
Topic: BLS signatures (better than Schnorr) (Read 788 times)

hero member
Activity: 568
Merit: 703
July 13, 2018, 09:58:22 AM
#31
Every post from @anunymint apparently was deleted. The off-topic discussion in the thread is now very difficult to understand because a significant portion of it is missing.

Some of this thread was archived here.
legendary
Activity: 1652
Merit: 4392
Be a bank
June 28, 2018, 08:01:18 AM
#30
https://twitter.com/nopara73/status/949007859341197312
At Stanford, I overheard a conversation between @pwuille and @benediktbuenz (Bulletproofs). The level was above me, what I heard was: BB: "BLS, BLS, BLS!" PW: "Schnorr, Schnorr, Schnorr!" Is there anything to read about the pros and cons on BLS vs Schnorr signatures for Bitcoin?
member
Activity: 168
Merit: 47
8426 2618 9F5F C7BF 22BD E814 763A 57A1 AA19 E681
June 28, 2018, 07:55:51 AM
#29
I would like to know more about BLS signature.
Can someone delete all these segwit bs? I will try reporting all to moderator. Hope this can help.

legendary
Activity: 3430
Merit: 3080
June 28, 2018, 07:51:08 AM
#28
And as far as the matter goes, Carlton Banks claims it's nonsense and SegWit funds are safe forever, it's possible, but it's also possible you are wrong, and why would I bet against MP when I can just leave my coins in legacy addresses and avoid the problem if/when it happens? The theory is there, now someone needs to put it in practice, and I don't want to find out if it was actually viable or not with my own coins.

The same logic applies to P2SH addresses (Popescu's "army" subscribes to this). BTC 4.3 million currently in P2SH addresses. No attack is forthcoming. BTC 4.3 million is not enough?

The same logic applies to P2PKH addresses (i.e. supposedly "safe" legacy addresses beginning with 1). There's around 11 million BTC in P2PKH addresses.


Miners could use this logic for re-appropriating (stealing, "donating to self", whatever) BTC 11 million in P2PKH addresses + BTC 4.3 million in P2SH addresses + BTC 150 thousand in segwit addresses.

Can you explain why the attack isn't happening now? Why not, it's only 15 million BTC! They could take it all, couldn't they?
legendary
Activity: 1372
Merit: 1252
June 28, 2018, 07:36:03 AM
#27


At this stage, I'd recommend posting a brand new, self-moderated, topic to discuss this elsewhere.  Then you can nuke anything off-topic.  I don't think we're going to salvage this one.

I don't personally mind if the thread is derailed to discuss the SegWit issue, but I would appreciate it if the discussion here is about BLS and the SegWit issue is continued on any of the other numerous SegWit threads such as:

https://bitcointalk.org/index.php?topic=3670474.40
https://bitcointalk.org/index.php?topic=4433000.80

In fact someone should create a thread for this issue specifically to not confuse readers. And as far as the matter goes, Carlton Banks claims it's nonsense and SegWit funds are safe forever, it's possible, but it's also possible you are wrong, and why would I bet against MP when I can just leave my coins in legacy addresses and avoid the problem if/when it happens? The theory is there, now someone needs to put it in practice, and I don't want to find out if it was actually viable or not with my own coins.
legendary
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
June 28, 2018, 07:35:15 AM
#26
And I prefer to think that this is rational behaviour, and that all of this is a highly orchestrated act. The only possible benefit for Popescu to behave like this is to spread FUD, and the present timing of the reappearance of his "supporters" (all 1 of them) is a curious correlation with the present market cycle stage & sentiment. Maybe he's got some big bids below $6000 he wants fulfilled? That sounds like a much more likely scenario than "rich intelligent eccentric believes he's The 2nd Coming of Alexander the Great" or whatever

Equally possible, I suppose.  Crazies gonna crazy.

I love that even on the rare occasion we're on the same side, we still somehow manage to find a difference of opinion to argue over, heh.  As long as we agree that Anonymint is delusional, that's good enough for me.  The "how" and "why" are largely immaterial on this one.
legendary
Activity: 3430
Merit: 3080
June 28, 2018, 06:59:48 AM
#25
You're simply believing any words written by questionable people on the internet if you think that small changes to the 0.5 codebase can actually perform the initial block download, someone with some kind of reputation to defend would have to corroborate that by compiling the code and trying. You said it yourself: one can compile any code for a Bitcoin node with any version string they want, and recent versions of Bitcoin allow the user to simply add a command line argument to edit the version string without recompiling.

How do you know that the supposed 10 nodes aren't simply regular version 14 nodes using the uacomment argument to falsely advertise some different version? Of course there are ways to test based on whether modern network messages generate expected responses, but that tells you only a limited amount about what code any given node is running, it wouldn't be a lot of work to selectively disable some message types to spoof a 0.5 era node.


And I prefer to think that this is rational behaviour, and that all of this is a highly orchestrated act. The only possible benefit for Popescu to behave like this is to spread FUD, and the present timing of the reappearance of his "supporters" (all 1 of them) is a curious correlation with the present market cycle stage & sentiment. Maybe he's got some big bids below $6000 he wants fulfilled? That sounds like a much more likely scenario than "rich intelligent eccentric believes he's The 2nd Coming of Alexander the Great" or whatever
legendary
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
June 27, 2018, 06:36:25 PM
#24
So, I am "so sure about that part". What reason have you got to believe any of this nonsense?

Don't get me wrong here, I don't believe there's any chance at all they'd be successful in such a ludicrous "attack".  I just wouldn't rule out the possibility of them having the groundwork already in place due to the sheer level of egomania they're prone to.  It's simply not wise to underestimate those who may be mentally unhinged.  As Last of the V8s pointed out, there are 10 TRB nodes openly disclosing their version.  Apparently they've managed to synchronise and download the full blockchain just fine.  And it's impossible to tell if any others might be out there that are masking the version they run.  

It may not be the simplest thing to do, it might be a load of belligerent, regressionist, hardliner groupthink, but damned if they aren't delusional enough to do it anyway.  I don't question their belief or determination, just their common sense and grasp of reality.  The fact that such an attack isn't remotely practical in the real world doesn't preclude them from running outdated nodes simply because that's what they see as "right".

It is nonsense, clearly, but that alone wouldn't stop them even if they recognised the fact.  You're expecting them to behave rationally.  Consider they might not be doing that.  It seems they have their own definition of "rational" and it isn't remotely the same as ours.

They literally believe they're the New World Order.  Your new Kings.  Gods amongst men.  That sort of self-aggrandising lunacy.
legendary
Activity: 3430
Merit: 3080
June 27, 2018, 06:05:33 PM
#23
every block would need to have every transaction validated by seeking back to the block that every output was spent from
That's bitcoin. It's the only way to be sure.

You can make a list of every unspent output as the blockchain progresses, this is new technology called "UTXO set" (fresh from 2011)



Did they implement the anti-Satoshi UTXO set tech? How long does it take to sync now, less than a year maybe?
legendary
Activity: 1652
Merit: 4392
Be a bank
June 27, 2018, 05:51:01 PM
#22
every block would need to have every transaction validated by seeking back to the block that every output was spent from
That's bitcoin. It's the only way to be sure.

If it's completely impractical to sync a "Satoshi immutable" node
It isn't.
They fixed that bug
http://therealbitcoin.org/ml/btc-dev/attachments/20171225/ben_vulpes_increase_aggression_levels.vpatch?sha1=998650bc516061a0b756e402608cb2b34bd0e620

http://btcbase.org/log/2018-06-25#1829413

legendary
Activity: 3430
Merit: 3080
June 27, 2018, 05:25:58 PM
#21
there are no 0.5 nodes at all on the Bitcoin network, that's zero precisely.  

I wouldn't be so sure about that part.  I distinctly recall some of MP's fervent disciples openly encouraging client spoofing as a means to derail support for XT.  It's unlikely they're displaying their actual software version.  It's not difficult to change.  And it makes sense if you're an extremist who wants to stay under the radar.  I'd agree there probably aren't many "0.5.4." nodes running, but I suspect it's more than zero.

Well, if you want to continue along these lines, consider something else.

Bitcoin version 0.5 would take a very, very long time to download & verify the full Bitcoin blockchain in 2018, probably several months (0.5 didn't even use a UTXO set, every block would need to have every transaction validated by seeking back to the block that every output was spent from). Anyone trying to switch to 0.5.4 using their current blockdata would find it doesn't work, unless all the latest un-Satoshisms have been backported to it (which would make the whole concept that little bit more ridiculous), this vaunted hard fork attack couldn't take place using 0.5 era software even if someone wanted to do it (no takers so far on all the "vulnerable" P2SH addresses, which only contain BTC 4.3 MILLION at this point in time, but of course the Schelling point hasn't been reached yet, 4.3 million BTC isn't worth it, lol)  

If it's completely impractical to sync a "Satoshi immutable" node, how many people could really be a part of this regressionist hard fork movement that's the Bitcoin equivalent of a 19th century steam driven car? It's a very bad joke


So, I am "so sure about that part". What reason have you got to believe any of this nonsense?
legendary
Activity: 1652
Merit: 4392
Be a bank
June 27, 2018, 03:43:17 PM
#20
there are no 0.5 nodes at all on the Bitcoin network, that's zero precisely.  

I wouldn't be so sure about that part.  I distinctly recall some of MP's fervent disciples openly encouraging client spoofing as a means to derail support for XT.  It's unlikely they're displaying their actual software version.  It's not difficult to change.  And it makes sense if you're an extremist who wants to stay under the radar.  I'd agree there probably aren't many "0.5.4." nodes running, but I suspect it's more than zero.

It's ten TRB nodes for now: https://coin.dance/nodes (note you may need to follow this too http://btcbase.org/log-search?q=emergent+consensus lol)
legendary
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
June 27, 2018, 02:55:33 PM
#19
Recently I've learned about BLS  (Boneh-Lynn-Shacham) signatures and it sounds all great. Fixes the problems Schnorr brought to the table.

My questions are: Is this to be deployed with a hard-fork or soft-fork?

If it's a soft-fork, when can we expect it to happen? Since it would be a new address format if I'm not mistaken, would it be controversial like SegWit was? Also could we bypass Schnorr and just go BLS?

At this stage, I'd recommend posting a brand new, self-moderated, topic to discuss this elsewhere.  Then you can nuke anything off-topic.  I don't think we're going to salvage this one.


there are no 0.5 nodes at all on the Bitcoin network, that's zero precisely.  

I wouldn't be so sure about that part.  I distinctly recall some of MP's fervent disciples openly encouraging client spoofing as a means to derail support for XT.  It's unlikely they're displaying their actual software version.  It's not difficult to change.  And it makes sense if you're an extremist who wants to stay under the radar.  I'd agree there probably aren't many "0.5.4." nodes running, but I suspect it's more than zero.
legendary
Activity: 3430
Merit: 3080
June 27, 2018, 02:36:31 PM
#18
TRB follows the Bitcoin 0.5.3 protocol (not Bitcoin 0.1 as you say), with some bug fixes. They call it Bitcoin 0.5.4.

Completely arbitrary according to the "cannot decode" basis of this proposed attack


If cannot decode "breaks Satoshi immutability" (such is the claim), then P2PKH (Bitcoin addresses beginning with 1) is also in violation, and hence unsafe to store money as it's subject to hard fork confiscation. There is no reason why miners shouldn't extend this attack to take all the Bitcoins from P2PKH addresses according to the "logic" of this hard forking attack


Any claims that this "Satoshi's Pure Bitcoin" has a following is a complete joke, there are no 0.5 nodes at all on the Bitcoin network, that's zero precisely. I wonder why this Mircea Popescu troll account Anonymint is pushing this FUD now, it's not like we're in a bear market waiting to capitulate or anything
member
Activity: 168
Merit: 47
8426 2618 9F5F C7BF 22BD E814 763A 57A1 AA19 E681
June 27, 2018, 01:43:56 PM
#17

Here's the major irony: this means P2PKH is out too, huh? Bitcoin addresses starting with 1 are not safe either, miners will take it all as donations, Anonymint has spoken!!! Bitcoin 0.1 cannot decode P2PKH, it's back to P2PK for everyone! Hey that's kind of interesting, as only Satoshi era mining rewards are still held in P2PK outputs! Satoshi set everyone up, only his money from 2009 is safe, everyone else is going against his sacred immutability!

That's really the essence of your argument; anything that Bitcoin 0.1 cannot cope with is going to get eaten by a massive miner-led hardfork that takes us all the way back to January 3rd 2009. Have fun with that

TRB follows the Bitcoin 0.5.3 protocol (not Bitcoin 0.1 as you say), with some bug fixes. They call it Bitcoin 0.5.4. The fight began when P2SH was introduced (3-addresses). MP did not like it and forked. I hope the main reason SegWit was introduced as a soft fork is because of MP and TRB. Most users use an updated version of the Core client and are able to update their node, so the only real reason I can think of is MP.

I was thinking like you, but reading Anonymint's arguments I began to reflect. I found MP and his followers are very powerful and influential. So his argument started to make some sense to me.

SegWit was a honeypot, as previous transaction types were not really commonly used and large amounts of bitcoins were stored in the 1-address format. Now with SegWit a lot of bitcoins will be stored in P2WSH and P2WPKH addresses, so the booty will grow too.

Bitcoin 0.5.4's rule, like Bitcoin 0.16's rule, is that the chain with the most accumulated PoW is valid. Witness data is not inside the blockchain, so its persistence cannot be guaranteed.

I see exchanges selling futures contracts, the ETH/ETC war, a lot of developers starting to act as politicians and forking the Bitcoin blockchain as the new fashionable manner to airdrop shitcoins.

I don't know if a chain that steals all coins in cannot-decode outputs will have some value, but I hope it will happen for sure; the only question is: when?


EDIT: please stop spamming this topic in every thread. That's not fair. Start a new thread if you want to talk about a segwit theft
legendary
Activity: 3430
Merit: 3080
June 27, 2018, 01:19:04 PM
#16
Bitcoin version 0.1 cannot decode P2PKH (the type of address you claim is safe from the "booty" attack)

Explain why your theory means that miners won't steal every Bitcoin going back to the introduction of P2PKH scripts



(BIP 65 is a typo, I meant BIP66, strict canonical DER signatures)
newbie
Activity: 1
Merit: 1
June 26, 2018, 05:00:38 PM
#15
Anonymint

If you know Satoshi's protocol, you would know that ANYONECANPAY has existed since the very early days, and was always intended as a feature to upgrade script types such that old nodes didn't experience the new scripts as a hard fork, no doubt ANYONECANSPEND was used for the introduction of multisig addresses too (yet you're leaving those out of your TheftCoin idea for no reason at all). So you can keep pretending that the developers have deliberately created a vulnerable new spend type all you like, you're not fooling anyone (except apparently cellard, and your alter ego friend from trilemma.com).

You are mistaken yet again, OP_CHECKMULTISIG does not require P2SH:

https://bitcoin.org/en/glossary/multisig

ANYONECANSPEND is put there so that any idiot scammers who want to soft fork provide the miners the means to force the soft fork to forkoff in a hard fork by taking P2SH transactions as donations. It is provided so that miners and the economic majority (i.e. the whales) decide when to cause a soft fork to hardfuckoff. It is also put there to give the useless idiots a belief that they have some political control over Bitcoin to serve as a spanking lesson about how Satoshi Bitcoin destroys and disintermediates politics (even disintermediating the sovereignty of nation-states with jurisdictional arbitrage).

Gavin proposed OP_CHECKMULTISIG and P2SH. Let’s remember that Gavin and John Nash were both at Princeton at the same time. Hmm.

What we can see is that Satoshi put in some invariants (1MB block size, limited number of sigs in a multi-sig) that would tempt others to want to attempt to upgrade his protocol. Those upgrades (no matter how they would have been proposed in a BIP) would only be a soft fork if old clients treat them as “cannot decode”. If there’s UTXO that is “cannot decode” then miners can create a spend script which has no sig for the payer from that “cannot decode” UTXO to a new UTXO which is a standard output understood by the Satoshi protocol. So that is why I say although Gavin proposed P2SH, Satoshi actually designed ANYONECANSPEND into his original protocol via the invariants and what he knew humans would try to do to his protocol.


There is no doubt in mind that Bitcoin will prosper when Core is kicked off.

Bitcoin is not driven by these useless minnows who think Bitcoin was created to be a popular transaction scalability system.

Besides when someone releases a proof-of-stake system without the nothing-at-stake flaw, then the on-chain transaction scalability problem is going to disappear overnight.

That will drive huge widespread demand for cryptocurrency in general and Bitcoin will continue to be the unit-of-account for power money. Thus my work will actually help grow Bitcoin.

I am not worried at all. The future looks like $billionaire around the corner for me. Now if y’all don’t mind, I will STFU because I can’t get my work done while arguing on BCT.

Hi, Newbie here

I posit that the "event" that results in Core being kicked off Bitcoin won't necessarily be greed motivated but will be a direct result of "Re-introducing imperial barnacles".

Can someone point me to more information about "Safe" addresses. Are those legacy addresses? Or just 1addresses? How best to create, use?


http://trilema.com/2017/integration-is-bad-for-bitcoin/
Quote
I. Re-introducing imperial barnacles into the Bitcoin protocol is of no service to the Republic and something the Empire is entirely dependent on. There is absolutely no conceivable reason you might have to open a ssl connection to whoever you're paying. If you're willing to do that, which is to say : if you're willing to include the Great Inca in your payment structure, just fucking send a wire. It will be "cheaper" and "safer" than dicking around with Bitcoin, which evidently is not for you.

II. Giving miners pretexts to break the protocol is not in anyone's interest (miners themselves included). Excluding a validly signed transaction for any reason is breakage of Bitcoin, and should not be tolerated for the directly obvious consideration : the reasons will change down the road.

So no, integration is not good for Bitcoin, irrespective of whether you mean "integration of NSA into your payment flow", or "integration of merchants and customers", or "integration of payers and miners" or any other kind. Bitcoin is valuable and powerful for being fragmentary, not for being unitary. There already exists such a thing as the unitary payment stack, and not only everyone hates paypal but moreover we're here in the first place because we wanted an alternative. Which we now have. What's the grand idea, "take these torrents and make them moar like netflix" ? That's not much of an idea, is it now!

Needless to say, the reference Bitcoin implementation as maintained by the Bitcoin foundation (not to be confused with various scammers' phishing attempts) will never implement or support such nonsense. I suppose, given Bitpay's absolutely minuscule size we don't even need to revisit 2015-era points about who's got the money and therefore who makes the rules.

Never forget :

Bitcoin is valuable today because for the past five+ years I've been intransigently sinking each and every attempt of all the scum and barnacles sticking to its mighty hull to make it "more acceptable to governments" which is to say useless and stupid.

It was true in 2015 like it was true in 2013 like it is true in 2017 and like it will stay true in 2019.

http://trilema.com/2018/the-republic-without-mp/
Quote
-Snip
They'll want to have a Republic without MP, a WoT without the WoT, a Pizarro without the Pizarro, a this without the that. Absolutely typical pantsuitism,

-Snip

Bitcoin is feudal, you understand. Do you understand ?

Do you ?

The time while the lords are still even looking for more knights is drawing to a close, like all windows of opportunity ever
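The mechanism behind the "cannot decode" claim quoted in the post above, as an added example that is not code from this thread, from TRB or from Bitcoin Core: a toy Script evaluator that knows only OP_0, direct pushes, OP_SHA256 and OP_EQUAL, and uses a hash-locked witnessScript (a constructed preimage) in place of a signature check. It verifies one and the same P2WSH output under pre-BIP141 rules and under BIP141 rules. A node that predates the soft fork executes `OP_0 <32 bytes>` as two pushes and finds a non-zero top item, so an empty scriptSig satisfies it; a node enforcing BIP141 requires a witness whose last item hashes to the program and then runs that script. The same code also shows the other side of the upgrade hook: a segwit-aware node leaves an unknown witness version spendable by anyone, which is exactly what the next soft fork relies on.

```python
import hashlib

OP_0, OP_SHA256, OP_EQUAL = 0x00, 0xA8, 0x87


def push(data: bytes) -> bytes:
    """Direct push opcode for 1..75 bytes (the only push form this toy knows)."""
    if not 1 <= len(data) <= 75:
        raise ValueError("toy push supports 1..75 bytes")
    return bytes([len(data)]) + data


def cast_to_bool(item: bytes) -> bool:
    """Script truthiness: any non-zero byte (negative-zero special case omitted)."""
    return any(item)


def eval_script(script: bytes, stack: list) -> bool:
    """Run a script over a stack; False means an opcode failed or is unknown to the toy."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if op == OP_0:
            stack.append(b"")
        elif 1 <= op <= 75:                      # direct data push
            stack.append(script[i:i + op])
            i += op
        elif op == OP_SHA256:
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op == OP_EQUAL:
            stack.append(b"\x01" if stack.pop() == stack.pop() else b"")
        else:
            return False                         # opcode outside this toy subset
    return True


def verify_legacy(script_sig: bytes, script_pubkey: bytes) -> bool:
    """Pre-BIP141 verification: run scriptSig, then scriptPubKey; top item must be true."""
    stack: list = []
    if not eval_script(script_sig, stack) or not eval_script(script_pubkey, stack):
        return False
    return bool(stack) and cast_to_bool(stack[-1])


def witness_program(script_pubkey: bytes):
    """Return (version, program) if scriptPubKey matches the BIP141 template, else None."""
    if not 4 <= len(script_pubkey) <= 42:
        return None
    v, n = script_pubkey[0], script_pubkey[1]
    if v == OP_0:
        version = 0
    elif 0x51 <= v <= 0x60:                      # OP_1..OP_16
        version = v - 0x50
    else:
        return None
    if n != len(script_pubkey) - 2 or not 2 <= n <= 40:
        return None
    return version, script_pubkey[2:]


def verify_segwit(script_sig: bytes, script_pubkey: bytes, witness: list) -> bool:
    """Post-BIP141 verification for v0 P2WSH; non-witness outputs fall back to legacy rules."""
    wp = witness_program(script_pubkey)
    if wp is None:
        return verify_legacy(script_sig, script_pubkey)
    version, program = wp
    if script_sig != b"":                        # native witness output: scriptSig must be empty
        return False
    if version != 0:                             # unknown version: BIP141 leaves it anyone-can-spend
        return True
    if len(program) != 32 or not witness:        # P2WPKH needs OP_CHECKSIG, outside this toy
        return False
    witness_script = witness[-1]
    if hashlib.sha256(witness_script).digest() != program:
        return False
    stack = list(witness[:-1])
    if not eval_script(witness_script, stack):
        return False
    return len(stack) == 1 and cast_to_bool(stack[0])   # clean stack is consensus for witness


def demo() -> dict:
    """Constructed P2WSH hash-lock: legacy rules accept an empty scriptSig, BIP141 rules do not."""
    secret = b"constructed-preimage"              # stands in for the payer's signature
    witness_script = bytes([OP_SHA256]) + push(hashlib.sha256(secret).digest()) + bytes([OP_EQUAL])
    script_pubkey = bytes([OP_0]) + push(hashlib.sha256(witness_script).digest())
    return {
        "legacy_empty_scriptsig": verify_legacy(b"", script_pubkey),
        "segwit_no_witness": verify_segwit(b"", script_pubkey, []),
        "segwit_wrong_preimage": verify_segwit(b"", script_pubkey, [b"wrong", witness_script]),
        "segwit_valid": verify_segwit(b"", script_pubkey, [secret, witness_script]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The legacy path never looks at the witness at all, which is the whole point: nothing in the pre-fork rules ties the spend to the payer, so a block built under those rules may move the output without any signature. Whether other nodes accept that block is a question of which rule set they enforce, not of script validity.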
legendary
Activity: 3430
Merit: 3080
June 26, 2018, 04:41:57 PM
#14
ANYONECANSPEND is put there so that any idiot scammers who want to soft fork provide the miners the means to force the soft fork to forkoff in a hard fork by taking P2SH transactions as donations. It is provided so that miners and the economic majority (i.e. the whales) decide when to cause a soft fork to hardfuckoff. It is also put there to give the useless idiots a belief that they have some political control over Bitcoin to serve as a spanking lesson about how Satoshi Bitcoin destroys and disintermediates politics (even disintermediating the sovereignty of nation-states with jurisdictional arbitrage).

Right, so Satoshi specifically introduced ANYONECANPAY so that miners would steal funds from any scripts using softforked protocol rules ? That's actually what your argument is?

And you've changed your argument, you're now claiming all P2SH funds are vulnerable? Have you changed your argument because of its inconsistency with the ways that ANYONECANPAY has been used before the Segwit soft fork to introduce new script types? What if you're ignorant about other script types that have been soft-forked using ANYONECANPAY backwards compatibility? Why wouldn't you be, after this concession? Do you know?

 
What about people who use P2SH as a way of using compressed keys? What next, are compressed keys anti-Satoshi too, whether P2SH wrapped or not? Have you thought any of this through? Will you change your argument again?


I am not worried at all. The future looks like $billionaire around the corner for me. Now if y’all don‘t mind, I will STFU because I can’t get my work done while arguing on BCT.

Please do, we're all really, really interested in the latest developments in your years of work on your coin. Or, any information at all would suffice, seeing as you've never produced even some beta testing code after 5 years of (a lot of) talk
legendary
Activity: 3430
Merit: 3080
June 26, 2018, 11:50:23 AM
#13
If you know Satoshi's protocol, you would know that ANYONECANPAY has existed since the very early days, and was always intended as a feature to upgrade script types such that old nodes didn't experience the new scripts as a hard fork, no doubt ANYONECANSPEND was used for the introduction of multisig addresses too (yet you're leaving those out of your TheftCoin idea for no reason at all). So you can keep pretending that the developers have deliberately created a vulnerable new spend type all you like, you're not fooling anyone (except apparently cellard, and your alter ego friend from trilemma.com).

Wrong, I have always questioned if Bitcoin could survive a post-SegWit attack scenario and still do. Miners would need to consider if it's worth it, because if it ends up killing Bitcoin they would be left with massive amounts of useless gear they cannot use again to milk transactions, since trust in crypto as a whole would be lost. I don't believe this will happen 100% guaranteed, but you can't claim it will not happen 100% guaranteed (and if you do, it's a mistake), therefore it's only sane to move your funds to 1-addresses; I don't lose anything by doing so.


Replies are for meaningful conversations, you have to say at least something about what the person you're replying to said.


You've got no reason to believe Segwit addresses are a special case somehow, if a hard fork is to steal BTC, then everything is up for grabs. Provide reasoning.

Why do you continue to evade this point? Is it because your whole argument relies on evading reality? *




* Notice how this (at least broadly) addresses your non-reply
legendary
Activity: 1372
Merit: 1252
June 26, 2018, 11:23:57 AM
#12
The recovery of SegWit donations doesn’t require a 50+% attack. That you continue to repeat that nonsense exemplifies either your dishonesty or incompetence or both.

When the Satoshi miners start spending the anyonecanspend SegWit donations to themselves in blocks that they win, the Core protocol will fork off and not accept those blocks.

There will be two chains. So the Satoshi chain doesn’t need 50+% of the Core chain’s hashrate. The Satoshi protocol chain only needs enough hashrate to get the snowball rolling and then miners will be jumping for joy to go anonymously join in the bonanza.

If your proposed fork can't even get a majority hashrate, then everyone currently using Bitcoin will experience it as just the latest minority fork. That's no different to any other Bitcoin hardfork, with the attractive property that the miners following it will be exclusively composed of thieves.

No-one will realistically trust those miners to not steal coins again in another hard fork. Hence your "Satoshi" fork will actually be ThiefCoin, that zero users or businesses will follow. Price crashes, not even worth trying to sell the ThiefCoin airdrop.

You have a genius' 165 IQ, yet this is the best scare story you can summon up? Whatever test you took, ask for your money back IMO



You can never know if the hashrate supporting the SegWit-friendly fork is going to be honest in the future; you can't even know if they were part of the theft. Attempting to cartel up on legacy addresses doesn't take the same resources as moving SegWit addresses. If/after SegWit gets exposed, I fail to understand why anyone would ever trust a SegWit-supporting fork?

Anonymint

If you know Satoshi's protocol, you would know that ANYONECANPAY has existed since the very early days, and was always intended as a feature to upgrade script types such that old nodes didn't experience the new scripts as a hard fork, no doubt ANYONECANSPEND was used for the introduction of multisig addresses too (yet you're leaving those out of your TheftCoin idea for no reason at all). So you can keep pretending that the developers have deliberately created a vulnerable new spend type all you like, you're not fooling anyone (except apparently cellard, and your alter ego friend from trilemma.com).

Wrong, I have always questioned if Bitcoin could survive a post-SegWit attack scenario and still do. Miners would need to consider if it's worth it, because if it ends up killing Bitcoin they would be left with massive amounts of useless gear they cannot use again to milk transactions, since trust in crypto as a whole would be lost. I don't believe this will happen 100% guaranteed, but you can't claim it will not happen 100% guaranteed (and if you do, it's a mistake), therefore it's only sane to move your funds to 1-addresses; I don't lose anything by doing so.