Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-21 Thread vizeet srivastava via bitcoin-dev 
It is difficult to understand how energy usage is a bad thing.
At one end we talk about energy usage as a bad thing and we also talk about
global warming.
If Earth is receiving extra energy which is causing global warming
shouldn't we use extra energy to do something useful.


On Fri, May 21, 2021 at 2:52 PM Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I think there is a lot of misinformation and bias against Proof of Stake.
> Yes there have been lots of shady coins that use insecure PoS mechanisms.
> Yes there have been massive issues with distribution of PoS coins (of
> course there have also been massive issues with PoW coins as well).
> However, I want to remind everyone that there is a difference between
> "proved to be impossible" and "have not achieved recognized success yet".
> Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
>
> @Eric Your proof of stake fallacy seems to be saying that PoS is worse
> when a 51% attack happens. While I agree, I think that line of thinking
> omits important facts:
> * The capital required to 51% attack a PoS chain can be made substantially
> greater than on a PoS chain.
> * The capital the attacker stands to lose can be substantially greater as
> well if the attack is successful.
> * The effectiveness of paying miners to raise the honest fraction of
> miners above 50% may be quite bad.
> * Allowing a 51% attack is already unacceptable. It should be considered
> whether what happens in the case of a 51% may not be significantly
> different. The currency would likely be critically damaged in a 51% attack
> regardless of consensus mechanism.
>
> > Proof-of-stake tends towards oligopolistic control
>
> People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignifiant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
>
> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>
> I certainly agree. Bitcoin's energy usage at the moment is I think quite
> warranted. However, the question is: can we do substantially better. I
> think if we can, we probably should... eventually.
>
> > Proof of Stake is only resilient to ⅓ of the network demonstrating a
> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>
> I see no mention of this in the pos.pdf
>  you linked to. I'm not
> aware of any proof that *all *PoS systems have a failure threshold of
> 1/3. I know that staking systems like Casper do in fact have that 1/3
> requirement. However there are PoS designs that should exceed that up to
> nearly 50% as far as I'm aware. Proof of work is not in fact resilient up
> to the 1/2 threshold in the way you would think. IE, if 100% of miners are
> currently honest and have a collective 100 exahashes/s hashpower, an
> attacker does not need to obtain 100 exahashes/s, but actually only needs
> to accumulate 50 exahashes/s. This is because as the attacker accumulates
> hashpower, it drives honest miners out of the market as the difficulty
> increases to beyond what is economically sustainable. Also, its been shown
> that the best proof of work can do is require an attacker to obtain 33% of
> the hashpower because of the selfish mining attack
> 
>  discussed
> in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both
> of these things reduce PoW's security by a factor of about 83% (1 -
> 50%*33%).
>
>  > Proof of Stake requires other trade-offs which are incompatible with
> Bitcoin's objective (to be a trustless digital cash) — specifi

Re: [bitcoin-dev] SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes

2018-09-21 Thread vizeet srivastava via bitcoin-dev 
I see one benefit which i am looking for. I may not need to use all public
keys in p2sh script instead i can use p2pkh and retrieve funds by using
threshold number of keys..so in case i loose a public key along with
private key i still may have other public key private key pairs to
retrieve. For me it sounds interesting. I need to understand how it is
going to get implemented in more detail.

On Sat 22 Sep, 2018, 9:53 AM Christopher Allen via bitcoin-dev, <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Fri, Sep 21, 2018 at 11:18 AM Andrew Kozlik via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> We are currently writing a new specification for splitting BIP-32 master
>> seeds into multiple mnemonics using Shamir's secret sharing scheme. We
>> would be interested in getting your feedback with regard to the
>> high-level design of the new spec:
>> https://github.com/satoshilabs/slips/blob/master/slip-0039.md
>> Please focus your attention on the section entitled "Master secret
>> derivation functions", which proposes several different solutions. Note
>> that there is a Design Rationale section at the very end of the
>> document, which should answer some of the questions you may have. The
>> document is a work in progress and we are aware that some technical
>> details have not been fully specified. These will be completed once the
>> high level design has been settled.
>>
>
> I and a number of companies & communities I am involved with are very
> interested in this.
>
> A challenge is that Shamir Secret Sharing has subtleties. To quote Greg
> Maxwell:
>
> > I think Shamir Secret Sharing (and a number of other things, RNGs for
> example), suffer from a property where they are just complex enough that
> people are excited to implement them often for little good reason, and then
> they are complex enough (or have few enough reasons to invest significant
> time) they implement them poorly”.
>
> Some questions for you:
>
> * What other teams or communities besides Trezor are committed to
> standardizing a Shamir Secret Sharing Scheme? I can say that the
> #RebootingWebOfTrust community (meeting again for the 7th time next week in
> Toronto https://rwot7.eventbrite.com) are very interested.
>
> * Where do you want to hold discussions on this? Do people object to
> having this discussion on this mailing list? Or should it be issues in
> SLIPS repo or on some other mailing list?
>
> * Presuming a successful split of secrets, I don’t know all the
> adversarial problems that are associated with recovery of a SSS. As this
> would be an interactive event, I presume an attacker can DOS a request to
> reassemble keys (so maybe some the of integrity of each share vs all is
> required). And of course there are the biggest problems:  impersonation of
> a reassembly request and a MitM of a reassembly request. Are there other
> attacks? Are you trying to mitigate any of these?
>
> Two comments:
>
> * The Lightning Network community has added to their BIP32 mnemonics the
> ability to have a birthday in the seed, to make it easier  to scan the
> blockchain for keys, as well as a byte with some way to know how to derive
> keys paths for it. I don’t seee a BOLT for this (it was mentioned in
> https://bitcoin.stackexchange.com/questions/74805/what-is-birthday-in-the-context-of-bip39-lightning-seed-generation)
>  I would suggest that you also get some of their latest thoughts and
> incorporate them.
>
> * I worked with Chris Vickery while at Blockstrham on various possible
> ways to improve mnemonic word lists. I’m not suggesting that you
> necessarily go as far as we did to try to create a mnemonic that is iambic
> pentameter poetry (inspired by
> https://www.isi.edu/natural-language/mt/memorize-random-60.pdf), however,
> we did find sources for words that are concrete (for example table is more
> concrete than truth
> http://crr.ugent.be/papers/Brysbaert_Warriner_Kuperman_BRM_Concreteness_ratings.pdf
> ) or have strong emotional valence attachment (truth is more emotional than
> table), both of which make can words more memorable. I also found lists of
> words that are hard to pronounce unless you are English native, and
> eliminated them from my own list.
>
> Among the results of this was a new BIP-39 2048 word compatible word list
> filtered for memorability (concreteness & emotional valence) and
> suitability for iambic pentameter, which is located:
>
>
> https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/iambic-wordlist.json
>
>
> …which was created from the repo at
>
> https://github.com/ChristopherA/password_poem
>
> You can a number of other word lists that I’ve collected here
> https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/
>
> If you want to replicate what we did with your own criteria, you may want
> to incorporate information from the CMU dictitionary
> http://www.speech.cs.cmu.edu/cgi-bin/cmudict, the top 5000 words
> https://github.com/Christop

Re: [bitcoin-dev] A BIP proposal for transactions that are 'cancellable'

2018-09-06 Thread vizeet srivastava via bitcoin-dev 
I feel it is breaking a principle that if a transaction is valid it remains
valid. There might be dangerous repercussions to breaking that rule. For
instance chain of transaction become invalid which might lead to losses.

On Thu 6 Sep, 2018, 6:37 PM Alejandro Ranchal Pedrosa via bitcoin-dev, <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hello everyone,
>
> We would like to propose a new BIP to extend OP_CSV (and/or OP_CLTV) in
> order for these to allow and interpret negative values. This way,
> taking the example shown in BIP 112:
>
> HASH160  EQUAL
> IF
>  
> ELSE
>  "24h" CHECKSEQUENCEVERIFY DROP
>  
> ENDIF
> CHECKSIG
>
> that gives ownership only to Bob for the first 24 hours and then to
> whichever spends first, we basically propose using the negative bit value:
>
> HASH160  EQUAL
> IF
>  
> ELSE
>  "-24h" CHECKSEQUENCEVERIFY DROP
>  
> ENDIF
> CHECKSIG
>
> meaning that both would have ownership for the first 24 hours, but
> after that only Bob would own such coins. Its implementation should
> not be too tedious, and in fact it simply implies considering negative
> values that are at the moment discarded as for the specification of
> BIP-112, leaving the sign bit unused.
>
> This, we argue, an increase the fairness of the users, and can at times
> be more cost-effective for users to do rather than trying a Replace-By-Fee
> transaction, should they want to modify such payment.
>
> We would like to have a discussion about this before proposing the
> BIP, for which we are preparing the text.
>
> You can find our paper discussing it here:
> https://hal-cea.archives-ouvertes.fr/cea-01867357 (find attached as well)
>
> Best,
>
> --
> Alejandro Ranchal Pedrosa, Önder Gürcan and Sara Tucci-Piergiovanni
>
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev