Bitcoin Forum
  Show Posts
1  Economy / Services / Re: [Announce] Megareload alive and kicking - now even bitcoinier than ever! on: September 01, 2013, 06:19:30 PM
I dunno, but as far as I can tell there's nothing vague about them.

Their business is the tried and true legal file hosting service where users are motivated to upload files they legally own.

Only this time with bitcoin and a user-side crypto-sauce that covers the ass of both them and their users. At least their cryptographic magical sauce seems both easier to understand and more robust than Mega's.

Fortunately, we, as a service, have persevered -- though there was a bit of turmoil which has somewhat slowed down our progress.

Are "you" as a service in the business of providing vagueness to the Internet? Because that's not a service. Or a business.
2  Bitcoin / Development & Technical Discussion / Re: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt on: April 20, 2013, 10:23:24 PM

The timestamp chain could still be based on sha256.

And, that would be a kind of "institutional" commitment in a loose sense - an informal and unspoken one, but a commitment nonetheless.

If you decide to move away from SHA256, you'd have a bunch of very upset participants, who will at that point become fairly confrontational.

Attacker hires [unethical hacker] to enter BTC dev circles, contribute, gain team trust, and eventually sneak a remote code execution vulnerability (disguised as an honest coding mistake, of course) into main.

I don't think you even need a lot of money for that, the grey/black hat hacker just does it as his own project...  There ought to be some really serious scrutiny of every byte of every check-in.  Maybe bitcoin should think about paying a bounty for the bugs out of some slush even.

Some of those guys ranging through black, grey to white hackers are very very smart.  If they can find new 0-days, in highly reviewed code, and sell it on the grey (legit actually) market - they are well qualified to know what a subtle mistake looks like, and how one would create one.

Well, having a lot of money allows you to pay the blackhat a really nice salary to ensure he devotes all his efforts to compromising BTC from "team insider" position, and the blackhat gets to keep all the coins he gains from sneaking a remote code execution exploit into BTC.

Which, I reckon, would be an offer few blackhats would decline.

The sheer effort needed to detect - and neutralize - such an attack would be tremendous.

So if we really consider a non-economically motivated attacker with millions of dollars to spare, exotic chippery is the least of our concerns (I'd say outright implausible, given the amount of non-cryptographic shortcut attacks a rich monomaniac can undertake).

And yes, we need a "bug bounty" and a generally more robust change review process.


Ok you called me on that.  Your points are valid also IMO.  I was mostly reacting to the 'one-two tweak clones' as you put it that are basically 100% bitcoin with paramtweaks.  I should have qualified that with simple no-difference forks.  Otherwise why would each person not start the same code or a paramtweak metoocoin etc in their own name and go for the first mover coins until there are 100k coin types and the concept of a cryptocurrency gets weakened by the noise!  It's confusing to the semi-technical viewer and erodes the meaning of a cryptocurrency.  But yes part of an experiment is potentially the economics which maybe you can't really tell without operating it.

There are limitations with bitcoin, things that could be improved, maybe cryptographic and/or p2p optimizations perhaps that could jump scalability up, reduce network requirements of peers, etc

Different mining and decentralization retaining features etc.

The research and experimentation brings value.  Maybe in the longer term bitcoin would merge an innovation to improve.  And worst case, yes a monoculture defense, if bitcoin lost its way.

The first mover thing is odd though.  No one knows if an alt-coin will perhaps for some unforeseen reason overtake, if bitcoin hits a big stumbling block people didn't see coming.

Adam

Well, there won't even necessarily be an overtake.
I expect  BTC and decent alties to specialize to different market segments, with BTC being more mainstream and some altcoins taking up niches that a "mainstream cryptocurrency" doesn't fit quite as well (if at all)

There's no particular reason why There Should Be Only ONE Wink.

And don't get me started on Bitcoinomics...

Having said that, there's you know, a certain gap between "cryptocurrency ideas" and capacity to implement them.

Altcoins need more level-headed professionals, good designers, and perhaps most importantly, cryptography experts involved.
Wink
3  Bitcoin / Development & Technical Discussion / Re: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt on: April 20, 2013, 06:15:36 PM
Seriously though, with all due respect (and with admittance of my conflict of interest here) - alt-coins (or rather, truly innovative alt-coins as opposed to one-two tweak clones) are useful.

They prevent monoculture.

If anything, we need more altcoins pursuing different niches (I feel that there are market niches which BTC, contrary to popular belief, fills imperfectly, allowing for an alt to take that niche without affecting mainstream btc adoption - but that's a long and boring story)

Arguably, what you want is one timestamping chain.  All other chains can then use that timestamp service to establish ordering of their transactions.

That is effectively what merged mining actually does anyway.

It would allow the main chain headers to be extremely clean.

Certain practicalities (like "motivating miners of the meta-chain") aside, monoculture is admittedly very comfy.
However, non-monocultural settings are less susceptible to exploits and systemic failures of design.

Monocultures also tend to "calcify", stifling innovation and accruing institutional commitments (the latter isn't always a bad thing, but it can limit the directions a project can realistically take - for instance, bitcoin becoming more anonymous would piss off FinCEN by breaking an implied institutional commitment. Or, for a more obvious example, consider the response of people who already bought ASIC units to a hypothetical PoW change Wink )
4  Alternate cryptocurrencies / Altcoin Discussion / Re: Escrow attack on Proof-of-Stake on: April 20, 2013, 08:17:05 AM
The reason for compensating miners (with fees, subsidy, or anything at all) is that in a PoW scheme they provide a service that is vital to the entire market.

In a scheme where solving progressively complex cryptopuzzles does not serve to secure the ledger against doublespends and other shenanigans, mining is, frankly speaking, a waste and should have been replaced with a more reasonable initial wealth distribution routine - of which there are many options (including collusion-proof cryptographic lotteries)

In fact, mining provides outright perverse initial wealth distribution in pure PoS because you are essentially rewarding folks for the investment they have made into another, different crypto-currency scheme (by buying BTC mining equipment), an investment that has been likely already paid off via that other scheme.

That's like if Microsoft started paying me money for the fact that I own Google shares Wink

Interesting point, and I agree with the wealth distribution argument.  However this can be fixed by not using SHA256 which is not designed to be a technology-neutral algorithm.

Well, yeah, a different PoW might have alleviated the issue a bit, though designing a PoW that would be hostile to modern mining equipment turns out to be a pretty hard task it seems...
Regarding a crypto lottery, where is the collusion-proof cryptographic lottery that is immune to a sybil attack?


Immune ? No.

But significant sybil-resistance could be achieved by various tricks (an obvious and somewhat imperfect one would be to use v4 IPs as "identities". Admittedly, you can still sybil a lot, especially if you are a botty op, but during initial wealth distribution a botnet is not likely to show up and anyone who honestly buys a crapton of IPs just to win MORE PPCOINS is probably an individual with quite a bit of interest in your specific coin)
5  Bitcoin / Development & Technical Discussion / Re: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt on: April 20, 2013, 07:56:03 AM
Maybe someone is rich and just wants to mess with the network.  It seems unwise to make ourselves vulnerable to that sort of thing merely because we wouldn't take advantage of it ourselves.

I think that is something to think about in byzantine threat models.  Could a big and hostile player greatly outsizing bitcoin in terms of money to burn destabilize via financial exchange manipulation, or mining out the coins with vastly more CPU power, buying and deleting coins etc.  It seems often that some big players prefer covert plausibly deniable or hard to prove action than something overt.  Or alternatively they could find or make a legal excuse to cut exchanges off from the banking interface.

Even competitors like banks themselves if the bitcoins started to eat into profit margins maybe they could drive out the currency by buying all the liquid parts.  (Bad currency drives out good?)

Adam


Oh, like I said, such an attacker can do a stupidhuge number of devastating non-cryptographic attacks.

Here's another one:

Assume attacker can waste up to 500 mil. USD (I assume that is the ballpark "pocket change" figure for someone who can afford developing ASICs just to "mess with the coin guys")

Attacker creates a highly anonymous offshore structure, in this case I would probably suggest a trust (it's hard, but possible, to set up an offshore in a manner that is literally impossible to trace back to the real mastermind of the affair)

Attacker arranges for about $50 mil moved there.

Attacker locates, across numerous anonymous fora, a programmer that is both highly competent and unethical (not like there ain't places on the net where such folks hang out)

Attacker hires him to enter BTC dev circles, contribute, gain team trust, and eventually sneak a remote code execution vulnerability (disguised as an honest coding mistake, of course) into main. Attacker pays the blackhat a very lucrative salary via the offshore structure.

The attack would be completely devastating, and, in case the exploit is discovered prior to relevant code being accepted into main, the blackhat has plausible deniability (not like anyone can claim to never have made a dangerous coding mistake)

Fighting "Rich Mad" is not fun Sad

Surely that's just a question of mining in much smaller parts, so that rewards are measured in the Satoshis range instead of 25 whole coins.  I think the harder but probably solvable problem if it was desired would be p2p traffic efficiency.  I do think poolproof would be useful.

Well, the problem with "mini-mining" is variance, also known as "luck" [..] Miners want their payoff come in stable and predictable intervals

That's because the minimum network accepted virtual "nugget gold weight" is too high for the end user miner.  If the rate of average production for a speck of virtual gold dust was 1 second on a GPU (for some picosatoshi) the rate of progress would be smooooth, so it's not the randomness per se, it's the size of the minimum mining target.  It'll be acceptably smooth even at 1 microcoin per hour for a 500MH miner at a given difficulty.

The problem and reason for big 25 coin blocks I think is p2p network scalability.

You can therefore think of pools like supernodes in a p2p network.  They hand out "share"-sized chunks of work, effectively the microcoin challenge, and smooth it out for you, and like supernodes in p2p networks in general, they help the network scalability.  There is healthy competition amongst pools, and the barrier to entry is low.

In an idealized crypto currency you could argue it would be desirable to be able to mine picocoins directly without pools.  poolproof as you called it.  But I think for now the people working on the code are having enough fun scaling for transaction volume etc with the current parameters absent some interesting new crypto to say allow secure offline combinable and splittable proofs of work.

Adam

Yes, a mining algo that would allow me to mine low-diff mini-reward blocks alongside "big" miners mining for bigger rewards without causing a security compromise would be a huge boon (with current PoW, that won't work, at least not straightforwardly)

It would make the poolsafe concept viable (currently, you can make pools un-workable, but you need a mini-reward scheme to make it lucrative)

Well my idea is this: aim to get to 50:50 hashcash/scrypt [or pool of algorithms]
I can't imagine majority of miners (who are already sitting on ASICs) would accept this kind of fork.

I am anti-fork as bad for mindshare, confidence and dilutive of bitcoin and crypto currency value aggregate.


Awwww man  Cry

Seriously though, with all due respect (and with admittance of my conflict of interest here) - alt-coins (or rather, truly innovative alt-coins as opposed to one-two tweak clones) are useful.

They prevent monoculture.

If anything, we need more altcoins pursuing different niches (I feel that there are market niches which BTC, contrary to popular belief, fills imperfectly, allowing for an alt to take that niche without affecting mainstream btc adoption - but that's a long and boring story)
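Adam's variance argument in the exchange above (the payout is stochastic, and splitting the reward into smaller independently-mined pieces smooths it without changing what a miner expects to earn) can be checked numerically. The following is an added example, not code from either poster or from any Bitcoin software. It models block finding as a Poisson process, so the relative spread of income over a window is 1/sqrt(expected finds); the 500 MH/s rig against a 60 TH/s network is a constructed, order-of-magnitude scenario used only for illustration.

```python
import math

# Bitcoin's target block spacing in seconds. The 25 BTC reward used below is
# the subsidy in force when the thread was written (spring 2013).
BLOCK_INTERVAL_S = 600.0


def expected_finds(hashrate_share, seconds, granularity=1):
    """Expected number of rewards a miner finds in `seconds`.

    hashrate_share: the miner's fraction of total network hashrate (0..1).
    granularity:    how many independently-mined pieces a block reward is split
                    into; lowering the target by this factor multiplies the
                    find rate by the same factor (pool "shares" work this way).
    """
    return hashrate_share * seconds / BLOCK_INTERVAL_S * granularity


def payout_stats(hashrate_share, seconds, block_reward, granularity=1):
    """Return (mean_income, stddev_income, coefficient_of_variation).

    Finds are modelled as a Poisson process, so the count N over the window has
    mean == variance == mu. Income is (block_reward / granularity) * N, hence
    the relative spread stddev/mean is 1/sqrt(mu): it depends only on how many
    pieces you expect to find, not on how big each piece is.
    """
    mu = expected_finds(hashrate_share, seconds, granularity)
    piece = block_reward / granularity
    mean = piece * mu
    stddev = piece * math.sqrt(mu)
    cv = 1.0 / math.sqrt(mu) if mu > 0 else math.inf
    return mean, stddev, cv


def prob_zero_income(hashrate_share, seconds, granularity=1):
    """Probability the miner earns nothing at all in the window: exp(-mu)."""
    return math.exp(-expected_finds(hashrate_share, seconds, granularity))


def compare_granularities(miner_hashrate, network_hashrate, seconds, block_reward,
                          granularities=(1, 1_000, 1_000_000)):
    """Tabulate mean income, relative spread and P(nothing) for several reward
    sizes, holding the miner's share of the network constant."""
    share = miner_hashrate / network_hashrate
    rows = []
    for g in granularities:
        mean, stddev, cv = payout_stats(share, seconds, block_reward, g)
        rows.append({
            "granularity": g,
            "piece_btc": block_reward / g,
            "expected_finds": expected_finds(share, seconds, g),
            "mean_btc": mean,
            "stddev_btc": stddev,
            "cv": cv,
            "p_zero": prob_zero_income(share, seconds, g),
        })
    return rows


if __name__ == "__main__":
    # Constructed scenario (assumption, not measured data): a 500 MH/s GPU rig
    # against a 60 TH/s network, mining solo for one day (86 400 s).
    for row in compare_granularities(500e6, 60e12, 86_400, 25.0):
        print(f"piece={row['piece_btc']:>12.8f} BTC  "
              f"expected finds={row['expected_finds']:>10.4f}  "
              f"mean={row['mean_btc']:.4f} BTC  cv={row['cv']:.4f}  "
              f"P(nothing)={row['p_zero']:.4f}")
```

With whole 25 BTC blocks the solo miner expects about 0.0012 finds per day, so the mean income is 0.03 BTC but the standard deviation is roughly 29 times that and the miner goes home empty-handed on 99.9% of days; with the same work split into 25 µBTC pieces the mean is unchanged at 0.03 BTC while the relative spread drops to about 3%. That is exactly the smoothing a pool sells in exchange for its fee.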
6  Bitcoin / Development & Technical Discussion / Re: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt on: April 19, 2013, 09:10:00 PM
Well, if you don't mind, I will provide a few comments without specific quotes:

When you account for pooled mining, ASICs become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network

It thus appears to me that, if empirical evidence is to be trusted, ASIC resistance (or lack thereof) will have little to no effect on "decentralization", primarily due to very strong centralization arising  from "pool" infrastructure.

Well I don't think that's as dangerous a problem as corporate control by a long way.  A pool can't misbehave much.  If it does the users will realize and pull out and it'll go under.

It appears to me that many miners care little about protocol intricacies. As long as dollers keep falling out of the vidjacard, all is fine and dandy to such folks  Cheesy.

Besides, I do think that you're overestimating corporate malice. Corporations are, by design, fairly sociopathic - but they are just profit driven decision makers, much like pool-ops, and would, just like pool-ops, seek to refrain from doing things that may break the profit model (one could argue that de-pseudonymizing bitcoin or removing the max coin count would drop the price like a giant bag of rocks, and that would not be good for Coinmining LLC, would it?).

Also, I'm not convinced that "de-ASICing" BTC would necessarily prevent "corporate encroachment". It just so happens that it is much easier to run a large cluster of complicated equipment when you are a small company - and much more comfortable for the proprietor.

Quote
P.S.:
My limited understanding of concepts involved suggests that "poolproof" design is possible, but my limited understanding of miner behavior suggests that it would be woefully unpopular.

Surely that's just a question of mining in much smaller parts, so that rewards are measured in the Satoshis range instead of 25 whole coins.  I think the harder but probably solvable problem if it was desired would be p2p traffic efficiency.  I do think poolproof would be useful.

Well, the problem with "mini-mining" is variance, also known as "luck" and occasionally affectionately referred to as "fuck my life" Smiley

Miners want their payoff to come in stable and predictable intervals (which makes business sense). They want it so much they are ready to pay pool fees in order to ensure that the stochastic nature of mining won't throw them under the proverbial bus.

And they will probably ignore a coin that does not allow for such a service to take place - it massively increases their risks without offering any benefit that a for-profit miner would consider "substantial"

ppcoin seems interesting.  I think I reinvented it or something similar, had another post in draft form, though ppcoin seems complicated at least the way it's explained on the wiki (not sure I fully understood it from a quick skim of the wiki).  Will post my similar idea next.

Adam


Ppcoin is incredibly contrived and opaque - I'm not too fond of it (and also, I have a conflict of interest Wink ) but at least it is kinda trying something new, which is, one has to agree, cool...

Quote
and do nothing whatsoever to exclude the people that some would like excluded.

It would do something about the people we want to exclude, that was my point/intention anyway: there are limits to custom hardware optimization where it becomes just too expensive and you're better off buying or making a faster CPU.  Intel is a target you're chasing at the speed of Moore's law.  Particularly if the algorithm is changing every 6 months in interesting and novel ways.  Imagine someone comes to you with a mountain of money and says build me this custom CPU in 3 months (so there's three months left to start mining).  Maybe you can't do it in time to repay the investment.  Maybe you can't do it in the timeframe with any amount of money.  Even all of it - there are complexity and science limits for hw gurus and chip fab people etc.

You are assuming that the investment must be repaid in terms that you understand.  Maybe someone is rich and just wants to mess with the network.  It seems unwise to make ourselves vulnerable to that sort of thing merely because we wouldn't take advantage of it ourselves.

You can not stop someone who has so-called "disposable money" in the upper millions/lower billions USD and is, as far as you can tell, insane, with just "merely" sound cryptography and better hashrate, unless this hypothetical opponent is obsessed by the idea of taking you down by hashrate alone.

If he can't out-hash you with superior ASICs, he will lobby for BTC to be banned in USA and EU.

If he can't out-lawyer us, he'll directly go after the exchanges.

If that fails, who knows...
...maybe he will buy some BTC and anonymously strongly pseudonymously hire hitmen to go after everyone worth going after in the community, at which point no half-sane dev will touch this code with a ten-foot pole.

"disposable money"  in the upper millions/lower billions USD + batshit insane = IRL Saturday morning cartoon villain.
7  Alternate cryptocurrencies / Altcoin Discussion / Re: LTC on GOX on: April 19, 2013, 08:17:39 PM
GOX recipe for quick wad of pocket cash:

1) receive initial inquiries about LTC on GOX. Ignore them

2) Buy cheap LTC

3) Answer further inquiries regarding LTC on GOX with optimistic non-committal non-answers along the lines of "eventually" and "details will be published at a later date", inducing buy hysteria

4) sell LTC for BTC on other exchanges right into the huge buywave

5) PROFIT!!!

 Grin
8  Bitcoin / Development & Technical Discussion / Re: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt on: April 19, 2013, 03:47:05 PM
Well, distributing the verification "back" would be nice, but it seems to me (from your post and elsewhere) that there are practical issues with that (and little to no impetus for pools AND for-profit miners* to adopt such a technology).

I don't think they are necessarily insurmountable, but yeah, missing data is hard to handle.

Personally, I think adoption / social issues may turn out to be worse than technical ones (though the latter have not been surmounted yet, either).

Your typical pool, and your typical for-profit miners don't give a single rat's ass about decentralization or whatever. They're in it for the money, which isn't necessarily a bad thing, but could easily lead to a kind of "tragedy of the commons" scenario.

If a transaction 20k blocks before the end of chain goes missing, does that invalidate the chain?

I'm not really the Go-To Guy in this regard, but it seems to me that for various "distributed work generation" systems to work, the pool's clients must be kept aware of all the transactions that need to go into the block OR ELSE.



You simply cannot make an algorithm that is, in general, resistant to ASICs.  If a general purpose CPU can do it, then a purpose-built CPU can do it faster.   

While probably true in the general sense and almost certainly true in the "efficiency" ("performance/J") sense, I am not convinced that the difference between ASIC and CPU can not be made to be rather unimpressive by clever algo design. There's clearly not enough work in this area, however.

Also, if you, at the very least, can drive ASIC development and manufacture costs high enough (which isn't impossible), you can render any ASIC operation economically unsound.

P.S.:

If we're talking an economically irrational opponent with virtually unlimited funds, then ASIC resistance, theoretical or otherwise, becomes irrelevant.

Such an opponent would buy up whatever equipment he needs to dominate your chain, be it CPU rigs, ASICs, or goddamn Blue Gene.
9  Bitcoin / Development & Technical Discussion / Re: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt on: April 19, 2013, 01:16:28 PM
Well, distributing the verification "back" would be nice, but it seems to me (from your post and elsewhere) that there are practical issues with that (and little to no impetus for pools AND for-profit miners* to adopt such a technology).

In the end, though, all is better than it could be - we could have had just 3 pools, and we have more. We have ASIC first-mover who is very much into decentralizing mining. I'd say all turns out fairly luckily for BTC.


_______
* as a friend once said about such folks, "mah vidja-cart is shitten teh dollerz". No offense intended to for-profit miners Wink
10  Bitcoin / Development & Technical Discussion / Re: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt on: April 19, 2013, 12:14:33 PM
Well, I don't disagree with the argument that major ASIC-mining players, in all likelihood, will be organizations, not individuals (I do not necessarily agree that the mining organization and the ASIC manufacturer will be the same person, as such an argument would require one to make predictions regarding the future state of a highly unstable market).

However

a) I think that, even if some "hypothetical situation magic" were to make bitcoin strictly GPU-minable, matters would eventually evolve towards organizations and "mining moguls" hogging majority of raw hash power

b) all organizations and individuals doing mining would  flock into pools irrespective of whether we're talking corp-owned ASIC farms or GPU farms or little Joe's garage mining device.

As long as pools are in the picture, the argument regarding "mining decentralization" will remain rather hollow and pedantic, IMHO.
11  Bitcoin / Development & Technical Discussion / Re: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt on: April 19, 2013, 11:55:28 AM
Well, if you don't mind, I will provide a few comments without specific quotes:

1) I do not think that companies producing good ASICs would be incentivized to mine themselves on a reliable basis.
There is a large number of operational costs (and risks) that are specific to the miner but not to the party producing the specialized equipment, so depending on legal, economic, and geographical circumstances it may - and often does - make business sense to produce the boards without actually using them.

This is true for a wide array of specialized equipment manufacture - and I don't think there are enough reasons to believe it won't be true for bitcoin.

2) Empirical evidence suggests that current (GPU and a bit FPGA) mining of Bitcoin is not decentralized.

While there are indeed a cute "gold rush" and "side-business" aspects to "amateur" GPU mining, nowadays a number of circumstances have forced the supermajority of individual miners into "pools" (as correctly noted above), a few of which are accountable for the absolute majority of hashrate in both BTC and LTC nets.

When you account for pooled mining, ASICs become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network

It thus appears to me that, if empirical evidence is to be trusted, ASIC resistance (or lack thereof) will have little to no effect on "decentralization", primarily due to very strong centralization arising  from "pool" infrastructure.

P.S.:
My limited understanding of concepts involved suggests that "poolproof" design is possible, but my limited understanding of miner behavior suggests that it would be woefully unpopular.

P.P.S.:
As far as alt-coins go, I would prefer ppcoin and namecoin over litecoin.

Of course, I have my disagreements with ppcoin design, and namecoin is pretty much dead in the water, but at least those two are trying to significantly innovate, as opposed to doing some very meager PoW-algo jockeying and calling it a day.
12  Alternate cryptocurrencies / Altcoin Discussion / Re: Escrow attack on Proof-of-Stake on: April 19, 2013, 11:15:27 AM
The reason for compensating miners (with fees, subsidy, or anything at all) is that because in a PoW scheme they provide a service that is vital to the entire market.

In a scheme where solving progressively complex cryptopuzzles does not serve to secure the ledger against doublespends and other shenanigans, mining is, frankly speaking, a waste and should have been replaced with a more reasonable initial wealth distribution routine - of which there are many options (including collusion-proof cryptographic lotteries)

In fact, mining provides outright perverse initial wealth distribution in pure PoS because you are essentially rewarding folks for the investment they have made into another, different crypto-currency scheme (by buying BTC mining equipment), an investment that has been likely already paid off via that other scheme.

That's like if Microsoft started paying me money for the fact that I own Google shares Wink
13  Alternate cryptocurrencies / Altcoin Discussion / Re: Escrow attack on Proof-of-Stake on: April 19, 2013, 07:56:08 AM
Thus any large escrow service would be a threat to the network, in addition to large miners.
Yes, they can, but technically it will be suicide for them. Anyway, it's possible to prevent such attacks by implementing another REORGANIZE algo.

why reorganize? it is still harder and extremely expensive to 51% a PoS blockchain, than a PoW only one.

beauty of PoS concept is that the attacker to be successful has to attack himself.

Because clearly, all human creatures are rational (or at least L-rational) and economically motivated.

"man shall not live by bread alone" - said no human, ever  Roll Eyes

Miners don't have a play in double-spending attack, unless they wait and become stake owner. Security comes from proof-of-stake, proof-of-work only provides minting. Please don't confuse ppcoin's design with other proof-of-stake proposals. Our design is the only one that gives full respect to the concept of proof-of-stake and is the only one that actually has an implementation rather than just talks.

So, basically, this entire ppcoin thing is a bit like Solidcoin sans massive egotism and with less retarded pignode implementation?

Why not discard the PoW component altogether, if it has no "say" in choosing which chain is "goodchain" ?

P.S.:
Disclosure - passerby is affectionately fond of hybrid PoW/PoS things, and hybrid things in general Smiley
14  Bitcoin / Development & Technical Discussion / Re: Zerocoin: Anonymous Distributed E-Cash from Bitcoin on: April 16, 2013, 08:52:24 PM
Why not ? Bitcoin is cryptographically interesting, and so is the challenge of "distributed anonymity" - I say prime JH material.
15  Economy / Service Announcements / Re: Wallet.is a service striving to succeed where instawallet has failed on: April 16, 2013, 07:45:29 PM
I kinda like z12's idea, especially since dead man's switch (which is among my fav. features) involves providing a btc address anyway.
16  Bitcoin / Development & Technical Discussion / Re: Zerocoin: Anonymous Distributed E-Cash from Bitcoin on: April 16, 2013, 07:39:43 PM
Quote
2) If your concern is fungibility, then Zerocoin-like systems - not just this particular implementation with massive proofs and pruning issues, but basically any system that requires formation of "fixed-denomination" non-fungible "tokens" with fixed BTC value - would not appear to be acceptable solutions.
Since they outright break fungibility

I think you are confusing fungibility with divisibility.

gmaxwell's points about enhanced fungibility due to strong anonymity are correct ... and are not widely appreciated.

You are correct that fixed-denomination tokens are not as divisible, but this is a simple technical matter of choosing the smallest denomination that makes sense in terms of value. E.g. if we had a system that dealt with strongly anonymous satoshis as the fundamental unit it would be functionally equivalent as a money to bitcoin as it is now.

Ah indeed, my bad - that's what I get for posting w/o caffeine  Grin

However, I do believe that part of my point still stands.

In any system where anonymity is achieved along the lines of
[classic BTC-style TX -> classic BTC-style TX -> "weird" high-anonTX ->  Lips sealed ->  Huh -> classic BTC-style TX]

fungibility may start failing same way it could start  failing in BTC now.

Merchfolk could begin refusing to accept coins which appear directly related to the "weird high-anonTX"
17  Economy / Service Announcements / Re: Wallet.is a service striving to succeed where instawallet has failed on: April 15, 2013, 04:47:32 PM
I think internal transactions should be your priority.

Also, perhaps, make a special non-announcement thread for feature suggestions ?
18  Bitcoin / Development & Technical Discussion / Re: Zerocoin: Anonymous Distributed E-Cash from Bitcoin on: April 15, 2013, 04:45:19 PM
Would it be wise to implement "stronger" anonymity in bitcoin ?
This has been asked before— and I think it's an important question. We shouldn't just assume that any feature is good.

After extensive consideration, I think I can answer this with an emphatic "Yes".  Without good anonymity the fungibility of Bitcoin can be substantially degraded.  The road to fungibility loss is paved with good intentions, but the end result makes Bitcoin less useful as money.   "We're really sure that _this_ bitcoin was stolen" ... "We're quite confident that this person is bad" ...  but if Bitcoin is to be trustworthy you must never have reason to feel that you'll wake up on the wrong side of a kafkaesque heuristic, or that you'll have to fight for what is rightfully yours; even if there is due process, having to defend yourself means you already lost.

I believe that the ultimate social good that comes out of weaker anonymity for Bitcoin like activity is fairly limited: Bad-guys will generally figure out good ways around the lack of transaction anonymity, but still get caught based on their other activities even when transactions are strongly private. The harms from not having good anonymity— the losses of privacy, the danger to fungibility— hurt everyone.

Then there is the question of should it be in the system or outside of it.  If we ignore the implementation cost, I think here again the answer is emphatically that it should be inside the system:  Putting it outside greatly reduces its effectiveness.   But right now implementation costs are non-trivial and so I don't think there is much of a question of including it in the system—  and, if people build it outside of the system: we can't stop them even if we were to agree that it were a bad thing.
 

1) I think that the in vivo experiment known as the Silk Road demonstrates, convincingly, that "properly used Bitcoin" has very strong anonymity.

Yes, it is not perfect, but so far, a motivated and resourceful attacker appears to be unable to "dox" a major, publicly known pseudonymous player.

2) If your concern is fungibility, then Zerocoin-like systems - not just this particular implementation with massive proofs and pruning issues, but basically any system that requires formation of "fixed-denomination" non-fungible "tokens" with fixed BTC value - would not appear to be acceptable solutions, since they outright break fungibility.

Besides, any system that involves special "anonymize me this 1.00 BTC" transaction types could hurt fungibility along the same lines as you describe (a cautious vendor might not accept a coin that is less than N transactions away from an obvious "anonymizing event").

Me?
I think that the problem of "banned coins" is more of a legal and social issue rather than a technological one.
And so far, the bitcoin "ecosystem" has been handling this problem rather well, so perhaps it would be wise to refrain from fixing something that is, from available evidence, not broken.

So far, bitcoin has been choosing its fights fairly well, and gained a modicum of mainstream acceptance, including acceptance by regulatory authorities.

I am not convinced a "100% hardcore anon-coin" could enjoy such (even cash is relatively traceable; one doesn't even have to be a government to track a paper note).

Also, there is the issue of current investors and supporters (miners, merchants, service providers) - many of them may suffer various degrees of inconvenience if bitcoin announces a "full anonymity protocol extension", since that might prompt their local authorities to take a much closer look at their business, which is something they might not entirely appreciate.

I am all for the world having a "full-anon decentralized cryptographic payment system".
But since I think such a system would have a harder time gaining mainstream acceptance, I am not convinced that bitcoin should be this system.
Perhaps bitcoin should stay strongly pseudonymous, to facilitate... how to put it... backwards compatibility with various regulatory bodies? :)

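The "N transactions away from an anonymizing event" rule discussed in this post (and the taint chain sketched in the earlier Zerocoin reply above), worked through on a constructed toy transaction graph. This is an added example, not code from the forum thread; the transaction ids and the graph are made up, and it is here to show how such a vendor rule also rejects coins of honest users downstream, which is the fungibility loss the thread worries about.

```python
from collections import deque

# Constructed toy transaction graph: txid -> parent txids whose outputs it
# spends. All ids are invented for this example.
TX_PARENTS = {
    "coinbase_a": [],
    "coinbase_b": [],
    "mix_1": ["coinbase_a"],            # the "weird" high-anon transaction
    "pay_1": ["mix_1"],                 # spends a mix output directly
    "pay_2": ["pay_1", "coinbase_b"],   # honest merge: one clean, one mixed input
    "pay_3": ["pay_2"],
    "clean_1": ["coinbase_b"],          # never touched the mix
}

def ancestry_distance(txid, flagged, parents=TX_PARENTS):
    """Smallest number of spending hops from txid back to any flagged tx.
    Returns None when no flagged tx is among its ancestors (BFS over inputs)."""
    seen = {txid}
    queue = deque([(txid, 0)])
    while queue:
        cur, dist = queue.popleft()
        if cur in flagged:
            return dist
        for p in parents.get(cur, []):
            if p not in seen:
                seen.add(p)
                queue.append((p, dist + 1))
    return None

def vendor_accepts(txid, flagged, min_hops, parents=TX_PARENTS):
    """The cautious-vendor rule from the post: refuse a coin that is fewer
    than min_hops transactions away from an 'anonymizing event'."""
    d = ancestry_distance(txid, flagged, parents)
    return d is None or d >= min_hops

def collateral_rejections(flagged, min_hops, parents=TX_PARENTS):
    """Non-flagged coins the rule rejects even though they also carry an
    input with no flagged ancestor: the honest users caught by the heuristic."""
    return sorted(
        t for t in parents
        if t not in flagged
        and not vendor_accepts(t, flagged, min_hops, parents)
        and any(ancestry_distance(p, flagged, parents) is None for p in parents[t])
    )

if __name__ == "__main__":
    # pay_2 merged clean coins with a mixed coin and is now refused at N=3
    print(collateral_rejections({"mix_1"}, 3))
```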
19  Bitcoin / Development & Technical Discussion / Re: Zerocoin: Anonymous Distributed E-Cash from Bitcoin on: April 13, 2013, 06:06:07 PM
Okay, first, some specific comments I would like to make about other people's comments:

My point is that it doesn't require a trusted third party.  Yes they seem horribly naive (academics usually are).  A privacy "coin" where the govt has the backdoor key has essentially no utility.  Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money).  Anyone interested in something stronger isn't going to be ok with backdoors.

If I understand correctly, trapdoor params during accumulator setup do not give you the ability to "deanonymize everyone forever" - they do, however, give you the ability to forge as many zerocoins as you care to, which is bad.
However, the paper mentions something called RSA UFO (It's right over my head. Badum-tish) that allows the developer to set up the accumulator without learning the "sensitive numbers" and thus not gaining any kind of anonymity-destroying or coin-forging "superpowers".


My greatest concerns were: 50Kbyte transactions with 0.5 second validation time, stored in a step-2-then-a-miracle-occurs (DHT, presumably an attack resistant one created by unicorns), with a cryptographic accumulator which grows without bound and can't be pruned like the block-chain or compactly zero trust queried like the UTXO can if we add a committed UTXO tree.

Unless I greatly misunderstand, it is not the accumulator per se that is infinitely bloatable, but the "mint" and "spend" records that can't be pruned.
Which kind of sucks, unless some way to prune them without enabling double-spends is found.

As to storage, the article, if I understand correctly, specifies that the z-coin transactions can be stored anywhere, from blockchain to DHT to unicorns.

A bit of speculative commentary (IANAP/IANAC):

The article mentions that Schnorr group parameters can expire, and will have to be reset/regenerated, but states that it's not a problem since "oldtimer" zerocoins can be transformed into fresh ones.

However, I wonder if one could modify the constructs used so that old zerocoins would not be "transformable" into "new" zerocoins upon Schnorr group parameter expiration, with unspent "oldtimer" zerocoins thus becoming essentially lost.

It might reduce convenience / anonymity (since you would have a limited time to spend the zerocoins), but since zerocoin is very explicitly an anonymous transaction system and not a value store, and since the "parameter expiration" can be pretty long in terms of human time and might even be leveraged to actually improve plausible deniability (a script to spend all my zerocoins into bitcoins when expiration is near, as part of the mainline client), it might be acceptable if it allows for pruning the z-coin DB (and why not prune records that are explicitly and irrevocably expired?).

Now, on to a more general (and more controversial :D) topic.

At the risk of getting stoned (and not in a nice way), I would like to bring up a certain question:

Would it be wise to implement "stronger" anonymity in bitcoin?

Bitcoin, as it stands, is strongly pseudonymous.

Under reasonably careful use, it has just enough anonymity to discourage casual peeping toms and minor LEA investigations.
Under very careful use, it can probably protect the user from a considerable investigative effort.
It is, obviously, not "absolute" though.

However, it not being "absolute" lends it properties that make it more backwards-compatible with the existing monetary system, and more palatable to the "average pointy-haired legislator" (and even despite not being all that untraceable, Bitcoin is catching some misguided flak as being a "criminal's currency").

Given that the seemingly apparent aspiration of the project (correct me if I am wrong) is to establish a widely accepted digital "commodity money" that would be free from human monetary policy meddling and forced seizure (kind of like digital gold money), "hardcore no-holds-barred" anonymity might actually be counterproductive in the long term, since it would impede wide-scale merchant and institutional adoption (many investors might choose to steer clear if you start signalling that you are, essentially, trading a "Los Zetas derivative" :) ).

Bitcoin's current condition of being "strongly pseudonymous" and "never forgetting" could be a sweet spot that gives the average and above-average Joe just enough obfuscation to make invading their privacy too costly and time consuming, while still being auditable enough to appeal to mainstream finance and large merchants.

Moving out of this sweet spot in any direction might be woeful.

Also, consider this - many investors who are currently "in BTC" (including people investing in expensive, complicated mining equipment like ASICs) have invested with their risk assessment being based upon an understanding of bitcoin as a "strong pseudonymity, moderate privacy" system.
By radically altering bitcoin's anonymity/privacy profile, one would be voiding those people's assumptions regarding political, legal and regulatory risks and compromising their trust.


========

Disclosure:
I am actually a proponent of "absolutely anonymous" digital transaction mediums as a concept.

I am, however, dubious in regards to whether BTC should strive to become such a medium, given that it already has a notable investment, regulatory, and institutional infrastructure organized around a different set of privacy/anonymity assumptions.


========

Last part, ADHD version:

"Absolute" anonymity may have unforeseen regulatory, social, and financial consequences for "bitcoinomy".

Given that the "bitcoinomy" is doing pretty fine with the current level of "privacy/anonymity", it might be wise to avoid meddling with this property of Bitcoin.
20  Economy / Service Announcements / Re: Wallet.is a service striving to succeed where instawallet has failed on: April 11, 2013, 06:08:27 PM
Well, I guess I will first comment on tvbcof's suggestions a little bit, then offer my own.


The 'killer app' for me was not needing to provide an e-mail addy, SMS, etc, and the lack of a password made that smooth.

Same here.


- A team which is well known and respected (this failed in the case of ~davout though.)

I'd rather look for formal positions confirming competence - then again, I'm pretty sure that Citibank doesn't outsource its operations to 12 year old boys with ADHD, and yet... THIS

- A good understanding of the funding.  Limited hot-wallet with occasional funds exhaustion is preferable to insolvency on failure.  Fees going into an auditable pool to be re-distributed absent failure would lend some credibility.  Or even let the user select their preference on limits.

I think there definitely should be hot wallet and cold wallet, though given how insta-wallets aren't exactly Goxes, the cold wallet might be cold in more than one sense for a rather long time.

- A 'lock out' URL which, if visited, would lock the account.

- A 'recovery token' which could be used to unlock a locked account or prove ownership of a URL

I like this, but I think the added complexity can be sidestepped by having a recovery email and a "lock account" button.

I mean, if I have to write a "de-mothballing token" I might as well just use an email recovery process.

- A 'maximum exceeded warning' mechanism whereby a user could be reminded that the service is for limited funds.

I think just adding a line of text clarifying that this is not a "bitcoin bank" should be enough. After all, "only keep as many bitcoins here as you really need" is rather subjective.
I had, at one point, about 100 btc in Instawallet (long before the whole thing went down in fire, luckily :D), and would have been pretty annoyed if it had started nagging me about the need to take them out.
 

Now, some suggestions of my own.

  • outgoing-fees

People hate ads. People who think they are security-conscious hate ads even more. Also, bitcoinfolk are savvier than your average soccer mom, so a lot of us have adblockers. Thus, ads won't work for paying your bills, roalwe.

Fees might.

I, however, hate the ever loving hell out of "storage" fees (guys, I trust your little wallet shop with my coins, and you repay my trust and loyalty by charging me? Yes, easywallet.org, I am looking at you :D ).

  • free internal transactions

You should introduce a mechanism by which one "vault" (in your terminology) can send BTC to another "vault" without actually going through the BTC network, and such transactions would be free.
This would require the account to have a secondary identifier that can be shared freely... I don't know, like an email. Or something.

It should NOT be related to anything that can be used for vault auth (URL, password, etc).

Ideally, I should be able to attach notes (like, "thx 4 all Z drugz - kissz, lawl nF0rc3r" ;) ) to internal payments.

  • Recovery email

If I bother to set up a password, I might also bother enough to set up a recovery email.

  • Dead man's switch

Yeah, easywallet has it. So what? It's damn cool, and I think every wallet should have it. Not like it's rocket science or a huge server load.

  • QR codes

Personally, I think they aren't all that useful, but ladies like them ;) or something.

That's all for now.