Re: [bitcoin-dev] BIP 158 Flexibility and Filter Size

2018-05-23 Thread Conner Fromknecht via bitcoin-dev 
Hi all,

Jimpo, thanks for looking into those stats! I had always imagined that there
would be a more significant savings in having all filters in one bundle, as
opposed to separate. These results are interesting, to say the least, and
definitely offer us some flexibility in options for filter sharding.

So far, the bulk of this discussion has centered around bandwidth. I am
concerned, however, that splitting up the filters is at odds with the other
goal of the proposal in offering improved privacy.

Allowing clients to choose individual filter sets trivially exposes the
type of
data that client is interested in. This alone might be enough to
fingerprint the
function of a peer and reduce anonymity set justifying their potential
behavior.

Furthermore, if a match is encountered, and block requested, full nodes have
more targeted insight into what caused a particular match. They could infer
that
the client received funds in a particular block, e.g., if they are only
requesting
output scripts.

This is above and beyond the additional complexity of now syncing,
validating,
and managing five or six distinct header/filter-header/filter/block chains.

I agree that saving on bandwidth is an important goal, but bandwidth and
privacy
are always seemingly at odds. Strictly comparing the bandwidth requirements
of
a system that heavily weighs privacy to existing ones, e.g. BIP39, that
don't is a
losing battle IMO.

I'm not fundamentally opposed to splitting the filters, I certainly see the
arguments for flexibility. However, I also want to ensure we are
considering the
second order effects that fall out of optimizing for one metric when others
exist.

Cheers,
Conner
On Wed, May 23, 2018 at 10:29 Gregory Maxwell via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Any chance you could add a graph of input-scripts  (instead of input
> outpoints)?
>
> On Wed, May 23, 2018 at 7:38 AM, Jim Posen via bitcoin-dev
>  wrote:
> > So I checked filter sizes (as a proportion of block size) for each of the
> > sub-filters. The graph is attached.
> >
> > As interpretation, the first ~120,000 blocks are so small that the
> > Golomb-Rice coding can't compress the filters that well, which is why the
> > filter sizes are so high proportional to the block size. Except for the
> > input filter, because the coinbase input is skipped, so many of them
> have 0
> > elements. But after block 120,000 or so, the filter compression converges
> > pretty quickly to near the optimal value. The encouraging thing here is
> that
> > if you look at the ratio of the combined size of the separated filters vs
> > the size of a filter containing all of them (currently known as the basic
> > filter), they are pretty much the same size. The mean of the ratio
> between
> > them after block 150,000 is 99.4%. So basically, not much compression
> > efficiently is lost by separating the basic filter into sub-filters.
> >
> > On Tue, May 22, 2018 at 5:42 PM, Jim Posen  wrote:
> >>>
> >>> My suggestion was to advertise a bitfield for each filter type the node
> >>> serves,
> >>> where the bitfield indicates what elements are part of the filters.
> This
> >>> essentially
> >>> removes the notion of decided filter types and instead leaves the
> >>> decision to
> >>> full-nodes.
> >>
> >>
> >> I think it makes more sense to construct entirely separate filters for
> the
> >> different types of elements and allow clients to download only the ones
> they
> >> care about. If there are enough elements per filter, the compression
> ratio
> >> shouldn't be much worse by splitting them up. This prevents the
> exponential
> >> blowup in the number of filters that you mention, Johan, and it works
> nicely
> >> with service bits for advertising different filter types independently.
> >>
> >> So if we created three separate filter types, one for output scripts,
> one
> >> for input outpoints, and one for TXIDs, each signaled with a separate
> >> service bit, are people good with that? Or do you think there shouldn't
> be a
> >> TXID filter at all, Matt? I didn't include the option of a prev output
> >> script filter or rolling that into the block output script filter
> because it
> >> changes the security model (cannot be proven to be correct/incorrect
> >> succinctly).
> >>
> >> Then there's the question of whether to separate or combine the headers.
> >> I'd lean towards keeping them separate because it's simpler that way.
> >
> >
> >
> > ___
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/b

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

2017-06-08 Thread Conner Fromknecht via bitcoin-dev 
I don't normally post here, but I'm sorry, if you don't see those two as
equal, then I think you have misunderstood the *entire* value proposition
of cryptocurrencies.

The state of any cryptocurrency should entirely (and only) be defined by
its ledger. If the state of the system can be altered outside of the rules
governing its ledger, then the system isn't secure. It doesn't matter
whether the people making those changes are the ones that are leading the
project or not. An "irregular state change" is a fancy term for a bailout.

I'm sure I speak for more than myself in saying that an "irregular state
change" is equivalent to modifying the underlying ledger. Let's not let
semantics keep us from recognizing what actually took place.

-Conner

On Wed, Jun 7, 2017 at 14:14 Nick Johnson via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Wed, Jun 7, 2017 at 5:27 PM Tao Effect  wrote:
>
>> Nick,
>>
>> Please don't spread misinformation. Whatever you think of the DAO hard
>> fork, it's a simple fact that the Ethereum ledger was not edited.
>>
>>
>> This sort of email is unhelpful to this conversation, and it certainly
>> doesn't help with the perception that Ethereum is nothing but a bunch of
>> hypocritical Bankers 2.0.
>>
>
>
>>
>> Everyone knows you didn't edit Ethereum Classic, but the the hard fork,
>> which was re-branded as Ethereum, was edited.
>>
>
> That's not what I was suggesting. My point is that the ledger was never
> edited. An 'irregular state change' was added at a specific block height,
> but the ledger remains inviolate.
>
> I'm sure I don't have to explain the difference between the ledger and the
> state to you, or why it's significant that the ledger wasn't (and can't be,
> practically) modified.
>
> -Nick
>
>
>> - Greg
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing 
>> with
>> the NSA.
>>
>> On Jun 7, 2017, at 6:25 AM, Nick Johnson  wrote:
>>
>> On Wed, Jun 7, 2017 at 12:02 AM Gregory Maxwell via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
>>>  wrote:
>>> > I believe the severity of replay attacks is going unvoiced and is not
>>> > understood within the bitcoin community because of their lack of
>>> experience
>>> > with them.
>>>
>>> Please don't insult our community-- the issues with replay were
>>> pointed out by us to Ethereum in advance and were cited specifically
>>> in prior hardfork discussions long before Ethereum started editing
>>> their ledger for the economic benefit of its centralized
>>> administrators.
>>
>>
>> Please don't spread misinformation. Whatever you think of the DAO hard
>> fork, it's a simple fact that the Ethereum ledger was not edited.
>>
>> -Nick Johnson
>>
>>
>> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev