Bitcoin Forum
Author Topic: This message was too old and has been purged  (Read 12632 times)

TheDR (Full Member, Activity: 124, Merit: 100)
February 26, 2016, 07:10:37 AM, #101

No, I am no expert in quantum-safe cryptography, but I found in a quick search several approaches to that. I have a more pressing concern though: the crowdsale page is showing only 3.32 BTC spent?? Glitch or major redemptions?

Dazza (Newbie, Activity: 56, Merit: 0)
February 26, 2016, 07:14:48 AM, #102

If S is a string which remains constant over multiple iterations of the PoW function then yes, you can do the state-reusing attack (already used in bitcoin mining and termed the "mid-state").
But if we assume S to be a mix of the previous block and the input to the current PoW function, and the different Ci being the different buffers that result from this particular input, we should be fine going with either SHA-256(S.Ci) or SHA-256(Ci.S) ... or am I missing something?

Yes, the attack I described later in the post.  S is the buffer, which the attacker can keep constant.

Quote
Regarding the proof,  SHA-256(Ci.S) has the same complexity as SHA-256(S). If Ci has constant length this should be "almost" equivalent to a pure SHA-256(S) with a starting-state that is different (and influenced by Ci).

You seem to be confusing SHA-256 the algorithm, with SHA-256 the function.  There are an infinite number of algorithms which compute SHA-256 the function, but we assume none are supra-linear because if such existed, collisions could be produced.

Consider the following generalisation of the "mid-state" optimisation.  Let T be a string of length (s + c).  Suppose s bits of T are fixed, while c of them vary randomly.  These c bits must be in well-defined (i.e., computable) positions within T.  You lose nothing if you assume they are all a fixed distance from either the beginning or the end of the string.  The idea is that we find a function f(T) which reads only the fixed bits of T and produces some fixed-length output, and another function g(T, f(T)) which reads only the randomly varying bits of T, as well as the output of f.  Finally suppose g(T, f(T)) = SHA-256(T) for all T.

If such f and g exist, then g is particularly well-behaved.  The number of bits in its input that it actually reads does not depend upon s, so a machine with random access to memory will have an algorithm to compute it whose running time is O(1).  A look-up table would work.  The complexity of f will be at least O(s).

If we can find algorithms to compute f and g, then we compute f once, (It may take a long time), and g (which is quick) over and over, so to be provably secure, we need to prove one of the following statements:

1.  No such f and g exist.
2.  f is not computable.
3.  No feasible algorithm for f exists
4.  It is not feasible to find a feasible algorithm for f.

Can you prove any of these things?  I can't.

Having said all that, this is of purely theoretical interest.  An attacker does not need the additional speedup that this construction would give him.  "My scheme" is dead already from the attacks I have already described.

TheDR (Full Member, Activity: 124, Merit: 100)
February 26, 2016, 07:27:19 AM, #103

It now shows my donations as zero BTC spent and negative 5400-something coins; it had positive 14000 when it showed my contribution. I want to see this worked out, but does anybody that knows what is up want to explain?
EK, thanks for the response. I will stand by for an update.

TheDR (Full Member, Activity: 124, Merit: 100)
February 26, 2016, 07:42:09 AM, #104

Cool. It is back to showing my balance properly. I expect this project will get on a better footing in time. We all know this was rolled out poorly, but it can be salvaged.

Cryptorials (Hero Member, Activity: 690, Merit: 505, Cryptorials.io)
February 26, 2016, 07:45:22 AM, #105

By strange coincidence, two subdiscussions have merged.

I've been reading this paper on DAGs, which contains a useful section on the threat posed by QC.

I don't really understand a lot of what you're saying, but I must have been right about it being a DAG that Iota uses because I've also seen it described as a 'tangle'.

I definitely don't think ELC should use their technology wholesale, not least because they have no real PoW, or PoS or anything. Instead, and I'm not really a reliable source so I hope I'm right on this, each node is equal and must only perform a very small amount of PoW in order to submit a transaction.

The reason I mention it is because it was said that a possible solution of FAA is for it not to matter who is fastest. In Iota I think instead of having 1 person win the right to build the next block, and to have them do so by building on the longest chain, the network is able to store multiple possible chains and have multiple participants (in their case any node on network) select what they think is the best chain.

Although the Iota guy definitely knows what he is talking about, I also think that not everyone who knows what they are talking about agrees that this is a safe way to build a cryptocurrency network. In our case, however, I was just wondering if this shows a general principle by which miners could win the right to participate in consensus and be rewarded for it without it making any difference how fast they perform the work, but instead just worry about finding a way to check how much work they have done. Perhaps a miner becomes a masternode of some kind, able to take any transaction and confirm it as long as they have performed over a threshold level of PoW since the last time they did so.


Cryptorials (Hero Member, Activity: 690, Merit: 505, Cryptorials.io)
February 26, 2016, 08:02:37 AM, #106

Btw there is an interesting discussion on alternatives to the bitcoin blockchain approach, which includes some discussion of DAGs, here: https://bitcointalk.org/index.php?topic=1319681.0


haggis (Hero Member, Activity: 984, Merit: 1000)
February 26, 2016, 10:05:26 AM, #107

Seems like my question was overlooked:

Maybe stupid question: I sent BTC from my Electrum wallet. What do I need to claim the ELC later? Is the seed enough?
When I export private keys I get numerous BTC addresses with their corresponding private key. Will I need them?

haggis (Hero Member, Activity: 984, Merit: 1000)
February 26, 2016, 12:20:10 PM, #108

Seems like my question was overlooked:

Maybe stupid question: I sent BTC from my Electrum wallet. What do I need to claim the ELC later? Is the seed enough?
When I export private keys I get numerous BTC addresses with their corresponding private key. Will I need them?

Go to Menu -> Private Keys -> Export,
Check your donation transaction and see which was the address of the first input that the funds came from,
find that address in the exported list and you are good to go. :)
Great, thanks! :)

TheDR (Full Member, Activity: 124, Merit: 100)
February 26, 2016, 03:34:50 PM, #109

I like the idea of an alternative to blockchain. The only example I know of is the safenetwork. In that case it really will be advantageous. If I were directing this ship, I would use this coming network along with others as a platform to develop all the characteristics we want for our coin: a Temporal Instant Market Exchange built in to manage multiple computing-resource-backed coins, effectively making elastic coin the glue for different currencies focused on different aspects of computing. In this case most of the development is done already.

Evil-Knievel (OP) (Legendary, Activity: 1260, Merit: 1168)
February 26, 2016, 04:51:29 PM, #110
Last edit: April 19, 2016, 12:32:34 PM by Evil-Knievel

This message was too old and has been purged

Cryptorials (Hero Member, Activity: 690, Merit: 505, Cryptorials.io)
February 26, 2016, 05:17:49 PM, #111

Random idea that I got on the way home.
What about this scheme:

1. PoW functions are submitted to the network and stay in a "pool" until their "gas" has been entirely used.

2. There are two types of transactions: the send-ELC transaction and the submit-work transaction.
The latter is used by the "miners" to submit their proof-of-works and their bounty-solvings.
The submit-work transactions in this context spend the "gas" to the miner's address and at the same time provide the PoW proof which is verified as part of the transaction verification.
Proof of work is measured in the same way as discussed: With the FAA attackable SHA256 scheme. However, in this context it makes no sense for the attacker to mine his own blocks and so earn his own money.
(Merkle-trees would allow that we can prune old transactions later to save disk space)

3. This is not a consensus yet. We still need to define when a "block" is found and the chance to find it must be proportional to the work that has been done so far (so, to the number of submit-work transactions)
Here, I suggest using a "proof of stake" scheme which goes like this (and that is the trick here): The likelihood of finding a block does not increase with the ELC one holds (as in a traditional proof of stake) but with the number of submit-work transactions one has contributed to the current block.

Not saying that every detail is perfect here,
but two attacks are avoided here on the first sight:

- Block-withholding attacks are dangerous
- Having 51% of the calculation power will also only get you ~51% of the blocks solved (here, FAA might be harder to pull off)
- FAA is still here, I'm not sure how big its impact is. It is way lower than in the traditional design I think.



Not saying this is the way to go, just sharing random thoughts so someone might pick them up and come up with something even better.

Well, I like it. It seems to go in a similar direction to the one I was trying to go in when I was talking about the DAG model, with having PoW earn you the right to participate in consensus but breaking the automatic link between solving one specific piece of work the fastest and mining that specific block as a result, but your method does it in a much cleaner and more reliable way.


Evil-Knievel (OP) (Legendary, Activity: 1260, Merit: 1168)
February 26, 2016, 05:20:59 PM, #112
Last edit: April 19, 2016, 12:32:26 PM by Evil-Knievel

This message was too old and has been purged

Cryptorials (Hero Member, Activity: 690, Merit: 505, Cryptorials.io)
February 26, 2016, 05:37:19 PM, #113

To be honest, your DAG model inspired me ;-)
But something is still missing here I think, it does not yet feel 100% rock-solid. Maybe we figure it out.

Glad I could be of some use :D

I'll be interested to see what Dazza makes of doing it this way.


SISAR (Hero Member, Activity: 651, Merit: 518)
February 26, 2016, 05:45:02 PM, #114

It might be a good investment of time to check the Mini-Blockchain scheme which Cryptonite is using. It offers superb syncing from scratch (under 20 minutes to fully sync with a few years of data) and a much lighter blockchain, because all transactions where a previously unspent input was spent are discarded after a while (I think it is one week); it is not keeping all transactions on the blockchain.

https://bitcointalk.org/index.php?topic=713538.0

Dazza (Newbie, Activity: 56, Merit: 0)
February 26, 2016, 11:17:40 PM, #115

Cryptonite looks good.

This is interesting though I don't see how it can help merchants.  The very limits that prevent an account from being emptied too fast will prevent it from paying the merchant.

What I can see it being useful for is account security.  Suppose the user has generated a key, call it the primary key.  The user uses it to sign a secondary key.  The user can then store the primary key in a safe place offline, and use the secondary key to authorise spends and to set, or lower, a spending limit.  Only the primary key can be used to remove or raise a spending limit, or to revoke a secondary key.  (Edit: a secondary key could be used to revoke itself.)  This way, if the secondary key is compromised the true owner can regain control of the account before the attacker has time to loot it entirely.

This could also be a way for someone to use an online wallet without entirely handing over the keys to the kingdom.
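The primary/secondary key policy from the post above, as an added example that is not code from the thread or from any ELC implementation: a small Python authorisation engine in which the primary key enrols a secondary, the secondary may spend within a limit, set or lower that limit and revoke itself, and only the primary may raise or remove a limit or revoke a secondary. The 24-hour sliding window, the `Key`/`Account` names and the HMAC stand-in for a public-key signature are this example's assumptions; replay protection (a per-key sequence number) is left out to keep the policy visible.

```python
import hashlib
import hmac
import json
import os

# Stand-in for a digital signature: HMAC-SHA256 under a per-key secret.  A real deployment
# would use a public-key scheme so verifiers hold no secrets; the point here is the policy.
class Key:
    def __init__(self, name):
        self.name = name
        self._secret = os.urandom(32)

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(msg), sig)


WINDOW = 24 * 3600  # assumed: a limit caps the total accepted spend per sliding 24h window


def canonical(req: dict) -> bytes:
    return json.dumps(req, sort_keys=True, separators=(",", ":")).encode()


class Account:
    def __init__(self, primary: Key, balance: int):
        self.primary = primary
        self.balance = balance
        self.secondaries = {}  # name -> {"key", "cert", "limit", "revoked", "spends"}

    def enrol_secondary(self, key: Key, limit):
        # The primary signs the secondary's identity; that certificate is checked on every use.
        cert = self.primary.sign(b"cert:" + key.name.encode())
        self.secondaries[key.name] = {"key": key, "cert": cert, "limit": limit,
                                      "revoked": False, "spends": []}

    def _spent_recently(self, entry, now):
        return sum(amt for t, amt in entry["spends"] if now - t < WINDOW)

    def apply(self, req: dict, sig: bytes, now: int) -> bool:
        """req = {"key": name, "op": spend|set_limit|revoke, "amount"/"limit"/"target": ...}."""
        msg = canonical(req)
        who = req["key"]
        if who == self.primary.name:
            return self.primary.verify(msg, sig) and self._primary_op(req)
        entry = self.secondaries.get(who)
        if entry is None or entry["revoked"]:
            return False
        if not self.primary.verify(b"cert:" + who.encode(), entry["cert"]):
            return False  # not a secondary the primary ever signed in
        if not entry["key"].verify(msg, sig):
            return False  # request not signed by that secondary
        return self._secondary_op(entry, req, now)

    def _primary_op(self, req):
        op = req["op"]
        if op == "spend":
            return self._debit(req["amount"])
        if op == "set_limit":  # primary may set, raise, lower or remove (None) any limit
            self.secondaries[req["target"]]["limit"] = req["limit"]
            return True
        if op == "revoke":
            self.secondaries[req["target"]]["revoked"] = True
            return True
        return False

    def _secondary_op(self, entry, req, now):
        op = req["op"]
        if op == "spend":
            amt = req["amount"]
            if entry["limit"] is not None and self._spent_recently(entry, now) + amt > entry["limit"]:
                return False  # would exceed the window cap: the brake on looting a stolen key
            if not self._debit(amt):
                return False
            entry["spends"].append((now, amt))
            return True
        if op == "set_limit":  # may only set a limit where none exists, or lower an existing one
            new = req["limit"]
            if new is None or (entry["limit"] is not None and new >= entry["limit"]):
                return False
            entry["limit"] = new
            return True
        if op == "revoke":  # a secondary may revoke itself, nothing else
            if req["target"] != entry["key"].name:
                return False
            entry["revoked"] = True
            return True
        return False

    def _debit(self, amt):
        if amt <= 0 or amt > self.balance:
            return False
        self.balance -= amt
        return True


def signed(key: Key, req: dict):
    req = dict(req, key=key.name)
    return req, key.sign(canonical(req))


def scenario():
    """Walks the policy through a constructed sequence; returns (decisions, final balance)."""
    primary, hot = Key("primary"), Key("hot")
    acct = Account(primary, balance=1000)
    acct.enrol_secondary(hot, limit=100)
    steps = [
        (hot, {"op": "spend", "amount": 60}, 0),                             # ok
        (hot, {"op": "spend", "amount": 50}, 10),                            # 110 > 100: rejected
        (hot, {"op": "set_limit", "limit": 500}, 20),                        # cannot raise: rejected
        (hot, {"op": "set_limit", "limit": 80}, 20),                         # may lower: ok
        (primary, {"op": "set_limit", "target": "hot", "limit": 500}, 30),  # primary raises: ok
        (hot, {"op": "spend", "amount": 50}, 40),                            # within 500: ok
        (hot, {"op": "revoke", "target": "primary"}, 50),                    # not itself: rejected
        (primary, {"op": "revoke", "target": "hot"}, 60),                    # ok
        (hot, {"op": "spend", "amount": 1}, 70),                             # revoked: rejected
    ]
    results = [acct.apply(*signed(key, req), t) for key, req, t in steps]
    # a primary-named request signed with the secondary's key fails regardless of content
    req, _ = signed(primary, {"op": "spend", "amount": 1})
    results.append(acct.apply(req, hot.sign(canonical(req)), 80))
    return results, acct.balance
```

The cap is computed over accepted spends only, so a burst of rejected attempts cannot lock the legitimate holder out, and the primary's certificate is re-verified on every request, so tampering with the secondary's stored entry is caught rather than trusted.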

Evil-Knievel (OP) (Legendary, Activity: 1260, Merit: 1168)
February 26, 2016, 11:48:52 PM, #116
Last edit: April 19, 2016, 12:32:19 PM by Evil-Knievel

This message was too old and has been purged

Evil-Knievel (OP) (Legendary, Activity: 1260, Merit: 1168)
February 26, 2016, 11:51:37 PM, #117
Last edit: April 19, 2016, 12:32:13 PM by Evil-Knievel

This message was too old and has been purged

Dazza (Newbie, Activity: 56, Merit: 0)
February 27, 2016, 12:07:29 AM, #118

Random idea that I got on the way home.
What about this scheme:

1. PoW functions are submitted to the network and stay in a "pool" until their "gas" has been entirely used.

By "gas" do you just mean ELC?  Or do you envisage a second spendable commodity?

Quote
2. There are two types of transactions: the send-ELC transaction and the submit-work transaction.

OK.  Eventually I think we will end up with many different types of transaction.

Quote
The latter is used by the "miners" to submit their proof-of-works and their bounty-solvings.
The submit-work transactions in this context spend the "gas" to the miner's address and at the same time provide the PoW proof which is verified as part of the transaction verification.

We need to distinguish between proof-of-work and proof-of-correctness.  Blockchain security requires PoW.  It doesn't care whether the worker is submitting correct results, so long as he has appropriately spun his wheels.  The buyer, on the other hand, wants to be sure that the results are correct, including negative results.  While he has the same interest in blockchain security as every other honest user, in this context the buyer doesn't really care how the worker obtained the results.  A faster algorithm just means that he gets his results faster.  (This does not mean that the FAA is benign to the buyer, since in many attack scenarios the buyer gets incorrect results.)

Quote
Proof of work is measured in the same way as discussed: With the FAA attackable SHA256 scheme. However, in this context it makes no sense for the attacker to mine his own blocks and so earn his own money.

I don't see how.  If PoW (rather than some other scheme) is still being used to secure the blockchain, then an attacker might use the FAA to control the consensus.

Quote
3. This is not a consensus yet. We still need to define when a "block" is found and the chance to find it must be proportional to the work that has been done so far (so, to the number of submit-work transactions)
Here, I suggest using a "proof of stake" scheme which goes like this (and that is the trick here): The likelihood of finding a block does not increase with the ELC one holds (as in a traditional proof of stake) but with the number of submit-work transactions one has contributed to the current block.

I have an even simpler idea.  Why not just have pure proof-of-stake but with no reward at all (or perhaps just the tiny transaction fees) for the PoS miner.

Without a reward, the perverse incentives criticised in the white paper and the website are eliminated.  But the work will still be done.  Coinholders have a strong interest in maintaining the blockchain - their coin is worthless if they don't.  Additionally many coinholders will also be participants in the market, and so have an additional interest in its smooth operation.

With pure PoS, the FAA is mostly dead.  My gut feel is that it will rear its ugly head again in proof-of-correctness, but even then, in the greatly attenuated form of DoS attacks.  As far as blockchain security is concerned, it's dead.

Evil-Knievel (OP) (Legendary, Activity: 1260, Merit: 1168)
February 27, 2016, 12:20:33 AM, #119
Last edit: April 19, 2016, 12:32:05 PM by Evil-Knievel

This message was too old and has been purged

Dazza (Newbie, Activity: 56, Merit: 0)
February 27, 2016, 12:28:37 AM, #120

Bitshares has something similar.

"Your ideas are both original and good.  Unfortunately your good ideas are not original, and your original ideas are not good." -- Paraphrased from somewhere I don't recall.

Dazza, what do you think about the "submitting PoW transactions increase your chances to find a PoS block" approach?
Do you think we can use that as some sort of basis?

PoS can be used in conjunction with PoW to mitigate problems with the latter.  You could also just alternate between PoW and PoS (This was an early idea of mine which I never posted, my brain runs much faster than my typing fingers.)

My preference at this stage remains for pure PoS.  User supplied PoW is going to be such a headache and incur so much computational overhead, to so little benefit, that I think we should just abandon the idea.

What does that leave us?  A distributed market for computer processing, supported by a computationally inexpensive cryptocurrency.  I think that is a worthy project, and more than enough work for us to be going on with.