|
I'm amazed this thread was started over 8 months ago! I am glad to see Gavin forging ahead, and I hope the other CoreDevs eventually come around and will lend their support to the chain with larger blocks. They may not ever agree it was the best strategic move, but Bitcoin has many other fronts that need work and development, and their extensive knowledge of crypto-systems will be needed moving forward. I think the "keep-it-small" group is correct, in a very technical sense. But Bitcoin is more than just technology, it is also a political movement that needs broad support to reach is maximum effect, and I think that Gavin is more savvy, by far, to that side of things than most of the other devs. Bitcoin does not necessarily need to be designed to withstand large-scale government-style attack. It could be designed so, and that threat of 'could' alone is a powerful deterrent. Yes, we have the technology to hide a blocks in tor, with everything encrypted and miners are in secret locations, etc, etc, etc. But the more widely Bitcoin moves into the main stream, the less such techniques will be required. Even proof-of-work mining may be altered. It is a means to a secure system, not an end. If more efficient ways of having a secure system are devised, perhaps the amount energy used to secure the chain can be safely reduced.
Bitcoin is not secure in the abstract, it is secure against certain threats from certain directions. As the threat model changes, the security engineering of Bitcoin can, and should, change as well. Reaching 'mass adoption' quickly is, I believe, a valid way of making Bitcoin more secure. Not via a 'technical' approach, but through a 'social' one.
|
|
|
|
Unfortunately the wallet silently fails, so you lose any privacy benefits if it can not connect.
I think connecting to a Tor hidden node makes more sense for now, since it's already authenticated and encrypted. The wallet currently doesn't connect to those though.
If he's running the default version of Android Wallet then it would still hve the bloom filter to protect privacy to some extent (at the cost of bandwitdh, obviously). CubicEarth, did you end up setting this up? Not yet. I (mostly) give up being a computer nerd in the summer time. I fight forest fires in the wilderness, often sleeping in a tent for weeks on end, and occasionally flying around mountain ranges in a helicopter. At some point, perhaps in a few months, I will try to connect the pieces as described, and I will report my findings in this thread. |
|
|
|
Out of curiosity, why do you want to do this? Why can't you use a same wallet?
Using multiple implementations to secure funds would reduce the required trust the user would place in one set of developers. Malice and incompetence on the part of the developers are both risks in wallet implementations, as would be some kind of MITM attack where an adulterated version is downloaded. It currently takes a very careful user to properly handle bitcoin security, so I don't recommend to friends and family that they store any significant value on their own. If I could tell them to download Electrum on their laptop, Armory on the old computer in the closet, and put Breadwallet on their iPhone, and chose a 2-of-3 or 3-or-3 setup, IMO that would be very hard to compromise. |
|
|
|
|
Multisig wallets have come a long way, but for the ultimate in usable security, it will be important to have a 2 of 3 (or 3 of 4) setup with different devices, each running different brands of wallet software. Every mulitsig implementation that I know about only works with wallets from the same developers. Does anyone know of different wallets that can multisig with each other? And is there any sort of interoperability protocol that has been proposed or published?
Thanks!
|
|
|
|
|
Interesting. Thanks for the replies. I've got something to test out and look into more deeply.
TierNolan elucidated my concerns quite well. It seems like one shortcoming of an AndroidWallet / BitcoinCore pairing is the channel between them is unencrypted. I guess you could set up a VPN link from phone to home, but that would be cumbersome.
I'm guessing Android Wallet uses some sort of bloom filter to protect privacy, under that likely assumption that the user is connecting to untrusted nodes. If the Wallet was connected only to the users own full node, I would think only the relevant transaction data would need to be transmitted. Superfluous data, sent to hide the true signal in a sea of noise, would be unnecessary.
|
|
|
|
|
Running a full node on a phone seems like it will never make sense. SPV clients are convenient, but there are several unfortunate security and privacy tradeoffs.
It seems like it would relatively straightforward to run full node at home that was setup as a personal SPV server. Your phone could pair with the server and all everything between the two would be encrypted. Friends and family could link to it as well.
Does anyone know of any projects along these lines? In addition to boosting the security and privacy on the SPV side, it would give users a very good reason to run full node, which would help the network as a whole.
|
|
|
|
20MB will not centralise nodes and blocks.
Agreed. 20MB blocks will add to centralization pressures, but I doubt to a meaningful extent. And those pressures, however slight or strong they may be, will be slowly defused by exponential advances in CPU, storage, and bandwidth technologies. After a few years, the network will have regained it's current equilibrium. |
|
|
|
ranlo - check out this thread - "Faster blocks vs bigger blocks" @ https://bitcointalk.org/index.php?topic=673415.msg7626485#msg7626485 if you haven't already. In my OP there is a link to yet another discussion on this topic. I still think moving to 5 minutes would be a safe improvement, but the counter argument seems to be that making a faster block interval is not the most efficient way to achieve quick transaction confidence. By 'efficient' I mean from a human-resource point of view, that any fork takes lots of person-hours in code changes, review, and political discussion. Although perhaps, as you have suggested, if it was done as part of the attempt to increase the networks base capacity, it would be easier to pull off. I think I remember Gavin mentioning that the easiest time to pull off such a change would be at a block reward having, which is coming up in just about a year. The timing could line up nicely! |
|
|
|
|
Thank you, everyone and anyone who has worked so hard to release this latest version. This is the most cutting edge, important piece of software in the world today, bar none, and it is an honor and pleasure to run my very own full node.
FYI - I did a clean install of 10.0 rc2 on my 2013 MacBook Air. With 20Mbps connection it fully synced in 12 hours. I hadn't set up the port forwarding, so that was with only 8 inbound connections.
|
|
|
|
|
The entire chain synced from scratch in 12 hours on my 2013 MacBook Air! Great work!
I have a 50 Mbps connection, though with my os firewall enabled, I was only connected to 8 peers.
|
|
|
|
Fake data is just some real data padded and then encrypted. There is no way to distinguish the two apart without the decryption keys. The fake data is simply generated by the sender, and then discarded on the receiving end.
This reminds me of mp3's. Music used to be encoded as constant bit rate (CBR), now there are more variable bit rate (VBR) files. We are simply going backwards with the technology.
If you have a node that is receiving the data then you know what is fake (because you disregard it) and what is real (because you continue to relay it) Excellent point. Unfortunately. |
|
|
|
This reminds me of mp3's. Music used to be encoded as constant bit rate (CBR), now there are more variable bit rate (VBR) files. We are simply going backwards with the technology.
Exactly. I hesitate to make a statement with two absolutes, but I'll go out on a limb: the concept is literally the opposite of compression. A constant stream would even be resistant to the active attack Theymos described. In the context of TOR, imagine all nodes doing their best to keep a constant 1Mbps of data flowing between peers in both directions. Then imagine big brother decides to modulate your home internet connection in some way in hopes of tracing and/or confirming an effect somewhere else. The constant flow of data would cause the modulation to be 100% damped upon reaching the first node, resulting in a downstream signal to noise ratio of zero. |
|
|
|
While think kind of countermeasure could potentially work, I would think that an adversary would eventually be able to figure out what is fake data and what is "real" traffic and be able to strip out the fake data from their analysis. IMO the only real way to prevent timing attacks is to have a large amount of "real" traffic flowing to your site on a regular basis
If the cryptography is properly implemented, "real data" should appear identical to "junk data". The trick would be merging and alternating between them in a seamless way. |
|
|
|
The main problem with I2P and Tor is that they only try to protect you against mostly-passive attackers who have absolutely no idea of where you might actually be on the Internet. The Tor threat model says (and this is also true of I2P): By observing both ends, passive attackers can confirm a suspicion that Alice is talking to Bob if the timing and volume patterns of the traffic on the connection are distinct enough; active attackers can induce timing signatures on the traffic to force distinct patterns. Rather than focusing on these traffic confirmation attacks, we aim to prevent traffic analysis attacks, where the adversary uses traffic patterns to learn which points in the network he should attack. But attackers looking for the real IP of a target hidden service can significantly narrow the set of possible targets by enumerating all active Tor/I2P users (using widespread traffic analysis or by having a lot of nodes on the network), and then they can further narrow it by doing intersection attacks. Once they've narrowed it down to a few hundred possibilities, they can try timing attacks against each one to get solid proof that they're the target. (I wonder if the hidden services that were not taken down in the recent bust have anything in common. Are they in a particular country that's unfriendly to NSA demands? Do they use a fixed set of trusted entry guards? Probably we won't find out, unfortunately.) I just don't think that low-latency client<->server networks can be secure. What we need are distributed data stores like Freenet so that the originator/owner of content doesn't need to always be online and moreover has plausible deniability even if they are under active surveillance. However, I really doubt that any existing anonymous data store could actually stand up to targeted traffic analysis of the content originator. Freenet seems to be put together in an especially haphazard way, without much theoretical basis for its claimed anonymity. I like a lot of what I've read about GNUnet. I think that a good path forward for anonymous networks would be: - Make the GNUnet software user-friendly. - Create message board and Web functionality (like FProxy) on top of GNUnet. - Make GNUnet work over I2P. - Increase the popularity of GNUnet+I2P so that attackers can't just do traffic analysis of every single user. There's an solution to traffic pattern attacks - it's just really expensive. They way you solve traffic pattern analysis is to make your protocol consume a constant amount of bandwidth all the time, regardless of whether anything is actually going on or not. I've been waiting to see 'constant bandwidth' solutions for quite some time. It would help the anonymity networks. The technique could also be applied to something like VoIP. It would consume lots of bandwidth but not necessarily and unreasonable or unworkable amount. Further, 24/7 availability could be given up in favor of some window of time, maybe one hour per day, where the constant bandwidth would be applied. It would be up to the user to take advantage of that time window. Command and control instructions, and text, take up very little bandwidth, so at least those kind of activities should only take a small bit of fake data to effectively pad the timing. |
|
|
|
Suppose all the miners form a cartel. They will have no problem funding themselves; they can all agree not to include any tx that doesn't pay high fees. The users would pay this fee because they have no other choice.
Some users will try to pay a fee lower than the cartel's threshold. One miner decides to defect from the cartel; he includes in his block all these low-fee transactions. This costs him nothing, so this is a net profit for him (he benefits).
Seeing this, users will know that even if they don't pay the cartel's high fees, they can still get their tx included eventually. Thus, their willingness to pay high fees is lower (that is, the miner consumed their willingness). Thus, more users will try to pay low fees, and the total revenue of all miners decreases.
But it's not just the one miner. Every miner will, individually, have an incentive to include low-fee txs. This means that even with a low fee, it's easy to get a tx to the block. Thus, no user will want to pay high fees, and the total revenue of miners will be low (this is the tragedy - for the miners, and due to the effect on network health, for all Bitcoin users).
This is completely analogous to the classical instance of tragedy of the commons, where all herders would benefit if they all grazed just their fair share, but everyone is incentivized to defect and overgraze, depleting the resource and causing everyone to suffer.
As long as the cartel has more than 50% of the hash power, it can dictate the terms and ensure any blocks not conforming to the cartel's fee policy would be orphaned. A cartel operating in such a fashion can prevent the tragedy of the commons you describe. I prefer to think of it as a race-to-the-bottom issue, with the bottom being inadequate network security. Realistically I would expect the 'willing' participants in the cartel to have somewhere between 70% and 90% of the hash power. The remaining fraction of hash power would also contribute hashing to the cartel because it would NOT be in their best interest to have their blocks constantly orphaned. Those miners might not like the cartel policies, but they would have little choice. I wrote about this concept extensively in my earlier posts on this same thread. |
|
|
|
I registered to come and ask the same question  I stumbled upon Bitcoin around 4 months ago and only now finding this forum! Welcome! That is a great reminder: there are literally billions of people who still know nothing of bitcoin. Voidful: Do you have any bitcoin... any at all? |
|
|
|
|
Yes, I did misunderstand. I though you were advocating for a network imposed limit, but I see better now what you are thinking. You are describing 100% thermodynamic efficiency, right? It think that is theoretically impossible to attain, but it is widely expected that as the rate of efficiency improvement in SHA256 hashing slows down, mining costs will come to be dominated by operational expenditures (electricity). Currently capital expenditures (buying more efficient ASIC's) are still the major factor.
The importance of cheap electricity will become ever more important as hashing tech matures.
|
|
|
|
Most of the conversation seems to have been about ensuring sufficient transaction fees are paid to miners. But what about the verifiers? Currently, all tx validation is done by volunteers. I think Satoshi initially intended for validators to double as miners, but in a world where the two are largely mutually distinct, how do we support the verifiers? And if we can't, isn't the network doomed anyway?
It is in users' self interest to validate. If you don't want to run your own full node, there are plenty of companies that will do the validation for you and charge you a fee. One reason to have a block-size limit is to make sure it always stays reasonable for a hobbyist, with a relatively modest expenditure or resources, to perform full validation at home. So I would say no, the network is not doomed in the absence of financial support for nodes. Related to this is something I have not seen considered: an upper limit on hash speed per device.
No one has seriously considered it because the concept is a non-starter. Even if you could devise some way to enforce the rule on a per-device basis, there is no known and accepted way to stop a single entity from controlling multiple devices. People would figure out a way to control multiple hashing devices, and in such case your idea would introduce only added complexity and possible attack vectors and, I think, nothing positive. |
|
|
|
And from this, we derive how we should fund this cost using tx fees. We want to keep tx fees artificially high, so that the total cost of mining is high, so that the network is secure.
How do you imagine you will be able to keep transaction fees artificially high? The word artificial is tricky. It can mean insincere, false and fake in one set of more negative meanings. It can also mean made by people, as with an artificial lake. That is not a negative concept; I love artificial light when I trying to read at night. In this instance we seem to be talking about how to avoid a race to the bottom at the expense of network security, with the race to the bottom being a 'natural' economic concept. Thus, avoiding such a 'natural' outcome would entail the use of some 'artificial' constraints. I can imagine a lot of possible futures, from big merchants and exchanges investing in mining to save themselves on transaction fees and ensure that their transactions are confirmed securely, to assurance contracts, to a cartel of miners regulated and funded and licensed as a global public utility.
I hope that last one doesn't happen...
There could be a cartel of miners that wasn't regulated, licensed, or funded by governments. Bitcoin has no monopoly on blockchain technology. Competing chains have and will continue to place competitive pressure on the Bitcoin system. Keeping that in mind, I see no problem with Bitcoin miners organizing to decide what security level they want to provide, and how much that security will cost. Offer too little security and people might prefer to use some other system they perceive as safer. Charge to much and people will use a cheaper system. I think a group of people, analyzing risks and making active judgements, will do a better job striking a good security balance than some fixed algorithm. That group of people would be some form of miner association, or cartel, or decentralized company, or whatever you want to call it. It could have many possible forms. If you are worried about this group abusing their power, let me recall my first point, that Bitcoin does not have a monopoly on this technology. Miners do have the network effect, as described by Metcalfe's law, working in their favor. A mining cartel would be able to extract some additional profit thanks to the barrier cost of forking bitcoin, or switching to an alt coin. But if the Bitcoin miners are too far off the optimum mix, alternatives will fill the gap. A cartel would also be able to solve the free rider problem, as it would stop a race to bottom. Minimum fees would be established so that network security would remain adequately funded. I view this thread as discussion on the merits of whether proof-of-work alone is going to give us the network we want, or if we need some additional parameters to have PoW function as desired. The follow is a short list of some pro’s and con’s for PoW that I could think of. I am interested to know if there is agreement on these. Also, the lists are not complete, so please add! PoW - Advantages •A very fair method for initial distribution •No risk that critical signing keys will be stolen since the system is not based on such keys •Easy for any person in the world to verify that a particular transaction has been vouched for by a massive, and calculable, quantity of electricity and computational power. •Absolute certainty that the work done was committed to a single version of history •Some built-in degree of global geographic distribution since the cheapest power is globally distributed. Why? The cheapest power is going to be interruptible, surplus power, and there is a finite quantity at every generation station. •Some degree of local distribution do to heat buildup, possible uses for waste heat, and the square-cube law •Can be physically trackable to the extent that a visitable number of major data centers, together, perform a majority of the hashing. This can be a benefit once world at large accepts Bitcoin as a ‘good thing’ to be supported and encouraged. In the Bitcoin-at-war scenario, which is currently still a possibility, identifiable physical locations are a weakness. PoW - Disadvantages •Expensive (yet this is inextricably tied to the cost to attack, which is a benefit. Paradoxical!) •Potential for a government to carry out a massive ASIC mega-farm attack (economically and politically unlikely, but absolutely possible. 1% chance?) •SHA256 almost certainly will be broken at some point. Not really a problem as long as a viable transition process happens first. |
|
|
|
the P2P node network could configure itself as a giant parallel processor,
This cannot be done with the design of Bitcoin today. I've previously (incompletely) sketched out what would be required, but we're a fair ways away from that. And so far there has been virtually no interest in moving things in a direction to support things like that inside Bitcoin. With the rest of your post you seem to be describing a closed cartel system for mining-- if we have that, why not dispense with the mining, trust it to keep the ledger... (and call it paypal?). Centralized systems are much more efficient and easier to make reliable. I think Bitcoin's (unique) value derives almost exclusively from not being centralized. I agree. I meant a P2P network could be designed in such a way. I didn’t mean to imply that the current software could somehow reconfigure itself, or only need slight modifications to perform in such a way. With the rest of your post you seem to be describing a closed cartel system for mining-- if we have that, why not dispense with the mining, trust it to keep the ledger... (and call it paypal?). Centralized systems are much more efficient and easier to make reliable. I think Bitcoin's (unique) value derives almost exclusively from not being centralized.
I have a slightly different take on the roots of bitcoin’s value proposition, where decentralization is actually the means and not the ends. I see Bitcoin’s true fundamental traits including: irreversible transactions, a predictable money supply, and no requirement to supply personal identity information to use the network. Open access to any entity willing to pay the fees, as well as a fully transparent ledger are also important. I accept that a decentralized network may be - practically speaking - the only way to currently meet those goals on a global scale. Otherwise untrustworthy and primitive governments would interfere with Bitcoin if they could. Lets imagine, in some fantasy world, that we could trust governments to always follow though on their promises and commitments. Let us further imagine the U.S. Government committed to running a bitcoin-like network, one that espoused all the principles listed above. If it was run with integrity and transparency, I doubt there would be the anything like the kind of grass-roots support Bitcoin has thus far enjoyed. Bitcoin would be a solution in search of a problem. It would still be a great solution to the Byzantine General’s problem, but it’s application as money system would be a minimal improvement over the centralized Bitcoin look-a-like. I see Bitcoin as an expression of people’s desire to be part of a money system that has those certain traits. We should fervently guard decentralization in general as it is currently the best way to achieve those traits in a world that is seemingly hostile to those principles. Bitcoin has proved an important point, mainly that such a system can exist, and in doing so has challenged countless peoples’ assumptions about money, information, and control. I am suggesting that such a demonstration of what is possible can permanently change peoples perspectives, and maybe in the future a bitcoin-like system, likely even Bitcoin itself, will have widespread support of people and governments the world over. When the world becomes friendlier to the underlying concepts, I think some sets of design tradeoffs could be re-evaluated. Miners are already organized to an extent, the collaborative product being the blockchain. A cartel would represent a greater degree of organization. It is truly unstoppable phenomenon, as miners are free to associate and make agreements just like anyone else. Most of us don’t live in fear of a 51% attack because we know it would not be in the miners’ self interest. For exactly the same set of reasons I don’t worry about the actions of a miner cartel. I assume they would use their power to uphold the traits that made Bitcoin valuable to begin with. A well organized association of miners would actually be able to add additional value to the network, and that is why I see it as inevitable. Guaranteeing unconfirmed transactions by actively rejecting any double-spend would be one way of adding value. Such an association would also provide a convenient framework for implementing some version of Thaddeus Dryja’s proof-of-idle concept. I would expect the association to be welcoming of any hash power that wanted to join. Paypal, as a totally centralized service, could not look anything like Bitcoin even if they wanted to. Governments would not allow it. A global association of miners could and would be set up in a way to make government orders unenforceable. The mining cartel would have a global monopoly on SHA256 hashing power, but thanks to proof-of-stake and other block signing systems, there are viable alternatives to SHA256 proof-of-work. PoS has issues, and I remain big fan of PoW, but PoS would easily be better than centralized and exclusive PoW that did not uphold the core principles this community cares so much about. I believe miners know this today and will not forget it in the future. Hashing power allows miners to provide a great security service to the world in the form of PoW, but as a tool of oppression, it would be utterly impotent. The P2P network of full nodes will still have role to play, but it will primarily be in auditing the miners. Miners have an economic interest in maintaining an audit-able network, since openness itself is a primary feature of bitcoin. As Gavin suggested, nodes could cooperate in auditing the blockchain.
In that case, the miners' cartel back-bone would have an incentive to delay publishing full blocks for auditing. Only if they were being shortsighted would they confuse the incentives. The miners should realized the network (and their mined BTC) would have maximum value if it remained easy to audit and make every effort to keep it that way. A third audit function of the P2P node network would be as a channel for a wrongly excluded miner to submit a valid block. A bedrock principle we should expect the mining backbone to adhere to would be to be welcoming and inclusive of any hashpower. The P2P network could be configured to accept and verify any allegations that the mining backbone was engaging is exclusive activity.
How would merchants and users respond if a block was excluded? In theory, they could blacklist one of the backbone's blocks, but that seems excessive. Cancelling tx fees would be possible, but would likely just encourage fees to be moved off-chain. I don’t know exactly, but it would in essence be a political crisis for the network. I would imagine it would cause a fissure within the mining collective. A steadfast policy of inclusiveness would result in more work being done on the chain than if some hash power was excluded. I expect inclusiveness to be the policy of the collective, and it would be a problem if there was proof the policy was not being followed. The ultimate power the Bitcoin community would have would be to fork and move away from SHA256 proof of work if the miners were abusing their position. |
|
|
|
|
Show Posts
