent reorganizations of Bitcoin core (e.g. libscript work) will make it easier to work on them with confidence, e.g. be able to build an external process that receives and checks fraud proofs.

I've worked on Bitcoin for years without payment, and made no magical "early money" on account of having worked on it (it isn't like working on the software results in it paying you... outside of some scammy premined alts , I think I've probably collected a dozen or so in donations, on account of open source work on Bitcoin), and made a conscious and intentional decision to not patent or restrictive license many piece of novel technology used in the ecosystem. Bitcoin is a revolutionary technology which has the potential to improve people's personal freedom and autonomy and allow more of the world to interact as equals. This potential cannot be realized-- cryptocurrency has no future-- if the system is owned or monopolized through state granted artificial property rights. Bitcoin is also the logical progression of the work of thousands of people over many years, without which Bitcoin would not have been possible.

I think that it's unfortunate that providing freedom to the world also includes greedy parasites who think it's acceptable to go around trying to take small (and usually obvious) extensions of a system that was shared freely with them and take them away from the public for their personal gain. But fact that you're based on NXT at all suggests that you don't actually have the technical background to gauge a secure system from an insecure one, so, well, good luck with that. In the unlikely event that what you've done is at all worthwhile, I'll personally endeavour to ensure that it's replaced with superior unencumbered alternatives so that they only thing you receive on account of your anti-social behaviour is lost income.

If anyone is threated on patent grounds by mczarnek or anyone else involved with the seedy "NXT" project now or in the future and finds this message, please feel free to reach out to me for technical, legal, or financial assistance. I've worked on defending against patents successfully for many years and would be glad to help anyone work around, uncover prior art, or otherwise invalidate patents in this space. Cheers.

Patenting your idea will almost certainly guarantee its complete failure, patented cryptosystems are almost never deployed and there is a long history proving this out. Your patent will also likely be invalid, since it was almost certainly anticipated by the years a public work in support of the community done by people here and in other places. Even ignoring the situation specific factors, in the US a majority of patents have claims struck down on review; for small inventors the patent system is a scam to make money for attorneys and the patent office: the patents they get are usually unenforceable for legal (invalidity) or economic (patent litigation costs hundreds of thousands of dollars and ruins good will, so a small inventor can almost never afford it and everyone knows it) reasons.

If your idea is actually useful, you should make it available publicly where it can be reviewed and refined and have some chance of adoption and building your professional credibility. If you instead go the route of patenting it, then even if the idea is unworkable (which it likely is, most cryptographic proposals turn out to be flawed) you will have only been successful as identifying yourself as a thief who has taken from the enormous body of work in Bitcoin and the wider cryptocurrency and cryptographic ecosystem given to your freely and attempted to lock up part of it for your personal profit at the expense of everyone else who you've benefited from.

I read somewhere that the moon is made of green cheese. ... you might want to be a bit more specific.

Zero confirmations are inherently somewhat unsafe-- inherently due to physics, a decentralized system cannot have an instant consensus because light has a finite speed. As far as I am aware zero-conf cannot magically be made substantially more safe without invoking a trusted party in some manner. There are many proposals for instant payments that involve things like escrowed coins (E.g. micropayment channel hubs), but they all make some additional security compromise (though potentially a small one).  I am not aware of any magical mathematical calculation that helps you.

Federated servers are a form of centralization, an improved one-- for sure, which may be suitable for many applications. Man would it be nice if they weren't.

No it doesn't. It can skip verifying very deeply burred signatures (as is the checkpoint behaviour), since with headers first it knows the amount of work on top of them and can perform the tests only probabilistically past a certain point.

Because it doesn't make any sense. Lets say you program nodes to enforce some criteria burred in a chain they're handed.  Great now I create a simulated history which that sets a bogus 'checkpoint' back early in the chain, but any _new_ nodes that attach to me I give this simulated history to before they know there is a better chain elsewhere and they start enforcing that rule and they are now forked off onto this bogus alternative chain; so you've introduced a vulnerability. Worse, because the forking off can be arbitrarily far back it becomes exponentially cheaper to do so long as hash-power is becoming exponentially cheaper.

This is even _before_ getting to the argument that what you're suggesting weakens the security model even if it works fine:  The result is that you give miners a new power, instead of just being able to reorder the history, they could also create arbitrary inflation just by adding new utxo to their updates. (which, if course, would be in all of their short-term interests to do)

Far better to just get rid of them: Headers first makes most reasons obsolete.  The circus above doesn't really help, since it's using the chain itself, which of course checkpoints distort the selection of, so it's just circular.

Ah, but mining is not made artificially difficult in any absolute sense. It's whatever it needs to be to keep the target pace. The system operates fine, though its insecure with the difficulty at 1.  The hardware investments are one time, they amortize, energy usage is what is actually interesting. I know I'm not saying anything you don't know,  but I don't know why you expect a particular cost for hashing without first starting with an income (e.g. transaction fees) which would sustain it.

I disagree here. Network capacity is not very cheap... It is cheap marginally to miners but thats because the trust cost of a transaction is largely an externality to miners. It's also cheap in a highly centralized network where there is only one or a few verifiers, but in a highly decentralized network much less so. Security does not come exclusively from miners, it comes _primarily_ from verification. Miners serve to provide ordering, an essential part of the system, but miners incentive are aligned by all the other parties verifying (otherwise, a rational thing for all miners to do would be to just agree to inflate the currency forever).