Bitcoin Forum
October 06, 2022, 06:14:11 AM *
News: Latest Bitcoin Core release: 23.0 [Torrent]
Show Posts
1  Bitcoin / Development & Technical Discussion / Re: Signature aggregation for scaling - what is possible? on: October 05, 2022, 07:01:27 AM
I've yet to study more about sidechains such as Liquid, so I can't say whether those off-chain solutions are trustless, but I'm relatively confident they are; otherwise nobody would use them.

You definitely need to trust the federation that controls peg-outs [1]. From the whitepaper [2]:

> As a sidechain, Liquid supports transfers of bitcoins into and out of the system by means of a cryptographic peg. Bitcoin pegged into Liquid is referred to as Liquid Bitcoin or LBTC. The forward progress of the Liquid ledger and custody of the underlying bitcoin are controlled by a federation, and remain secure as long as over 2/3 of its members are honest.

> This option requires no changes to Bitcoin, since the peg is enforced by means of ordinary multisignature transactions. It does require a consortium to exist, and for participants of the system to trust that at least 2/3 of the federation is acting honestly.

[1] https://help.blockstream.com/hc/en-us/articles/900001551783-What-is-a-Liquid-peg-out-

[2] https://blockstream.com/assets/downloads/pdf/liquid-whitepaper.pdf
2  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 31, 2022, 06:38:48 AM
Oh and what about 10% foundation reward shady tax, I forgot to say that before...

The devtax was originally advertised as 10% of total supply, by a 20% tax on the first 4 years, which generate half of total supply.

But before those 4 years were up, they voted to extend it another 4 years, and now with the planned switch to PoS it becomes effectively 20% of total supply. So much for immutable monetary policy...
3  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 30, 2022, 11:05:09 AM
With unlimited ZEC inside the Sapling pool, the attacker could still use it to trade, sell for other cryptocurrencies or for fiat, to buy goods and services, etc., and it could be an arbitrarily long period of time before such an attack was discovered.

No, the attacker couldn't because there's no exchange or trading platform that supports Sapling -> Sapling transactions. In fact most exchanges only allow trading the transparent pool.
4  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 30, 2022, 06:36:20 AM
As of their NU5 upgrade on May 31, Zcash no longer relies on a trusted setup [1] [2].
Only for people creating and using the new Halo 2 Orchard addresses though, unless I'm mistaken? Since the old Groth16 addresses are still in use and can still be created, funded, etc., the risk of someone compromising the entire setup and printing unlimited ZEC in secret remains.

There's only a risk of unlimited ZEC *within the old Sprout/Sapling pools*. There is no risk of that unlimited ZEC getting out to either the transparent or the Orchard pool due to turnstiles.

So the only risk is to people who keep ZEC in the old shielded pools in case the turnstile prevents them from getting their funds out due to someone else having inflated funds moved out.

Quote
Zcash need to phase out all old addresses before this upgrade means anything.

Disagree. The upgrade clearly means something with the turnstile protection and with the new address format defaulting payments to the Orchard pool.
5  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 29, 2022, 02:38:15 PM
To use Zcash, you must trust completely in the setup process and the six individuals involved in that process. This is a complete non-starter as far as I am concerned for any currency, least of all a currency which styles itself as a privacy currency.

As of their NU5 upgrade on May 31, Zcash no longer relies on a trusted setup [1] [2].

[1] https://www.coindesk.com/tech/2022/05/31/zcashs-nu5-upgrade-goes-live-boosting-privacy-and-removing-trusted-setups/
[2] https://zips.z.cash/zip-0224
6  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 25, 2022, 07:03:23 PM
He said nobody paid him to be a part of this ceremony, but they did pay other people to participate....

Nothing unusual there.
Todd went on a long road trip [1], staying at an unpredictable motel, buying a disposable computer and thoroughly destroying it afterwards, generally making lots of expenses for which Zcash reimbursed him.
Snowden probably chose to make negligible expenses and declined to be paid.

Quote
Now even if zcash is to become without this trusted setup they will always have this suspicious shady history and it's never going to be widely accepted.

If you want to talk about shady history, look at Monero's Cryptonote origins with the Bytecoin scam [2] and the purposely obfuscated inefficient miner software [3]...

[1] https://www.coindesk.com/markets/2016/11/14/zcash-and-the-art-of-security-theater/

[2] https://bitcointalk.org/index.php?topic=4508322.0

[3] https://da-data.blogspot.com/2014/08/minting-money-with-monero-and-cpu.html
7  Bitcoin / Development & Technical Discussion / Re: Why is it assumed SegWit's schelling poing cannot ever be broken? on: August 23, 2022, 04:28:29 PM
Could someone explain why it is considered theoretically impossible that enough miners could collude to steal funds sitting on non-legacy addresses through a 51% attack?
Of course it's considered possible in theory.

Quote
My simple answer to this would be that even if they managed to reorg the chain

There's no need to reorg the chain. They just build a block with a segwit stealing tx, which everyone else ignores (as it breaks the segwit softfork rules), but that they keep building on. Since they are assumed to have a hashpower majority, their chain will likely stay ahead of the segwit-faithful branch that other miners build on.

Quote
the price would crash
No it wouldn't, because exchanges and other non-mining entities would ignore this longest branch which breaks their rules. All that would happen is that blocks come in more than twice as slow until the next difficulty adjustment kicks in.

Quote
so much that they would be left with nothing.

They would be left with nothing, since everyone else sees their coinbases as invalid.
In short, it's not just up to the miners.
8  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 23, 2022, 02:49:20 PM
But I guess depending on how it's implemented, every new UTXO after the upgrade could be private by default, without an option to disable that.

Zcash currently allows all 4 directions between transparent t addresses and shielded z addresses: t2t, t2z, z2t, and z2z. I'm not sure how these qualifiers work if you have different types of inputs, or different types of outputs in one tx.
A first step to phasing out transparent addresses is to disable z2t, so once shielded you stay shielded. A second step is to disable t2t, so you cannot create new transparent outputs. I don't think you want to take either step in Bitcoin.

Quote
Are there existing concepts / ideas about the very question how to best 'add' privacy to an existing coin (in terms of what to do with pre-upgrade UTXOs and whether privacy can or should be optional afterwards)?

IMO a coin that values full auditability should keep private amounts optional, although one could argue that with ElGamal commitments, at least unconditional soundness is preserved.
9  Bitcoin / Development & Technical Discussion / Re: BTC redundant code / latent bug please explain on: August 23, 2022, 06:03:34 AM
Now, assuming that cnt is never less than 0, cnt can never be 0 after incrementing it.
The result is that the code following the check is never executed.

Of course, there is wrap around,

I wouldn't say "Of course" when you didn't consider it in the first place...
10  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 23, 2022, 05:56:22 AM
Why is Zcash not really a privacy coin?

Obviously, because privacy is optional in Zcash.
Only a small minority (0.8M of 15M ZEC) of coins lives in shielded pools, and only a small fraction of transactions is z2z.

It seems most Zcash users are not interested in its privacy features, but hope to profit from other people's interest in its privacy features.
11  Bitcoin / Development & Technical Discussion / Re: Solution for the bitcoin distribution problem. on: August 22, 2022, 05:00:45 PM
I think the computation above shows that the 10 minute time window is the real culprit... and is too slow to distribute coins successfully across the world.

Not every bitcoin owner needs to have an entire block reward. You could split up the 7.5B people in the world into 750K groups of 10K. If each group won one of the 750K blocks so far, then each group could split the reward of say, 25 BTC = 2500M satoshi into 250K satoshi for each member.

Remember there are plenty of satoshi to go around...
12  Alternate cryptocurrencies / Altcoin Discussion / Re: Shiba Inu has no value and shouldn't be bought on: August 22, 2022, 02:49:50 PM
Many coins will massively lose value and we need to look very carefully at which coins are likely to die.
Reason number one why coins are going to die is if a coin is simply a cheap copy of an existing coin.
Copied coins will die!

Litecoin begs to differ.

It only made some relatively meaningless tweaks to Bitcoin (or to the now forgotten Tenebrix to be precise), and its much-touted ASIC-resistance proved to be extremely short-lived (its PoW now just takes a needlessly long time to verify), yet it went on to be rather successful in terms of marketcap.

Doge itself launched as a Litecoin clone with a few more meaningless tweaks.
It did make a very meaningful change later though, when it introduced Tail Emission.
13  Alternate cryptocurrencies / Altcoin Discussion / Re: do any coins rival Grin's simplicity? on: August 22, 2022, 02:43:55 PM
My question is: is there a way to implement the cuckatoo cycle in the SHA256 coin to make it more ASIC resistant?

Cuckatoo32 is designed to be ASIC friendly, and there are in fact ASICs for it.
But where SHA256 can be seen as proof-of-logic-circuit, C32 is proof-of-SRAM.
You need 512MB of SRAM to find solutions most efficiently.

It's true that the performance gap with GPUs is much smaller than for SHA256, and current ASICs don't have enough SRAM to achieve full efficiency, but for future ASICs there will be at least an order of magnitude gap.

Quote
If so there is a lot of C++ code I found on your GitHub but not a guide on how to maybe implement it? Do you have one? Can you maybe help me? I am also from the Netherlands and don't mind paying you for your time and effort.

The actual Cuckatoo32 verifying logic should be easy to integrate into Bitcoin Core. The majority of effort needed will instead be for enlarging the header with a new field for the 42 cycle indices of size 42*32 bits = 168 bytes. I'd advise you to first get your blockchain working with this larger header, where you just ignore the contents of the new field. Let me know when you have that working.
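The "larger header, ignore the new field" step of the post above, as an added example that is not Bitcoin Core's or Grin's code: a hypothetical header that carries the 42 32-bit cycle indices (168 bytes) after the 80 legacy bytes, with a round-trip parser and the cheap shape check (strictly ascending indices, an assumed convention modelled on Grin) a node could run before the real cycle verification. Little-endian encoding and the field order are assumptions.

```go
package main
import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	LegacyHeaderSize = 80            // Bitcoin's existing 80-byte header
	ProofSize        = 42            // cycle length of Cuckatoo
	CycleFieldSize   = ProofSize * 4 // 42 x 32-bit indices = 168 bytes, as in the post
	ExtHeaderSize    = LegacyHeaderSize + CycleFieldSize
)

// ExtHeader is the hypothetical enlarged header: the untouched legacy bytes
// followed by the 42 edge indices of the Cuckatoo32 cycle.
type ExtHeader struct {
	Legacy [LegacyHeaderSize]byte
	Cycle  [ProofSize]uint32
}

// Serialize appends the cycle field little-endian after the legacy bytes.
func (h *ExtHeader) Serialize() []byte {
	buf := make([]byte, ExtHeaderSize)
	copy(buf, h.Legacy[:])
	for i, idx := range h.Cycle {
		binary.LittleEndian.PutUint32(buf[LegacyHeaderSize+4*i:], idx)
	}
	return buf
}

// Deserialize rejects anything that is not exactly 80+168 bytes; a node in
// the "ignore the new field" phase of the post would stop here.
func Deserialize(b []byte) (*ExtHeader, error) {
	if len(b) != ExtHeaderSize {
		return nil, fmt.Errorf("header is %d bytes, want %d", len(b), ExtHeaderSize)
	}
	var h ExtHeader
	copy(h.Legacy[:], b[:LegacyHeaderSize])
	for i := range h.Cycle {
		h.Cycle[i] = binary.LittleEndian.Uint32(b[LegacyHeaderSize+4*i:])
	}
	return &h, nil
}

// CheckCycleShape is the cheap structural check to run before the real
// Cuckatoo32 cycle verification: indices strictly ascending (an assumed
// convention, modelled on Grin), which also rules out duplicate edges.
func CheckCycleShape(cycle [ProofSize]uint32) error {
	for i := 1; i < ProofSize; i++ {
		if cycle[i] <= cycle[i-1] {
			return errors.New("cycle indices not strictly ascending")
		}
	}
	return nil
}
```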

14  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 22, 2022, 02:03:46 PM
By the way; does interactivity in pure MimbleWimble / Grin mean that basically cold wallets don't exist? Or has someone come up with a smart solution?

You can pre-sign incoming transactions of predetermined denominations from a hot wallet to a cold wallet, and keep them stored in the hot wallet to be used at any later time. So it can be made to work with a few limitations.
15  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 22, 2022, 07:20:19 AM
Another feature, that can be considered both an advantage in some cases, and a disadvantage in others, is that MW transactions are multisig by sender AND receiver, and thus require them to interact to build the tx, just as is already the case for Lightning.
Interaction sounds pretty much like a no-go to me, to be honest.

Strange to hear you denounce Lightning just like that...

If Bitcoin is to achieve any sort of mainstream adoption, and actual use as a currency, then most users will eventually be far more familiar with the interactive nature of L2 transactions than the non-interactive nature of L1.

Btw, another advantage I haven't mentioned is that multisig greatly reduces worries about mistyping addresses or sending to the wrong address, since the receiver must actually prove being able to spend received funds before being able to receive them. That gives much more peace of mind and mostly avoids the need for an extra "test" transaction of negligible value before a big value transaction.
16  Bitcoin / Development & Technical Discussion / Re: Bitcoin - most important technical characteristics on: August 22, 2022, 07:06:25 AM
Its simplicity. Not in the sense of being trivial, but in the sense of having a very focused feature set.

There are coins significantly simpler than Bitcoin, e.g. https://bitcointalk.org/index.php?topic=5309951.0
Bitcoin's script is a huge source of complexity which runs counter to having a focused feature set.
17  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 20, 2022, 03:30:02 PM
Why, if I said I paid and you say I didn't and I release my side and you don't release yours then although there is not 100% proof you did not get paid it looks shady as hell.

So I can make you look shady by claiming I paid you and releasing my fake side and by definition you couldn't release yours?

It seems you want to transact with people whom you trust and don't trust at the same time.
You trust them to provide the goods/services you pay for, but
you don't trust them not to disclose tx info without your consent.

I have not kept up on grin, with that being said are you stating that a listener can no longer store transactions for chain analysis?

Any mempool observer can reconstruct (nearly all of) the transaction graph.
But chain analysis on this graph is hard without any visible amounts or addresses.
It's even harder if most transactions are payjoins (i.e. receiver also provides an input), so that you cannot distinguish between payer and payee. Thanks to the interactivity required by MW, payjoins are just as easy as non-payjoins.
18  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 20, 2022, 01:30:23 PM
For true privacy you need to be sure it can only be released when BOTH people agree to release it.
If for whatever reason Bob does not want it known that Alice paid him, and Alice can release it unilaterally, then it's not really that private.

It's also not that useful, as payments can trivially be denied by a fraudulent receiver, with no recourse for the buyer.

Payment proofs are a critical component to a functioning digital payment economy.
19  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 20, 2022, 12:53:15 PM
we would need a way for Alice to pay Bob that is 100% private BUT at the same time provide them with a way that if needed Alice could prove to the world that she did in fact pay Bob to this address and this amount and here it is to be seen on a public block explorer. BUT and this is a big but, they both have to agree to release that info.

Mimblewimble supports payment proofs. For a payment from Alice to Bob, this is a statement signed by Bob's public key (associated with his wallet) that appearance of certain data on-chain (sufficiently confirmed), proves that he was paid by Alice. The statement can include amount, time, and purpose of payment.
BUT Bob's agreement is not needed to release this info. In fact, payment proofs are useful in cases where Bob promises to provide some goods or service in exchange for Alice's payment, but then fails to do so. Now Alice can submit the payment proof to some 3rd party (e.g. a court) as evidence for Bob's fraud.

Quote
Which brings up the next question, which probably needs its own thread. Do we need L1 privacy or would an integrated into the protocol but on an L2 privacy be better?

I think amount and address privacy is best built into the base consensus layer, as these improve scalability as well in case of MW.
But hiding input-output links (obfuscating the tx graph) on the base layer comes at a large cost in either scalability or (in case of recursive snarks/starks) in trustworthiness, so perhaps that is better added on as a separate service (such as the Mimblewimble CoinSwap protocol).
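The payment-proof flow described in the post above (Bob signs a statement while the interactive transaction is built; Alice alone can later hand it to a third party), as an added example that is not Grin's code. The message layout amount || kernel excess || sender key, the use of Ed25519 for the wallet address keys, and the 33-byte kernel commitment stand-in are assumptions for this example, not Grin's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// PaymentProof is the receiver-signed statement described above: "if a kernel
// with this excess appears on-chain, I (Bob) was paid Amount by Sender".
// Field layout is an assumption for this example, not Grin's wire format.
type PaymentProof struct {
	Amount       uint64            // assumed unit: nanogrin
	KernelExcess [33]byte          // kernel commitment of the paying transaction
	Sender       ed25519.PublicKey // Alice's wallet address key
	Receiver     ed25519.PublicKey // Bob's wallet address key
	Sig          []byte            // Bob's signature over proofMessage(...)
}
// proofMessage fixes the bytes Bob commits to: amount || excess || sender key.
func proofMessage(amount uint64, excess [33]byte, sender ed25519.PublicKey) []byte {
	msg := make([]byte, 8, 8+len(excess)+ed25519.PublicKeySize)
	binary.BigEndian.PutUint64(msg, amount)
	msg = append(msg, excess[:]...)
	return append(msg, sender...)
}

// SignProof is Bob's step while the interactive transaction is being built;
// Alice keeps the result, so releasing it later needs no cooperation from Bob.
func SignProof(bobPriv ed25519.PrivateKey, amount uint64, excess [33]byte, alice ed25519.PublicKey) PaymentProof {
	bob := bobPriv.Public().(ed25519.PublicKey)
	return PaymentProof{amount, excess, alice, bob, ed25519.Sign(bobPriv, proofMessage(amount, excess, alice))}
}

// VerifyProof is what a third party (e.g. a court) runs: the signature must
// verify under Bob's key AND the kernel must be in the confirmed on-chain set.
func VerifyProof(p PaymentProof, confirmed map[[33]byte]bool) error {
	if !ed25519.Verify(p.Receiver, proofMessage(p.Amount, p.KernelExcess, p.Sender), p.Sig) {
		return errors.New("signature does not verify under receiver key")
	}
	if !confirmed[p.KernelExcess] {
		return errors.New("kernel excess not confirmed on-chain")
	}
	return nil
}

func main() {
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	excess := [33]byte{0x09, 0xab} // constructed stand-in for a real kernel commitment
	proof := SignProof(bobPriv, 5_000_000_000, excess, alicePub)
	chain := map[[33]byte]bool{excess: true} // constructed confirmed-kernel set
	fmt.Println("valid proof:", VerifyProof(proof, chain))
}
```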
20  Bitcoin / Development & Technical Discussion / Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion on: August 20, 2022, 10:59:18 AM
Without MWCS you can see addresses that get paid in the mempool

That makes no sense. Pure MW has no addresses.

The only thing you can see in the mempool that you cannot see in blocks are the original transaction boundaries (except for txs that got aggregated in the Dandelion phase, but that is rare).

Mimblewimble Coinswap for Grin is still in development.