Author

Topic: letstalkbitcoin on committed tx, homomorphic value, fungibility, privacy (Read 4159 times)

legendary
Activity: 905
Merit: 1012
@d'aniel Turing completeness has a very specific academic definition that the language I am co-designing probably won't meet[1], but that distinction is not interesting or important. In a Turing-complete language you can write an infinite loop, but why would you ever need to do that in practice? There are more limited forms of recursion and required type safety which allow expression of solutions to nearly all real world problems, or the emulation of space- or time-constrained variants of Turing-complete solutions.

I don't consider this overkill or window dressing at all. There are some very serious applications (e.g. restricted buy back) which require these features if they are to be emulated in Script; I wouldn't be working on this otherwise. We should probably move this to the thread linked to by Adam, however.

[1] I haven't seen this proven yet, but it looks like we'll probably have to choose between decidability and Turing-completeness in the type system, and for this application decidability is far more important as I foresee wallets using theorem proving to determine script safety and to categorize / quarantine coins by their attached covenants. For similar reasons, it may make sense to restrict ourselves to a total functional programming language (which restricts the range of expressible programs to those which are provably terminating, and therefore not Turing-complete in the strict sense, but nevertheless sufficiently expressive just about any actual use).
donator
Activity: 129
Merit: 100
Swimming in a sea of data
Listening to Adam's interview was one of the best hour and forty-five minutes I've spent in a long time.  Adam has a lot of really great ideas for the bitcoin community, and we'd do well to take him seriously.  These are the ideas which I think are the most important:

1. Preservation of fungibility through enhanced privacy.
2. Releasing major changes to the protocol as a parallel implementation that allows migration of coins from the old to the new.
3. Focusing on the improvement of bitcoin rather than wasting time and resources on alt coins (with point 2 considered when major improvements require a hard fork).

Adam, I sent you a nice tip, but it's orders of magnitude below the value you've added to the community.  It's unfortunate that you haven't profited more from cryptocurrencies given your contributions over the years.

sr. member
Activity: 404
Merit: 362
in bitcoin we trust
Thanks d'aniel.  My initial feeling is that Turing-completeness is not necessary for bitcoin and would very likely lead to unforeseen problems and instability (mostly related to the halting problem).  Money isn't a computer.

I moved this question about risks with turing complete scripting to this thread on turing complete / ethereum and added some comments.

https://bitcointalk.org/index.php?topic=431513.new#new

Adam
legendary
Activity: 1162
Merit: 1007
I doubt it'll be Turing-complete, like Ethereum's, as that's likely overkill/window dressing.

I'm drinking wine and haven't looked into Ethereum at all, so please excuse me if I'm being ignorant, but even NAND gates and Rule #110 Wolfram Cellular Automaton are Turing complete, no?  The complexity required for universal computation is surprisingly low.  
Here's a recent discussion on this: https://bitcointalksearch.org/topic/turing-complete-language-vs-non-turing-complete-ethereum-vs-bitcoin-431513

Thanks d'aniel.  My initial feeling is that Turing-completeness is not necessary for bitcoin and would very likely lead to unforeseen problems and instability (mostly related to the halting problem).  Money isn't a computer.
sr. member
Activity: 461
Merit: 251
I doubt it'll be Turing-complete, like Ethereum's, as that's likely overkill/window dressing.

I'm drinking wine and haven't looked into Ethereum at all, so please excuse me if I'm being ignorant, but even NAND gates and Rule #110 Wolfram Cellular Automaton are Turing complete, no?  The complexity required for universal computation is surprisingly low. 
Here's a recent discussion on this: https://bitcointalksearch.org/topic/turing-complete-language-vs-non-turing-complete-ethereum-vs-bitcoin-431513
legendary
Activity: 1162
Merit: 1007
I doubt it'll be Turing-complete, like Ethereum's, as that's likely overkill/window dressing.

I'm drinking wine and haven't looked into Ethereum at all, so please excuse me if I'm being ignorant, but even NAND gates and Rule #110 Wolfram Cellular Automaton are Turing complete, no?  The complexity required for universal computation is surprisingly low. 
sr. member
Activity: 461
Merit: 251
So regarding scripts and Bitcoin-Dev, what is the current thinking regarding re-implementing all of the scripts in Bitcoin?
Is anyone considering it? If so, how would it be similar or different from what they are proposing in Ethereum?
I worry about too much misplaced hype coming from Ethereum, leading to the problem Adam mentioned, so it'd be nice to take the wind out of their sails with a script 2.0.  Adam said in the interview that Mark Friedenbach (maaku) was working on a good implementation.  I doubt it'll be Turing-complete, like Ethereum's, as that's likely overkill/window dressing.
newbie
Activity: 5
Merit: 0
What an enthralling discussion! I took notes as I listened. Andreas asking questions? You know its got to be informative.
Would love to see the content of this show written up as an article (not a transcript), with references. The information was tightly packed, and that's saying something for a longer show.

Most fascinating idea I picked out was the Bitcoin-Dev idea, whereby new features could be tested on a prototype track and bitcoin could be moved into it. Has any work been done on it since October? Loved the thought that all mindshare should be focused on Bitcoin.

Next most interesting: scripts disabled in Bitcoin.  And of course, fungibility needs anonymity.

So regarding scripts and Bitcoin-Dev, what is the current thinking regarding re-implementing all of the scripts in Bitcoin?
Is anyone considering it? If so, how would it be similar or different from what they are proposing in Ethereum?
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
Thanks, I really enjoyed the talk!

I'm wondering what the devs thought of the beta chain idea?  Any objections beyond aesthetics?  (Of course there's the required hard fork, but these are going to have to happen in the future anyway.)
Forgot to link that topic.  You can see the comments yourself below threads (positive).  1-way peg doesnt need any bitcoin main protocol changes we could do it now.

A new even better but bitcoin-main change-requiring variant figured out since.  And someone who can comment if they wish said on #bitcoin-wizards IRC (about the hard fork of this variant) that a) maybe it can be done without a hard fork, and b) anyway its the "one change to rule them all".  Ie after you've done it, other changes can happen on a pegged merge-mined side chain with no bitcoin main security risk.

Bitcoin-dev threads see comments for yourself (thread comments are at visible at the bottom of the pages):

Generically n of n multisig (with one owner or a single owner with pre-split private key) is compact with schnorr.  Shnorr is a better sig than DSA, NSA reduced its flexibility when they tweaked it to avoid Prof Schnorr's patent.

Schnorr also supports efficient threshold signatures (k of n multisig) so you can also do k of n multisig in the space of one signature on the validation side.


and as I said EC Schnorr (EdDSA) also supports blind signatures, which are not so far known to be possible with ECDSA.  CoinJoin uses blind signatures based on RSA I think, so it'd be nicer, faster, more compact, to use the native EC Schnorr blind sig.

EC Schnorr also makes possible wallet with observer (Stefan Brands concept) which allows a hardware wallet to be made subliminal channel free (wallet prevents offline double spend up to tamper resistance but cant mark coins nor leak private key).  But I spoke about a more advanced wallet observer, what I described (on the podcast) is actually a use of Brands issuing protocol to extend wallet observer so the wallet can sign a transaction and has a ZKP that the subliminal channel free signature it is making is bound to the message it can then display on the bigger hw wallet screen.

Subliminal channel free means the wallet has no way to leak the private key even if it is malicious (short of having a radio emitter inside it)

Adam
sr. member
Activity: 461
Merit: 251
Thanks, I really enjoyed the talk!

I'm wondering what the devs thought of the beta chain idea?  Any objections beyond aesthetics?  (Of course there's the required hard fork, but these are going to have to happen in the future anyway.)
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
A podcast from letstalkbitcoin where I am talking with Andreas Antonopulous: maybe a better summary of the committed tx & homomorphic value, the threads here were full of crypto-math and perhaps hard to decipher, also fungibility/red-list & tx-cost and how that relates to indentity and privacy; also hashcash, decentralization, coinjoin/payment protocol, zerocoin/zerocash, some history.  1h45 of "light" listening Smiley

http://letstalkbitcoin.com/e77-the-adam-back-interview/

Some bitcoin talk links to the topics discussed:

Committed transactions (that really needs a summary top post, too much design evolution through it):

coinjoin
Enjoy Smiley

Adam
Jump to: