Technical: Taproot: Why Activate?

This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester your wallet vendor/implementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisignature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and it can sign with you to refund the funds back to you (if the seller was a scammer) or sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus contracts --- which require multiple people, by definition, you don't make contracts with yourself --- are made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script construction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given public key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developer/manufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some data given to you by the developer/manufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developer/manufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)
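An added example (my own, not code from the post) covering two of the claims above: the "one signature for a 2-of-2" from the multisignature section, and the PTLC adaptor-signature trick from this section. It uses a small pure-Python secp256k1 and a simplified Schnorr scheme (e = H(R || X || m) over full points, not BIP340's tagged hash and x-only keys), so it demonstrates the linearity argument rather than wire-compatible Bitcoin signatures. Key aggregation is shown as a plain sum; real wallets use MuSig2, which adds key tweaking against rogue-key attacks. All secrets in the demo are constructed values.

```python
import hashlib
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity

# secp256k1 parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G: Point = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
            0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p: Point, q: Point) -> Point:
    """Affine point addition; slow but enough to show the algebra."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k: int, p: Point = G) -> Point:
    """Double-and-add scalar multiplication k*p."""
    r: Point = None
    k %= N
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r

def enc(p: Point) -> bytes:
    return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")

def challenge(R: Point, X: Point, msg: bytes) -> int:
    """e = H(R || X || m). Simplified; BIP340 uses a tagged hash and x-only keys."""
    return int.from_bytes(hashlib.sha256(enc(R) + enc(X) + msg).digest(), "big") % N

def verify(X: Point, msg: bytes, sig: Tuple[Point, int]) -> bool:
    """Schnorr verification: s*G == R + e*X."""
    R, s = sig
    return mul(s) == add(R, mul(challenge(R, X, msg), X))

def cosign_2of2(x1: int, x2: int, r1: int, r2: int, msg: bytes) -> Tuple[Point, Tuple[Point, int]]:
    """Two signers, one signature: keys and nonces are summed, each party gives
    s_i = r_i + e*x_i, and the sum verifies under X = X1 + X2 (linearity)."""
    X = add(mul(x1), mul(x2))
    R = add(mul(r1), mul(r2))
    e = challenge(R, X, msg)
    s1 = (r1 + e * x1) % N
    s2 = (r2 + e * x2) % N
    return X, (R, (s1 + s2) % N)

def ptlc_round(x_buyer: int, x_seller: int, r_buyer: int, r_seller: int,
               t: int, msg: bytes) -> Tuple[bool, bool]:
    """Adaptor-signature PTLC. The seller holds scalar t (the activation code);
    point T = t*G was agreed beforehand. Returns (onchain signature valid,
    buyer recovered t from that signature)."""
    X_seller, R_seller, T = mul(x_seller), mul(r_seller), mul(t)
    X = add(mul(x_buyer), X_seller)
    R = add(add(mul(r_buyer), R_seller), T)  # the nonce commits to T
    e = challenge(R, X, msg)
    # Seller's adaptor signature: its partial signature, still missing t.
    s_adaptor = (r_seller + e * x_seller) % N
    # Buyer checks the adaptor using public data only before contributing.
    if mul(s_adaptor) != add(R_seller, mul(e, X_seller)):
        return False, False
    s_buyer = (r_buyer + e * x_buyer) % N
    # Seller completes with t and broadcasts (R, s); it looks like any Schnorr signature.
    s = (s_buyer + s_adaptor + t) % N
    # Buyer subtracts the two parts it already knows and learns t.
    t_recovered = (s - s_buyer - s_adaptor) % N
    return verify(X, msg, (R, s)), mul(t_recovered) == T

# Constructed demo secrets; real keys and nonces must be random, nonces never reused.
if __name__ == "__main__":
    X, sig = cosign_2of2(0x1111, 0x2222, 0x3333, 0x4444, b"spend 2-of-2 output")
    print("aggregated 2-of-2 signature valid:", verify(X, b"spend 2-of-2 output", sig))
    print("PTLC valid / scalar recovered:",
          ptlc_round(0x1111, 0x2222, 0x3333, 0x4444, 0x5555, b"pay for activation"))
```

The deniability point from the text is visible in `ptlc_round`: the published pair `(R, s)` verifies like any other signature, and only someone holding `s_buyer` and `s_adaptor` can subtract them to recover `t`.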

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computers --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

submitted by almkglor to Bitcoin [link] [comments]

⚡ Lightning Network Megathread ⚡

Last updated 2018-01-29
This post is a collaboration with the Bitcoin community to create a one-stop source for Lightning Network information.
There are still questions in the FAQ that are unanswered, if you know the answer and can provide a source please do so!

⚡What is the Lightning Network? ⚡

Explanations:

Image Explanations:

Specifications / White Papers

Videos

Lightning Network Experts on Reddit

  • starkbot - (Elizabeth Stark - Lightning Labs)
  • roasbeef - (Olaoluwa Osuntokun - Lightning Labs)
  • stile65 - (Alex Akselrod - Lightning Labs)
  • cfromknecht - (Conner Fromknecht - Lightning Labs)
  • RustyReddit - (Rusty Russell - Blockstream)
  • cdecker - (Christian Decker - Blockstream)
  • Dryja - (Tadge Dryja - Digital Currency Initiative)
  • josephpoon - (Joseph Poon)
  • fdrn - (Fabrice Drouin - ACINQ )
  • pmpadiou - (Pierre-Marie Padiou - ACINQ)

Lightning Network Experts on Twitter

  • @starkness - (Elizabeth Stark - Lightning Labs)
  • @roasbeef - (Olaoluwa Osuntokun - Lightning Labs)
  • @stile65 - (Alex Akselrod - Lightning Labs)
  • @bitconner - (Conner Fromknecht - Lightning Labs)
  • @johanth - (Johan Halseth - Lightning Labs)
  • @bvu - (Bryan Vu - Lightning Labs)
  • @rusty_twit - (Rusty Russell - Blockstream)
  • @snyke - (Christian Decker - Blockstream)
  • @JackMallers - (Jack Mallers - Zap)
  • @tdryja - (Tadge Dryja - Digital Currency Initiative)
  • @jcp - (Joseph Poon)
  • @alexbosworth - (Alex Bosworth - yalls.org)

Medium Posts

Learning Resources

Books

Desktop Interfaces

Web Interfaces

Tutorials and resources

Lightning on Testnet

Lightning Wallets

Place a testnet transaction

Altcoin Trading using Lightning

  • ZigZag - Disclaimer: You must trust ZigZag to send to Target Address

Lightning on Mainnet

Warning - Testing should be done on Testnet

Atomic Swaps

Developer Documentation and Resources

Lightning implementations

  • LND - Lightning Network Daemon (Golang)
  • eclair - A Scala implementation of the Lightning Network (Scala)
  • c-lightning - A Lightning Network implementation in C
  • lit - Lightning Network node software (Golang)
  • lightning-onion - Onion Routed Micropayments for the Lightning Network (Golang)
  • lightning-integration - Lightning Integration Testing Framework
  • ptarmigan - C++ BOLT-Compliant Lightning Network Implementation [Incomplete]

Libraries

Lightning Network Visualizers/Explorers

Testnet

Mainnet

Payment Processors

  • BTCPay - Next stable version will include Lightning Network

Community

Slack

IRC

Slack Channel

Discord Channel

Miscellaneous

⚡ Lightning FAQs ⚡

If you can answer please PM me and include source if possible. Feel free to help keep these answers up to date and as brief but correct as possible
Is Lightning Bitcoin?
Yes. You pick a peer and after some setup, create a bitcoin transaction to fund the lightning channel; it’ll then take another transaction to close it and release your funds. You and your peer always hold a bitcoin transaction to get your funds whenever you want: just broadcast to the blockchain like normal. In other words, you and your peer create a shared account, and then use Lightning to securely negotiate who gets how much from that shared account, without waiting for the bitcoin blockchain.
Is the Lightning Network open source?
Yes, Lightning is open source. Anyone can review the code (in the same way as the bitcoin code)
Who owns and controls the Lightning Network?
Similar to the bitcoin network, no one will ever own or control the Lightning Network. The code is open source and free for anyone to download and review. Anyone can run a node and be part of the network.
I’ve heard that Lightning transactions are happening “off-chain”…Does that mean that my bitcoin will be removed from the blockchain?
No, your bitcoin will never leave the blockchain. Instead your bitcoin will be held in a multi-signature address as long as your channel stays open. When the channel is closed; the final transaction will be added to the blockchain. “Off-chain” is not a perfect term, but it is used due to the fact that the transfer of ownership is no longer reflected on the blockchain until the channel is closed.
Do I need a constant connection to run a lightning node?
Not necessarily,
Example: A and B have a channel. 1 BTC each. A sends B 0.5 BTC. B sends back 0.25 BTC. Balance should be A = 0.75, B = 1.25. If A gets disconnected, B can publish the first Tx where the balance was A = 0.5 and B = 1.5. If the node B does in fact attempt to cheat by publishing an old state (such as the A=0.5 and B=1.5 state), this cheat can then be detected on-chain and used to steal the cheater's funds, i.e., A can see the closing transaction, notice it's an old one and grab all funds in the channel (A=2, B=0). The time that A has in order to react to the cheating counterparty is given by the CheckLockTimeVerify (CLTV) in the cheating transaction, which is adjustable. So if A foresees that it'll be able to check in about once every 24 hours it'll require that the CLTV is at least that large, if it's once a week then that's fine too. You definitely do not need to be online and watching the chain 24/7, just make sure to check in once in a while before the CLTV expires. Alternatively you can outsource the watch duties, in order to keep the CLTV timeouts low. This can be achieved both with trusted third parties or untrusted ones (watchtowers). In the case of a unilateral close, e.g., you just go offline and never come back, the other endpoint will have to wait for that timeout to expire to get its funds back. So peers might not accept channels with extremely high CLTV timeouts. -- Source
What Are Lightning’s Advantages?
Tiny payments are possible: since fees are proportional to the payment amount, you can pay a fraction of a cent; accounting is even done in thousandths of a satoshi. Payments are settled instantly: the money is sent in the time it takes to cross the network to your destination and back, typically a fraction of a second.
Does Lightning require Segregated Witness?
Yes, but not in theory. You could make a poorer lightning network without it, which has higher risks when establishing channels (you might have to wait a month if things go wrong!), has limited channel lifetime, longer minimum payment expiry times on each hop, is less efficient and has less robust outsourcing. The entire spec as written today assumes segregated witness, as it solves all these problems.
Can I Send Funds From Lightning to a Normal Bitcoin Address?
No, for now. For the first version of the protocol, if you wanted to send a normal bitcoin transaction using your channel, you have to close it, send the funds, then reopen the channel (3 transactions). In future versions, you and your peer would agree to spend out of your lightning channel funds just like a normal bitcoin payment, allowing you to use your lightning wallet like a normal bitcoin wallet.
Can I Make Money Running a Lightning Node?
Not really. Anyone can set up a node, and so it’s a race to the bottom on fees. In practice, we may see the network use a nominal fee and not change very much, which only provides an incremental incentive to route on a node you’re going to use yourself, and not enough to run one merely for fees. Having clients use criteria other than fees (e.g. randomness, diversity) in route selection will also help this.
What is the release date for Lightning on Mainnet?
Lightning is already being tested on the Mainnet Twitter Link but as for a specific date, Jameson Lopp says it best
Would there be any KYC/AML issues with certain nodes?
Nope, because there is no custody ever involved. It's just like forwarding packets. -- Source
What is the delay time for the recipient of a transaction receiving confirmation?
Furthermore, the Lightning Network scales not with the transaction throughput of the underlying blockchain, but with modern data processing and latency limits - payments can be made nearly as quickly as packets can be sent. -- Source
How does the lightning network prevent centralization?
Bitcoin Stack Exchange Answer
What are Channel Factories and how do they work?
Bitcoin Stack Exchange Answer
How does the Lightning network work in simple terms?
Bitcoin Stack Exchange Answer
How are paths found in Lightning Network?
Bitcoin Stack Exchange Answer
How would the lightning network work between exchanges?
Each exchange will get to decide and need to implement the software into their system, but some ideas have been outlined here: Google Doc - Lightning Exchanges
Note that by virtue of the usual benefits of cost-less, instantaneous transactions, lightning will make arbitrage between exchanges much more efficient and thus lead to consistent pricing across exchange that adopt it. -- Source
How do lightning nodes find other lightning nodes?
Stack Exchange Answer
Does every user need to store the state of the complete Lightning Network?
According to Rusty's calculations we should be able to store 1 million nodes in about 100 MB, so that should work even for mobile phones. Beyond that we have some proposals ready to lighten the load on endpoints, but we'll cross that bridge when we get there. -- Source
Would I need to download the complete state every time I open the App and make a payment?
No you'd remember the information from the last time you started the app and only sync the differences. This is not yet implemented, but it shouldn't be too hard to get a preliminary protocol working if that turns out to be a problem. -- Source
What needs to happen for the Lightning Network to be deployed and what can I do as a user to help?
Lightning is based on participants in the network running lightning node software that enables them to interact with other nodes. This does not require being a full bitcoin node, but you will have to run "lnd", "eclair", or one of the other node softwares listed above.
All lightning wallets have node software integrated into them, because that is necessary to create payment channels and conduct payments on the network, but you can also intentionally run lnd or similar for public benefit - e.g. you can hold open payment channels or channels with higher volume, than you need for your own transactions. You would be compensated in modest fees by those who transact across your node with multi-hop payments. -- Source
Is there any way for someone who isn't a developer to meaningfully contribute?
Sure, you can help write up educational material. You can learn and read more about the tech at http://dev.lightning.community/resources. You can test the various desktop and mobile apps out there (Lightning Desktop, Zap, Eclair apps). -- Source
Do I need to be a miner to be a Lightning Network node?
No -- Source
Do I need to run a full Bitcoin node to run a lightning node?
lit doesn't depend on having your own full node -- it automatically connects to full nodes on the network. -- Source
LND uses a light client mode, so it doesn't require a full node. The light client it uses is called neutrino.
How does the lightning network stop "Cheating" (Someone broadcasting an old transaction)?
Upon opening a channel, the two endpoints first agree on a reserve value, below which the channel balance may not drop. This is to make sure that both endpoints always have some skin in the game as rustyreddit puts it :-)
For a cheat to become worth it, the opponent has to be absolutely sure that you cannot retaliate against him during the timeout. So he has to make sure you never ever get network connectivity during that time. Having someone else also watching for channel closures and notifying you, or releasing a canned retaliation, makes this even harder for the attacker. This is because if he misjudged you being truly offline you can retaliate by grabbing all of its funds. Spotty connections, DDoS, and similar will not provide the attacker the necessary guarantees to make cheating worthwhile. Any form of uncertainty about your online status acts as a deterrent to the other endpoint. -- Source
How many times would someone need to open and close their lightning channels?
You typically want to have more than one channel open at any given time for redundancy's sake. And we imagine open and close will probably be automated for the most part. In fact we already have a feature in LND called autopilot that can automatically open channels for a user.
Frequency will depend whether the funds are needed on-chain or more useful on LN. -- Source
Will the lightning network reduce BTC Liquidity due to "locking-up" funds in channels?
Stack Exchange Answer
Can the Lightning Network work on any other cryptocurrency? How?
Stack Exchange Answer
When setting up a Lightning Network Node are fees set for the entire node, or each channel when opened?
You don't really set up a "node" in the sense that anyone with more than one channel can automatically be a node and route payments. Fees on LN can be set by the node, and can change dynamically on the network. -- Source
Can Lightning routing fees be changed dynamically, without closing channels?
Yes but it has to be implemented in the Lightning software being used. -- Source
How can you make sure that there will be routes with large enough balances to handle transactions?
You won't have to do anything. With autopilot enabled, it'll automatically open and close channels based on the availability of the network. -- Source
How does the Lightning Network stop flooding nodes (DDoS) with micro transactions? Is this even an issue?
Stack Exchange Answer

Unanswered Questions

How do on-chain fees work when opening and closing channels? Who pays the fee?
How does the Lightning Network work for mobile users?
What are the best practices for securing a lightning node?
What is a lightning "hub"?
How does lightning handle cross chain (Atomic) swaps?

Special Thanks and Notes

  • Many links found from awesome-lightning-network github
  • Everyone who submitted a question or concern!
  • I'm continuing to format for an easier Mobile experience!
submitted by codedaway to Bitcoin [link] [comments]
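The "Do I need a constant connection" answer and the "How does the lightning network stop Cheating" answer above describe the same game: every superseded state hands the counterparty a revocation secret, and whoever broadcasts an old state loses everything if the other side notices before the delay window (the timeout the quoted answers describe; to_self_delay in BOLT terms) runs out. The block below is an added example that is not from the megathread or from lnd, eclair or c-lightning: a toy Python model of that game with state numbers, per-state revocation secrets and a block counter, so the relationship between the check-in interval and the delay can be exercised. It does not model wire messages, shachain derivation or real transactions; all amounts, heights and names are constructed.

```python
# Added example (not from the megathread or any Lightning implementation):
# a toy model of the revocation/penalty game. Constructed values throughout.
import hashlib

class Party:
    def __init__(self, name):
        self.name = name
        self.secrets = {}   # my own revocation secret for each state I signed
        self.revoked = {}   # counterparty's revealed secrets, keyed by their hash

    def new_secret(self, number):
        # Constructed deterministic secret; real nodes derive these from a shachain.
        s = hashlib.sha256(f"{self.name}:{number}".encode()).digest()
        self.secrets[number] = s
        return hashlib.sha256(s).digest()   # only the hash goes into the state

    def reveal(self, number):
        # Handing over the secret is what makes an old state unsafe to broadcast.
        return self.secrets.pop(number)

class State:
    def __init__(self, number, bal_a, bal_b, rev_hash_a, rev_hash_b):
        self.number, self.bal_a, self.bal_b = number, bal_a, bal_b
        self.rev_hash_a, self.rev_hash_b = rev_hash_a, rev_hash_b

class Channel:
    def __init__(self, a, b, fund_a, fund_b, to_self_delay):
        self.a, self.b, self.to_self_delay = a, b, to_self_delay
        self.states = [State(0, fund_a, fund_b, a.new_secret(0), b.new_secret(0))]

    def current(self):
        return self.states[-1]

    def pay(self, payer, amount):
        cur = self.current()
        delta = -amount if payer is self.a else amount
        bal_a, bal_b = cur.bal_a + delta, cur.bal_b - delta
        if bal_a < 0 or bal_b < 0:
            raise ValueError("insufficient channel balance")
        n = cur.number + 1
        self.states.append(State(n, bal_a, bal_b, self.a.new_secret(n), self.b.new_secret(n)))
        # Both sides revoke the previous state by giving the other their old secret.
        self.b.revoked[cur.rev_hash_a] = self.a.reveal(cur.number)
        self.a.revoked[cur.rev_hash_b] = self.b.reveal(cur.number)

def settle(channel, broadcaster, state, broadcast_height, checkin_interval):
    """`broadcaster` publishes `state` at `broadcast_height`. The other party
    scans the chain only every `checkin_interval` blocks; the broadcaster can
    sweep its own output once `to_self_delay` blocks have passed.
    Returns (balance_a, balance_b, verdict)."""
    victim = channel.b if broadcaster is channel.a else channel.a
    rev_hash = state.rev_hash_a if broadcaster is channel.a else state.rev_hash_b
    secret = victim.revoked.get(rev_hash)
    if secret is None:
        return state.bal_a, state.bal_b, "valid close"   # latest state, nothing to punish
    assert hashlib.sha256(secret).digest() == rev_hash
    first_scan = -(-broadcast_height // checkin_interval) * checkin_interval  # next check-in
    if first_scan >= broadcast_height + channel.to_self_delay:
        return state.bal_a, state.bal_b, "cheat succeeded"   # noticed too late
    total = state.bal_a + state.bal_b
    return (total, 0, "penalty") if victim is channel.a else (0, total, "penalty")

def demo():
    """The 1 BTC / 0.5 BTC / 0.25 BTC walk-through from the FAQ, in satoshis."""
    alice, bob = Party("alice"), Party("bob")
    ch = Channel(alice, bob, 100_000_000, 100_000_000, to_self_delay=1008)  # about one week
    ch.pay(alice, 50_000_000)
    ch.pay(bob, 25_000_000)
    old = ch.states[1]   # bob was better off here: 0.5 / 1.5 BTC
    daily = settle(ch, bob, old, 1000, 144)         # alice checks in once a day
    fortnightly = settle(ch, bob, old, 1000, 2016)  # alice checks in every two weeks
    honest = settle(ch, bob, ch.current(), 1000, 2016)
    return daily, fortnightly, honest
```

`demo()` returns the three outcomes the answers describe: with a one-week delay and a daily check-in the cheat is punished and Alice takes the whole channel; with a two-week check-in the same cheat succeeds because the delay has expired before Alice looks; and broadcasting the current state is simply a valid close at the latest balances. Outsourcing to a watchtower is the same code with a shorter `checkin_interval`, which is why it lets peers accept a smaller `to_self_delay`.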

Introducing Tari: A Decentralised Assets Protocol Built on Monero

What is Tari?

Tari is a decentralised assets protocol that is going to be built on top of Monero. Think of it as something like coloured coins or CounterParty, but for Monero and a lot more scalable (i.e. not using an embedded consensus mechanism).

How is it built "on top of Monero"?

Tari will have a native token, like Counterparty, but it will operate as a merge-mined sidechain. Miners will be able to earn Tari block reward and fees as they mine Monero. In addition to binding itself to Monero's security model, Tari will also support atomic swaps between itself and Monero.

Who is building it?

Everyone! Tari will be an open-source project very much in the spirit of Monero, to the point of reusing a lot of the patterns we've developed for Monero over the years. However, it will initially be a little bit more centralised than Monero, which is fine as it is a layer 2 project that can afford to experiment a little without impacting on the purity of Monero's robustness and decentralisation.
This early form of centralisation comes in the form of the Tari organisation, which will act as a steward of the protocol in much the same way as the Monero Core Team acts as a steward of Monero. However, we have also formed Tari Labs based out of Johannesburg, South Africa, and we are in the process of hiring researchers, developers, and others, who will be among the first contributors to Tari.
That said, we do not believe that Tari Labs should be the sole owners of the ever-evolving design and architecture of the protocol, nor should they be the decision makers. They are merely a bunch of clever people working alongside anyone in the community that wishes to contribute to the Tari protocol.
If you would like to work at Tari Labs, and live in South Africa or are willing to relocate, then please do look at the available positions on the Tari website. Please note that on principle Tari Labs will not employ existing Monero contributors, so as not to place a drain on the relatively limited developer resources available to the Monero project.

You keep saying "we"...who is "we"?

Tari has been founded by myself (Riccardo Spagni), Naveen Jain, and Dan Teree. You can read more about us, as well as some of the other contributors to this very nascent project, on the About page on the Tari website.

So you're doing an ICO?

I will slay you where you stand.

Well then how will you pay for this?

I've decided to sell my watch and my power glove, obviously:-P
Seriously, though, Tari is backed by some of the world's leading top-tier VC firms, such as Redpoint, Trinity Ventures, Canaan Partners, Slow Ventures, Aspect Ventures, as well as some of the leading blockchain VC firms.

How does this benefit Monero?

Our investors believe in what we want to build with Tari, but they also believe in Monero as the world's leading private digital currency, and also as a powerful base layer upon which projects can be built. Because of this, we have capital that we are using to not only build the Tari protocol, but to enhance aspects of the Monero software stack and ecosystem.
Consider three examples of areas the Tari Labs team will be focusing on over the next year:
In addition, Tari has plans for ways we can more directly support Monero development in the future through the creation of development hubs around the world, where people will be able to apply for grants that will let them work on Monero or Tari for a period of time. This concept, whilst still in its infancy and quite far away from inception, will provide people with the opportunity to contribute to the Monero codebase, research, and ecosystem on a more regular, full-time basis.

Does this mean fluffypony is leaving Monero?!

No, not at all! In order to free up time for me to work on Tari I have taken two major steps in my professional life:
  1. I have stepped down as CEO of MyMonero, and have handed the reins to the very competent Paul Shapiro (aka endogenic). We are in the process of the last few bits being totally handed over, after which I will be non-operational on MyMonero.
  2. I have stepped down as CEO of GloBee, and have appointed a new CEO to replace me, Felix Honigwachs. Felix comes with a wealth of experience, having been a senior manager at Microsoft and at SAP, and more recently having been the founder and now-former CEO of one of the most influential healthcare software startups in South Africa. I have already become largely non-operational on GloBee as Felix has slid nicely into the role, even taking over my office and making me move to our management company's offices next door;)
That said, over the past year I've been reducing my roles within the Monero project itself, in order to ensure I am never a bus factor. Members of the community have stepped up to fill these roles, including Monero Core Team member luigi1111 taking over as lead maintainer on the Monero website and Monero GUI repos. I am determined to further reduce any reliance on me over time by continuing this trend, with an eventual goal of handing off the task of lead maintainer on the Monero CLI repo once we have added full support for deterministic builds.
My role in Monero will then solely focus on advocacy for Monero and privacy, technical advice and counsel to the contributors and maintainers where necessary, and I will continue to serve on the Core Team for as long as I am required and able to. In addition, I will also be spending a lot more time on the Monero Enterprise Alliance, which I hope to one day meme into existence.

What technologies will Tari be built in?

While some of the moving parts will be determined among the development community as it comes together, one thing we have already decided on is to use Rust as our language of choice for the Tari protocol software. The decision to use Rust is partly because we believe that Rust is an incredibly capable language that is purpose-built for lower-level high performance software like this, but largely because we want to make sure that Tari does not drain any of the existing Monero contributor support.

This all sounds exciting...where do I sign up?

As mentioned before, we're reusing a lot of the patterns that have served the Monero community well over the past four years, some of which I'm directly responsible for and was quite surprised they worked at all;) The best places to join in the discussion and get involved with the burgeoning community are at:
submitted by fluffyponyza to Monero [link] [comments]

Surae's (me) end-of-November (2017!) update.

You can check it out on the forums here. Here's a copypasta:
Surae's End of November (2017!) Update
Hello, everyone! Sarang posted his update a few days ago to give the community time to review his work before the end of the month. I was hoping to finish multisig off before the end of this month... so I held off on writing this update until then... but it looks like I'm somewhere between 2 days and a week behind on that estimate.
MRL Announcements
Meetings. We are holding weekly meetings on Mondays at 17:00 UTC. Logs are to be posted on my github soon(tm). Usually we alternate between "office hours" and "research meetings." At office hours, we want members of the community to come in and be able to ask questions, so we are considering opening up a relay to the freenode channel during office hours times, unless things get out of hand.
POW-Difficulty Replacement Contest. Some time in December, I am going to formalize an FFS "idea" to open up a multiple-round contest for possible replacements for our proof of work game. The first round would have a 3- or 6-month deadline. Personally, I would love it if this FFS could have an unbounded reward amount. If the community is extremely generous, we could easily whip up a large enough reward to spur lots and lots of interest across the world.
The Bitcoin POW game uses SHA256 to find nonces that produce hashes with sufficiently small digests according to the Bitcoin difficulty metric. Our current POW game uses CryptoNight to find nonces that produce hashes with sufficiently small digests according to the CryptoNote difficulty metric. The winner need not be proof of work. My current thoughts are roughly this:
All submissions will be public. Submissions that minimize incentives for centralized mining (or maximize disincentives) will be preferred over submissions that do not. Submissions that are elegant will be preferred over submissions that are not. Submissions that have provable claims about desirable properties will be preferred over submissions that do not (e.g. for either the Bitcoin or the Monero POW games, the necessary and sufficient network conditions for these games to produce blocks in a Poisson process have not been identified, to my understanding). Submissions that have a smaller environmental impact will be preferred over submissions that have a larger impact. And so on. I would like as many ideas as possible about a judging rubric for the first round. Especially if a large amount of money will be put up as a prize.
The details of the next round would be announced along with the winners of the first round. The reward funds should be released when a set of judges agree on a winner. MRL and Monero Core should each have representation on the panel of judges, and there ought to be at least one independent judge not directly associated with the Monero Project, like Peter Todd, Tim Ruffing, or someone along those lines. But, again, this is just an idea. If the community doesn't like it, we can drop it.
Here is a rundown for November
Multisig. Almost done. I know, I know, it's been forever. We, as a community, have recently come to see how important it is to carefully and formally ensure the correctness of our schemes before proceeding. Multisig is a delicate thing because a naively implemented multisig can reveal information about the participants.
I'm finishing vetting key creation today, finishing signatures tomorrow and the next day. Then I'm passing the result off to moneromooo and luigi to ensure that my description of their code is accurate up to their understanding. Then onto Sarang for final reviews before submission, hopefully by the end of the month. I have my life until Sunday evening blocked off to finish this. A copy of the document will be made available to the community ASAP (an older version is on my github), after more checking and writing is completed.
This whitepaper on multisig will be broken into two papers: one will be intended for peer review describing multi-ring signatures, and one will be a Monero Standard. More about that later...
RTRS RingCT column-linkability and amortization. You may say "what? I thought we were putting RTRS RingCT on the back burner?" Well, I'm still thinking about amortization of signatures. I'm thinking it will be possible (although perhaps not feasible) for miners to include amortized signatures upon finding new blocks. This would allow users to cite an amortized signature for fast verification, but has some possible drawbacks. But more exciting, I'm also chatting with Tim Ruffing, one of the authors on the RTRS RingCT papers: he thinks he has a solution to our "linkability by columns" problem with MLSAG and RingCT. Currently we try to avoid using more than one ring signature per recipient. This avoids linking distinct outputs based on bundling of these ring signatures. Ruffing believes RTRS RingCT can be tweaked to prove several commitments in a vector of commitments; this would allow a single RTRS RingCT to be computed and checked for each output being spent.
Once all the details are checked, I'll write up a document and make a copy of it available to the community. If it works, of course.
Consequences of bulletproofs. In my last end-of-month update I hinted at issues with an exponential space-time trade-off in RTRS RingCT. Due to the speed and space savings with bulletproofs, it may now be feasible to implement RTRS RingCT. With improved verification time savings with bulletproofs we can relax our requirements for verification times for signatures. This will allow the slightly longer verification times of RTRS RingCT to be counter-acted. Solving the problem "what ring sizes can we really get away with?" involves some modeling and solving some linear programming problems (linear programming, or linear optimization, is an anachronistically named area of applied mathematics involved with optimizing logistic problems... see here for more information).
Hence, we will be inserting bulletproofs into Monero with low friction, and then we will look into the logistics of moving to RTRS RingCT.
Monero Standards. Right now, we don't have a comprehensive list of how Monero works, all the various primitives and how they all fit together. Sarang and I have begun working on some Monero Standards that are similar to the original Cryptonote Standards (see here for more information). For each standard, from our hash function on upward, we will describe the standard, provide a justification for Monero's choices in those standards (complete with references), as well as a list of possible replacement standards. For example, our Monero RingCT Standard should describe the RingCT scheme described by shen, which is essentially a ring signature with linear combinations of signing keys + amount commitments. Under the "possible replacements" section, we would describe both the RTRS RingCT scheme and the doubly efficient zk-snark technology as two separate options.
These standards may take awhile to complete, and will be living documents as we change the protocol over the years. In the meantime, it will make it dramatically easier for future researchers to step into MRL and pick up where previous researchers have left off.
Hierarchical view keys. Exploiting the algebra we currently use for computing one-time keys, the sub-address scheme plays with view keys in a certain way, allowing a user to have one single view key for many wallets. Similarly, we may split a view key into several shares, where each subset of shares can be used to grant partial view access to the wallet. A receiver can request that a sender use a particular basepoint in their transaction key where different subsets of shares of the view key grant access to transactions with different basepoints in their transaction keys. None of these are protocol-level observations, they are wallet-level observations. Moreover, these require only that a receiver optionally specify a basepoint.
In other words: hierarchical view keys are a latent feature of our one-time address scheme that has not seen specific development yet. It's a rather low priority compared to the other projects under development; it grants users fine-grained control over their legal compliance, but Monero Standards will have great long-term impact on development and research at Monero.
Criticisms. Monero has suffered some recent criticisms about our hash function. I want to briefly address them.
First, I believe part of the criticism came from a confusion between Keccak3, SHA-3, and Keccak: we have never claimed to use SHA-3 as our hash function, we have only used the Keccak3 hash function, which is a legacy choice inherited from the original CryptoNote reference code. Many developers confuse the two, but Keccak3 was the hash function on which SHA-3 is based. In particular, the Keccak sponge construction can be used to fashion lots and lots of primitives, all of which could fairly be called "Keccak:" both Keccak3 and SHA-3 are Keccak constructions. This may be a subtle nomenclature issue, but it's important because a good portion of our criticisms say "Hey, they aren't using SHA-3!"
Second, I believe part of the criticism also comes from our choice of library, which in my opinion isn't a big deal as long as the library does what it says on the tin. In this case, our hash function is a valid implementation of Keccak3 according to the Keccak3 documentation. The most important criticism, from my point of view, is our choice of pre-SHA-3 Keccak3 as our hash function. Keccak3 underwent lots of analysis during the SHA contest, and Keccak3 is a well-vetted hash function. However, it has not been chosen as an international standard. There is a sentiment in the cryptocurrency community to distrust standards, which is probably a healthy sentiment. In this case, however, it means that our choice of hash function is not likely to be supported in common, well-vetted libraries in the future. Moreover, since SHA-3 is an international standard, it shall be undergoing heavy stress testing over the coming decades, a benefit Keccak3 shall not enjoy.
Last month, after some discussions, we made changes to our choice of PRNG in Monero to match the PRNG for Bitcoin. There has since been some discussions instantiated by anonimal about this choice of PRNG. We at MRL are doing our best to assist the core team in weighing the relative costs and benefits of switching to a library like crypto++, and so we believe these criticisms fall into the same category. We intend to address these issues and make formal recommendations in the aforementioned Monero Standards. Sorry for using the word aforementioned.
Things that didn't move much include a) educational outreach, b) SPECTRE, c) anti-ASIC roadmap, d) refund transactions. Most of which was on hold to complete multisig.
As far as educational outreach, I contacted a few members of a few math/cs depts at universities around me, but I haven't gotten anything hopeful yet. I wanted to go local (with respect to me) to make it easier to organize, but that's looking less likely. No matter how enthusiastic of a department we find, garnering participation from faculty members, beginning an application process for new students, squirrelling up funding, working out logistics of getting teachers or lecturers/speakers from point A to point B, where to stash students, etc would be a challenge to finish before, say, July. And some schools start their fall semesters in mid-August. So I'm thinking that Summer 2019 is reasonable as the first Monero Summer School... and would be a real fun way to finish off a two-year post-doc!
December plan. I am going to finish multisig, and then finish the zk-lit review with Jeffrey Quesnelle, since these are both slam dunks. Any other time in December I have will be devoted to a) looking into the logistics of using the bulletproofs + RTRS RingCT set-up, b) reading the new zk-stark paper and assessing its importance for Monero, c) beginning work on Monero Standards, which includes addressing our hash function criticisms, our PRNG, etc.
Thank you again! This is an incredible opportunity, and this community is filled with some smart cookies. Every day is a challenge, and I couldn't ask for a more fun thing to be doing with my life right now. I'm hoping that my work ends up making Monero better for you.
submitted by snoether to Monero
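The hash-function point in the update above, as an added example that is not code from the MRL post or from the Monero project: a minimal pure-Python Keccak-256 sponge. Pre-standard Keccak (what the post calls Keccak3) and FIPS 202 SHA3-256 run the same Keccak-f[1600] permutation at the same rate and differ only in the padding domain-suffix byte (0x01 versus 0x06), which is exactly why Python's hashlib ships sha3_256 but no keccak_256 and why the two digests of one input never match. The "abc" and empty-message Keccak-256 values in the test are the published Keccak test vectors; the SHA3-256 path is checked against hashlib.

```python
import hashlib

# Added example, not Monero's own keccak implementation.  Only the suffix
# byte distinguishes the two constructions; everything else is shared.
KECCAK_SUFFIX = 0x01   # original Keccak (the pre-SHA-3 variant in the post)
SHA3_SUFFIX = 0x06     # FIPS 202 SHA-3 domain separation

MASK64 = (1 << 64) - 1

ROUND_CONSTANTS = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]

# Rotation offsets r[x][y] for the rho step.
ROTATION_OFFSETS = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def _rotl(v, n):
    """Rotate a 64-bit lane left by n bits."""
    return ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Apply the 24-round Keccak-f[1600] permutation to a 5x5 lane array."""
    for rc in ROUND_CONSTANTS:
        # theta: column parities mixed into every lane
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate each lane and move it to a new position
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rotl(lanes[x][y], ROTATION_OFFSETS[x][y])
        # chi: the only non-linear step
        lanes = [[b[x][y] ^ ((~b[(x + 1) % 5][y]) & b[(x + 2) % 5][y])
                  for y in range(5)] for x in range(5)]
        # iota: break symmetry with the round constant
        lanes[0][0] ^= rc
    return lanes


def keccak_sponge(data, out_len, suffix):
    """Generic sponge: pad with the given domain suffix, absorb, squeeze out_len bytes."""
    rate = 200 - 2 * out_len            # 136 bytes for a 32-byte digest
    padded = bytearray(data)
    padded.append(suffix)               # multi-rate padding: suffix, zeros, final 0x80
    while len(padded) % rate:
        padded.append(0)
    padded[-1] |= 0x80                  # merges with the suffix when the message is rate-1 long
    lanes = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate):
        block = padded[off:off + rate]
        for i in range(rate // 8):      # lane i sits at x = i % 5, y = i // 5, little-endian
            lanes[i % 5][i // 5] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        lanes = keccak_f1600(lanes)
    out = bytearray()
    for i in range(out_len // 8):       # a 32-byte digest fits in one squeeze
        out += lanes[i % 5][i // 5].to_bytes(8, "little")
    return bytes(out)


def keccak_256(data):
    """Original (pre-standard) Keccak-256."""
    return keccak_sponge(data, 32, KECCAK_SUFFIX)


def sha3_256(data):
    """FIPS 202 SHA3-256, same permutation, different suffix."""
    return keccak_sponge(data, 32, SHA3_SUFFIX)


def library_support():
    """Which of the two the Python standard library actually ships."""
    return {"sha3_256": hasattr(hashlib, "sha3_256"),
            "keccak_256": hasattr(hashlib, "keccak_256")}


if __name__ == "__main__":
    msg = b"abc"
    print("keccak256 ", keccak_256(msg).hex())
    print("sha3-256  ", sha3_256(msg).hex())
    print("hashlib   ", hashlib.sha3_256(msg).hexdigest())
    print("stdlib has", library_support())
```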

Welcome! If you're new to Monero, please take a few minutes to learn WHY Monero is different :)

Hello new and old faces! I noticed that there are more new faces here than usual, and I hope this post can help those who are perhaps a little lost.
The vast majority of existing members are here since we feel Monero is revolutionary. Monero is a tool that people can actually use. It makes receiving payments hassle-free, since merchants and individuals no longer need to fear the source of funds they are accepting. With transparent systems like Bitcoin, Ethereum, Verge, or Dash, these people need to hope (or spend substantial resources verifying) the sender did not use the funds illicitly. Furthermore, merchants do not want all their vendors known, and individuals do not want everyone to know how much they are spending. If I spend more than I should at Newegg, that's my own business.
Monero is different because every transaction is always private. There is no way for pools and exchanges to opt out of sending private transactions. Thus, Monero's anonymity set far exceeds any other coin's anonymity set. Over 86,000 transactions in the past month hid the sender and receiver, and about 99.95% of them also hid the amount (will increase to 100% of all new transactions in September)! There is no suspicion in using a private transaction, since all transactions are private. A single transaction does not stick out.*
This privacy is afforded with the best technology. I implore you to take a few minutes to learn about the four main technologies that Monero uses to provide privacy:
  1. Ring signatures hide where the money comes from. Spent inputs in a transaction are hidden among several others that also appear to be spent. Thus, no one knows which source of money is actually being spent. Think of inputs as individual dollars or euros. View a video about this topic here. Note: this is NOT the same as mixing.
  2. RingCT hides the amount. Instead of spending a known value of an input, you can cryptographically commit to a certain value without revealing what the value actually is. This is a very complicated topic, so please view this video for more information.
  3. Kovri is a work-in-progress tool to hide the transaction broadcast. Kovri will make it easy for users to hide their IP address when telling the network that they would like to make a transaction. Kovri will work with other cryptocurrencies and other projects through a common API, and Kovri can be used in a way to hide that you are using Monero at all. Kovri adds additional layers of network security for miners and pools, and it allows for the highest level of censorship resistance possible. A video for this project is not available yet, but you can check out the Kovri website. In the meantime, there are several guides to using Monero with Tor that work today, including an unofficial Tails build.
  4. Stealth addresses hide where the money goes to. Instead of sending money to a specific address directly, certain outputs are allocated for addresses, but outside observers do not know which addresses these belong to. Even if ring signatures were compromised for some reason, then people would still not know the sending address in a transaction thanks to stealth addresses. View a video about this topic here.
There are several other things that make Monero great! It has a smooth tail emission, dynamic blocks and fees, and an accessible Proof of Work (mining) algorithm. Feel free to ask around to learn more about these features. Try asking questions on the Monero StackExchange, or hop on IRC! Explore the website and community resources.
Monero's community is large, and we have several other subreddits to help organize it! Please also subscribe to the following that interest you:
  1. /r/xmrtrader for price speculation and talk.
  2. /r/MoneroMining for, er, Monero mining.
  3. /r/MoneroCommunity for those who want to help grow the community.
  4. /r/moonero for shitposts and memes.
  5. /r/MoneroMarket for buying and selling wares for Monero.
  6. /r/MoneroSupport for, you guessed it, Monero support.
Finally, Monero has the best team. Over 270 contributors have brought Monero to where it is today. The vast majority of people donate their time to help Monero, but a few get paid through the Forum Funding System (FFS). This is how Monero can be a strong project despite not taking a portion of the block rewards or launching with a premine.
Anyway, we hope you stick around beyond the hype. Monero has a lot going for it, and we hope you agree! We really need your help, since this project is entirely driven by the community!
P.S. Want a quick-start, simple your-grandma-could-do-it guide? Here's a great one!
*You can optionally choose a very large, unusual ringsize to make the transaction stick out. This is not recommended, and normal users who leave the ringsize at the default setting will not experience any issues. Also, it's possible for a user to manually add identifying information to the tx_extra field, which is something that a user must seriously go out of their way to do.
submitted by SamsungGalaxyPlayer to Monero

Heated discussion in #bitcoin-core-dev: "luke-jr: you are abusive towards me and the other contributors."

Small excerpt:
luke-jr sipa: we don't know that yet, and our recommendations should always be what is sane even if they get ignored.
sipa luke-jr: that's a reasonable position... but the code is written from a viewpoint that we will get weight-limited block construction
luke-jr: and the release notes should describe the code
luke-jr then the code is broken (sabotaged, it sounds like) and fixing it should be considered a blocker for any release.
sipa if that is your viewpoint, then it is segwit that is sabotaged
i disagree strongly with that
Further:
gmaxwell I am fed up with this.
luke-jr same here.
gmaxwell luke-jr: you are abusive towards me and the other contributors.
you are obsessing over minutia on top of minutia.
You are wasting countless hours exhausting all patience.
Over matters which do not matter. The few obscure miners which will set non-defaults even though they get abusive and threatening contact from users (which drives away their hashpower); can still do so. If it's slightly slower? so what--- the latest software is dozens of times faster to create blocks than older software and they hardly cared to upgrade.
it literally makes no difference in the world, and yet you force people to spend hours and hours debating these things.
and I get to spend my time asking others to not leave the project because they are exhausted by you; but it even exhausts me too.
The last block from eligius was 64 hours ago. It contained NO transactions. I would say that createnew block being merely 29.5 times faster than the old code it was running until recently instead of 30x faster won't matter. ... except it won't even see that difference when it mines empty blocks with no transactions at all.
When it does actually include transactions-- it appears to produce maximum size blocks just like everyone else: https://blockchain.info/block/00000000000000000...
The entire discussion is interesting. The conversation roughly starts here.
More context: https://github.com/bitcoin/bitcoin/pull/8459
submitted by SpiderImAlright to btc

PSA: Users, (solo)miners, exchanges/merchants, and pool operators must be on v0.10.1 in advance of the hardfork otherwise you will get forked/booted off the network. Miners, please contact your pool operator to ask them if they have upgraded | Monero v0.10.1 released - mandatory upgrade!

Approximately the 9th of January there will be a hardfork on the Monero network. Most pools have upgraded or are in the process of upgrading, but some have not upgraded yet. If they don't upgrade before the hardfork they will get forked/booted off the network. As a result you will miss out on revenue if you are mining on these pools. Thus, if you are mining on one of the pools that hasn't upgraded yet or hasn't scheduled an upgrade, please contact your pool owner as soon as possible and urge them to upgrade. Alternatively, you can switch to a pool that is on the right version.
Pool Upgraded Contact
MoneroHash YES [email protected] & https://monerohash.com/#support
MoneroWorld YES [email protected] & https://moneroworld.com/#support
mineXMR YES [email protected] & http://minexmr.com/#support
PoolTo YES [email protected] & http://webchat.freenode.net/?channels=%23poolto.be
Moneropool YES [email protected] & https://moneropool.com/#support
Prohash YES [email protected] & http://xmr.prohash.net/#support
Crypto-pool YES [email protected] & http://monero.crypto-pool.fr/
Dwarfpool YES [email protected] & http://dwarfpool.com/contact/
Alimabi YES [email protected] & http://xmr.alimabi.cn/#support
CryptMonero YES [email protected] & http://cryptmonero.com/#support
Minergate YES https://forum.minergate.com/
SupportXMR YES [email protected] & http://supportxmr.com/#support
XMRpool YES [email protected] & http://xmrpool.eu/#support
Sheepman YES [email protected] & http://sheepman.mine.bz/#support
CoolPool YES [email protected] & http://xmr.coolpool.io/#support
US.to YES http://monero.us.to/#support
MakeXMR YES [email protected] & https://makexmr.com/#support
USXmrPool YES [email protected] & https://www.usxmrpool.com/#support
SuprNova YES https://xmr.suprnova.cc/index.php?page=contactform&action=
PoolDD YES [email protected] & http://pooldd.com/#support
XMRpool.net YES -
XMRpool Murmansoft YES [email protected] & [email protected] & http://xmrpool.murmansoft.ru/#support
XMR Miningspeed YES [email protected] & http://xmr.miningspeed.com/#support

An important message for pool operators and miners

From MoneroMooo:
To all pool operators:
If you haven't already, you will need to update the node-cryptonote-util software in order for your pool to cross the January fork. I think many of the pool ops have done so already, but for those who are not in #monero-pools, you will need this patch: https://paste.fedoraproject.org/506116/17116821/
This applies to zone117x's version of the pool. There is a version of this ported to clintar's fork, which is here: https://github.com/M5M400/node-cryptonote-util/commit/37f50f9b535f0258c3a1c6f7247a891b4c211ff3.
If you're not running this when the fork happens, you will be forked off.
For pool miners, you may want to check with your pool op that they're running the patch a few days before the fork, and switch to a known good pool otherwise. Please prefer smaller pools when doing so.
Also bear in mind that running v0.10.1 or the GUI beta is mandatory. Any other versions will get booted off the network. Thus, miners, please email your pools and ask them if they are running v0.10.1 and have applied aforementioned patch.

General hardfork information

The upcoming fork will enable Ring Confidential Transactions. This will significantly enhance Monero's privacy. Note that they will not be enforced yet. That is, this hardfork will enable them, whereas the hardfork of September 2017 will enforce them. If you want to read more about Ring Confidential Transactions, see:
https://lab.getmonero.org/pubs/MRL-0005.pdf
https://monero.stackexchange.com/questions/tagged/ringct
Due to variance the hard fork will likely be on the 9th or 10th of January. A specific block height was determined for the hardfork, not a specific date. The specific blockheight for the hardfork can be found here. That is:
// version 4 starts from block 1220516
As a user you need to run either v0.10.1 or the Monero Core GUI Beta 1.

Monero v0.10.1 - Wolfram Warptangent - release

First and foremost, please upgrade to this version. A blockchain resync is not needed. Only this version will work after the fork of January 5. Note that this fork will enable Ring CT transactions, but will not enforce them yet.

Overview

This is a necessary point release of Monero v0.10 "Wolfram Warptangent", and is highly recommended as it includes consensus-changing fixes to the RingCT implementation and various other bug fixes.
Some highlights of this release are:

Official Download Links:

All available binaries can be found on the getmonero download page or on Github (at the bottom).
Official Direct Links:

Download Hashes

If you would like to verify that you have downloaded the correct file, please use the following SHA256 hashes:

Updating: Wallet Files

Simply create a new directory with the 0.10.1 binaries and copy your wallet files over to there. Make sure to backup your wallet files properly. If you need any help, feel free to PM me or respond in this thread. Note that your wallet contains three files, namely wallet.keys (this is the most important file, since it contains your keys), wallet (this is the wallet cache, which contains your transaction history and private tx keys), and wallet.address (which is just your public address). In addition, if you incur a bug whilst upgrading, you can always restore your wallet with the mnemonic seed as follows:
For Mac and Linux:
./monero-wallet-cli --restore-deterministic-wallet
On Windows make sure to launch it from the command line. Go to the folder where monero-wallet-cli is located and make sure your cursor isn't located on any of the files. Subsequently do SHIFT + right click and it will give you an option to "Open command window here". Lastly, type the following command:
monero-wallet-cli.exe --restore-deterministic-wallet
If you want to restore from the private keys instead of the mnemonic seed, replace --restore-deterministic-wallet with --generate-from-keys

Contributors for this Release

This release was the direct result of 29 people who worked, largely unpaid and altruistically, to put out 481 commits containing 10 517 new lines of code. We'd like to thank them very much for their time and effort. In no particular order they are:

GUI

You can find the release (and binaries) of the first beta here.
submitted by dEBRUYNE_1 to Monero

BITCOIN DIVORCE – BITCOIN CORE VS BITCOIN CASH EXPLAINED

Bitcoin and Bitcoin Cash are confusing, especially to newbies. They are likely unaware of the history and reasoning for the existence of these two coins. This ignorance is likely persisted by the censorship practised at bitcoin and Bitcointalk.org for several years. (rbitcoinbanned includes examples of the censoring.)
Most of the following is an explanation of the history of Bitcoin, when there was only one Bitcoin. Then it explains the in-fighting and why it forked into two Bitcoins: 1) Bitcoin Legacy and 2) Bitcoin Cash, which happens in the last section (THE DIVORCE). Feel free to suggest edits or corrections. Later, I will publish this on Medium as well.
BITCOIN WAS AN INSTRUMENT OF WAR
For Satoshi Nakamoto, the creator, and the initial supporters, Bitcoin was more than just a new currency. It was an instrument of war.
Who are they fighting against?
The government and central banks.
There is an abundance of evidence of this, starting with Satoshi Nakamoto’s original software.
BATTLE FOR ONLINE GAMBLING
Governments around the world ban online gambling by banning their currency from being used as payment. The original Bitcoin software included code for Poker. Yes, Poker.
Here is the original code: https://github.com/trottier/original-bitcoin/blob/master/src/uibase.cpp
Search for “Poker”, “Deal Me Out”, “Deal Hand”, “Fold”, “Call”, “Raise”, “Leave Table”, “DitchPlayer”.
Bitcoin gave the middle finger to the government and found a way to get around their ban. In the initial years, it was mainly gambling operators that used Bitcoin, such as SatoshiDice. Was this a coincidence? Gambling is one of the best, if not, the best application for Bitcoin. It was no wonder that gambling operators embraced Bitcoin, including gambling mogul Calvin Ayre.
Bitcoin enabled people to rebel against the government in other ways as well, such as Silk Road, which enabled people to buy and sell drugs.
ANTI-GOVERNMENT LIBERTARIANS AND CYPHERPUNKS
Libertarians seek to maximize political freedom and autonomy. They are against authority and state power. Cypherpunks are activists advocating widespread use of cryptography as a route to social and political change. Their common thread is their dislike for the government.
Bitcoin was created by libertarians and cypherpunks.
Satoshi Nakamoto used cryptography mailing lists to communicate with other cypherpunks such as Wei Dai. Satoshi Nakamoto wrote:
“It’s very attractive to the libertarian viewpoint if we can explain it properly. I’m better with code than with words though.”
Satoshi Nakamoto was rebellious to government control. Someone argued with Satoshi by stating: “You will not find a solution to political problems in cryptography.” Satoshi replied:
"Yes, but we can win a major battle in the arms race and gain a new territory of freedom for several years.
Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own.”
Nakamoto was critical of the central bank. He wrote:
"The root problem with conventional currency is all the trust that's required to make it work. The central bank must be trusted not to debase the currency, but the history of fiat currencies is full of breaches of that trust. Banks must be trusted to hold our money and transfer it electronically, but they lend it out in waves of credit bubbles with barely a fraction in reserve. We have to trust them with our privacy, trust them not to let identity thieves drain our accounts.”
It is no wonder that the first supporters of Bitcoin were libertarians as well, who agreed with Satoshi’s ideology and saw the potential of Bitcoin to fulfill their ideology.
One of the biggest benefits that Bitcoin supporters want, is “censorship resistance”. What does this mean? It means: to be able to spend your money any way you want. It means: how to get around government regulations and bans. It means: how to do something despite the government.
Roger Ver, an early Bitcoin supporter, heavily criticizes the government for engaging in wars around the world that kill civilians and children. When he ran as a Libertarian candidate in an election against the Republicans and Democrats, he criticized the ATF and FBI for murdering children in their raid in Waco, Texas. At the time, Ver and many other merchants were selling fireworks on eBay without a license. The ATF charged Ver and sent him to prison, but did not charge any of the other merchants. (https://youtu.be/N6NscwzbMvI?t=47m50s) This must have angered Ver a lot.
Since then, Ver has been on a mission to weaken and shrink the government. When he learned about Bitcoin in February 2011, he saw it as his weapon to accomplish his goal…his instrument of war.
Ver was already a multi-millionaire entrepreneur. He sold his company, bought Bitcoins and was the first to invest in Bitcoin startups, such as Bitpay, Blockchain.info, Kraken, Bitcoin.com, Bitcoinstore.com and others. Then he worked full-time to promote Bitcoin. Bitpay became the largest Bitcoin payment processor. Blockchain.info became the largest provider of Bitcoin wallets. Much of the growth of Bitcoin since 2011 can be attributed to Ver's companies.
More evidence of Ver’s anti-government sentiment emerged when he recently announced that he is working to create a society with no government at all (FreeSociety.com).
HOW TO WIN THE WAR
To win the war, Bitcoin must be adopted and widely used by the masses. When people use Bitcoin instead of their national fiat currency, the government becomes weaker. The government can no longer do the following:
It is not only important to get the masses to adopt Bitcoin, but it is also important to get them to adopt it quickly. If it takes a long time, governments will have more time to think twice about allowing Bitcoin to exist and will have more justifications to ban it. They can claim that Bitcoin is used for ransomware, terrorism, etc. If Bitcoin is adopted by the masses to buy everyday goods, such as food and clothing, then it will be harder for them to stop it.
IS BITCOIN WINNING?
Yes and no.
Bitcoin has definitely become more popular over the years. But, it is not achieving Satoshi Nakamoto’s goals.
Satoshi defined Bitcoin and his goal. The title of his white paper is:
“Bitcoin: A Peer-to-Peer Electronic Cash System”
Is Bitcoin being used as cash? Unfortunately, it is not. It is being used as a store of value. However, the title of Satoshi’s white paper was not:
“Bitcoin: A Store of Value”
There is utility in having a store of value, of course. People need it and Bitcoin has superior features to gold. Therefore, it is likely that Bitcoin can continue gaining in popularity and price as it continues to compete and take market share away from gold.
However, both gold and Bitcoin are not being used as currency.
If Bitcoin does not replace fiat currencies, will it weaken governments? No, because no matter how many people buy gold or Bitcoin (as a store of value), they do not weaken governments. To do so, Bitcoin must replace fiat currencies.
BITCOIN LOSING TO FIAT
In the initial years, Bitcoin was taking market share from fiat currencies. But, in the past year, it is losing market share. Dell, Wikipedia and airlines have stopped accepting bitcoin. SatoshiDice and Yours switched to Bitcoin Cash. According to Businessinsider:
"Out of the leading 500 internet sellers, just three accept bitcoin, down from five last year.”
Why is Bitcoin losing market share to fiat? According to Businessinsider:
“when they do try to spend it, it often comes with high fees, which eliminates the utility for small purchases, or it takes a long time to complete the transaction, which could be a turn-off.”
Why are there high fees and long completion times?
Because of small blocks.
SCALING DEBATE – THE BIG MARITAL FIGHT
Why isn't the block size increased?
Because Core/Blockstream believes that big blocks lead to centralization to fewer people who can run the nodes. They also believe that off-chain solutions will provide faster and cheaper transactions. There are advocates for bigger blocks, but because Core/Blockstream control the software, Bitcoin still has the original, one megabyte block since 8 years ago. (Core developers control Bitcoin’s software and several of the key Core developers are employed by Blockstream, a private, for-profit company.)
Businesses, users and miners have asked for four years for the block size to be increased. They point out that Satoshi has always planned to scale Bitcoin by increasing the block size. For four years, Core/Blockstream has refused.
The Bitcoin community split into two factions:
This scaling debate and in-fighting went on for several years. You can read more about it at: https://np.reddit.com/r/BitcoinMarkets/comments/6rxw7k/informative_btc_vs_bch_articles/dl8v4lp/?st=jaotbt8m&sh=222ce783
SMALL BLOCKERS VS BIG BLOCKERS
Why has Blockstream refused to increase block size? There are a few possible reasons:
  1. They truly believe that big blocks mean that fewer people would be able to run full nodes, which would lead to centralization and that the best roadmap is with off-chain solutions. (However, since 2009, hard disk space has exploded. A 4TB disk costs $100 and can store 10 years of blocks. This price is the equivalent to a handful of Bitcoin transaction fees. Also, Satoshi never planned on having every user run full nodes. He envisioned server farms. Decentralization is needed to achieve censorship-resistance and to make the blockchain immutable. This is already accomplished with the thousands of nodes. Having millions or billions of nodes does not increase the censorship-resistance and does not make the blockchain more immutable.)
  2. Blockstream wants small blocks, high fees and slow confirmations to justify the need for their off-chain products, such as Liquid. Blockstream sells Liquid to exchanges to move Bitcoin quickly on a side-chain. Lightning Network will create liquidity hubs, such as exchanges, which will generate traffic and fees for exchanges. With this, exchanges will have a higher need for Liquid. This is the only way that Blockstream will be able to repay the $76 million to their investors.
  3. They propose moving the transactions off the blockchain onto the Lightning Network, an off-chain solution. By doing so, there is a possibility of being regulated by the government (see https://np.reddit.com/r/btc/comments/7gxkvj/lightning_hubs_will_need_to_report_to_irs/). One of Blockstream’s investors/owners is AXA. AXA’s CEO and Chairman until 2016 was also the Chairman of Bilderberg Group. The Bilderberg Group is run by politicians and bankers. According to GlobalResearch, Bilderberg Group wants “a One World Government (World Company) with a single, global marketplace…and financially regulated by one ‘World (Central) Bank’ using one global currency.” Does Bilderberg see Bitcoin as one component of their master plan?
  4. They do not like the fact that most of the miners are in China. In this power-struggle, they would like to take away control and future revenues from China, by scaling off-chain.
Richard Heart gives his reasons why block size should not be increased, in this video: https://www.youtube.com/watch?time_continue=2941&v=iFJ2MZ3KciQ
He cites latency as a limitation and the reason for doing off-chain scaling. However, latency has been dramatically reduced since 2009 when Bitcoin started with 1MB blocks. Back then, most residential users had 5-10 Mbps internet speed. Now, they have up to 400 Mbps up to 1 Gbps. That’s a 40 to 200X increase. Back in 2009, nobody would’ve thought that you can stream 4k videos.
He implies that 10 minute intervals between block creations are needed in order for the blocks to sync. If internet speed has increased by 40-200X, why can’t the block size be increased?
He claims that bigger blocks make it more difficult for miners to mine the blocks, which increases the chances of orphaned blocks. However, both speeds and the number of mining machines have increased dramatically, causing hashing power on the network to exponentially increase since 2009. This will likely continue increasing in the future.
Richard says that blocks will never be big enough to do 2,000 transactions per second (tps). He says that all of the forks in the world are only going to get 9 tps. Since his statement, Peter Rizun and Andrew Stone have shown that a 1 core CPU machine with 3 Mbps internet speed can do 100 tps. (https://youtu.be/5SJm2ep3X_M) Rizun thinks that visa level (2,000 tps) can be achieved with nodes running on 4-core/16GB machines, bigger blocks and parallel processing to take advantage of the multiple CPU cores.
Even though Rizun and Stone are showing significant increases in tps with bigger blocks, the big blockers have never been against a 2nd layer. They’ve always said that you can add a 2nd layer later.
CORE/BLOCKSTREAM VS MINERS
According to Satoshi, Bitcoin should be governed by those with the most hashing power. One hash, one vote. However, Core/Blockstream does not agree with this. Due to refusals for four years to increase block size, it would seem that Core/Blockstream has been able to wrestle control away from miners. Is this because they want control? Is this because they don’t want the Chinese to have so much, or any, control of Bitcoin? Is this because they prefer to eventually move the revenue to the West, by moving most of the transactions off chain?
DIFFERENT AGENDAS
It would seem that Businesses/Users and Core/Blockstream have very different agendas.
Businesses/Users want cheap and fast transactions and see this as an immediate need. Core/Blockstream do not. Here are some quotes from Core/Blockstream:
Greg Maxwell: "I don't think that transaction fees mattering is a failing-- it's success!”
Greg Maxwell: "fee pressure is an intentional part of the system design and to the best of the current understanding essential for the system's long term survival. So, uh, yes. It's good."
Greg Maxwell: "There is a consistent fee backlog, which is the required criteria for stability.”
Peter Wuille: "we - as a community - should indeed let a fee market develop, and rather sooner than later”
Luke-jr: "It is no longer possible to keep fees low.”
Luke-jr: "Just pay a $5 fee and it'll go through every time unless you're doing something stupid.”
Jorge Timón: "higher fees may be just what is needed”
Jorge Timón: "Confirmation times are fine for those who pay high fees.”
Jorge Timón: “I think Adam and I agree that hitting the limit wouldn't be bad, but actually good for a young and immature market like bitcoin fees.”
Mark Friedenbach: "Slow confirmation, high fees will be the norm in any safe outcome."
Wladimir J. van der Laan: “A mounting fee pressure, resulting in a true fee market where transactions compete to get into blocks, results in urgency to develop decentralized off-chain solutions.”
Greg Maxwell: “There is nothing wrong with full blocks, and blocks have been “full” relative to what miners would produce for years. Full blocks is the natural state of the system”
Wladimir J. van der Laan: “A mounting fee pressure, resulting in a true fee market where transactions compete to get into blocks, results in urgency to develop decentralized off-chain solutions. I'm afraid increasing the block size will kick this can down the road and let people (and the large Bitcoin companies) relax”
Why don’t Core/Blockstream care about cheap and fast transactions? One possible reason is that they do not use Bitcoin. They might own some, but they do not spend it to buy coffee and they do not use it to pay employees. They aren’t making hundreds of transactions per day. They do not feel the pain. As engineers, they want a technical utopia.
Businesses/Users on the other hand, feel the pain and want business solutions.
An analogy of this scaling debate is this:
You have a car that is going 50 kph. The passengers (Bitcoin users) want to go 100 kph today, but eventually in the future, they want to go 200 kph. The car is capable of going 100 kph but not 200 kph. Big blockers are saying: Step on the accelerator and go 100 kph. Small blockers are saying: Wait until we build a new car, which will go 200 kph. Meanwhile, the passengers are stuck at 50 kph.
Not only do Big blockers think that the car can simply go faster by stepping on the accelerator, they have already shown that the car can go even faster by adding a turbocharger (even bigger blocks) and making sure that every cylinder is firing (parallel process on multiple CPU cores). In addition, they are willing to use the new car if and when it gets built.
CORE/BLOCKSTREAM VS USERS
If you watch this debate from 2017-02-27 (https://youtu.be/JarEszFY1WY), an analogy can be made. Core/Blockstream is like the IT department and Bitcoin.com (Roger Ver and Jake Smith) is like the Sales/Marketing department (users). Core/Blockstream developers hold, but do not use Bitcoin. Blockstream does not own nor use Bitcoin.
Roger Ver's companies used to use or still use Bitcoin every day. Ver’s MemoryDealers was the first company to accept Bitcoin. Johnny seems to think that he knows what users want, but he rarely uses Bitcoin and he is debating one of the biggest users sitting across the table.
In all companies, Marketing (and all other departments) are IT’s customer. IT must do what Marketing wants, not the other way around. If Core/Blockstream and Roger Ver worked in the same company, the CEO would tell Core/Blockstream to give Roger what he wants or the CEO would fire Core/Blockstream.
But they don’t work for the same company. Roger and other businesses/users cannot fire Core/Blockstream.
Core/Blockstream wants to shoot for the best technology possible. They are not interested in solving short term problems, because they do not see high fees and long confirmation times as problems.
BLOCKSTREAM VS LIBERTARIANS
There are leaders in each camp. One can argue that Blockstream is the leader of the Small Blockers and Roger Ver (supported by Gavin Andresen, Calvin Ayre, businesses and some miners) is the leader of the Big Blockers.
Blockstream has openly called for full blocks and higher fees and they are preparing to scale with Lightning Network. As mentioned before, there is a possibility that Lightning hubs will be regulated by the government. Luke-jr tweeted “But State has authority from God” (https://twitter.com/LukeDashjstatus/934611236695789568?s=08)
Roger Ver wants Bitcoin to regulate the government, not the other way around. He wants to weaken and shrink the government. In addition to separation of church and state, he wants to see separation of money and state. He felt that Bitcoin can no longer do this. He pushed for solutions such as Bitcoin Unlimited.
THE DIVORCE
To prepare for off-chain scaling, Core/Blockstream forked Bitcoin by adding Segwit, which I will refer to as Bitcoin Legacy. This is still referred to by the mainstream as Bitcoin, and it has the symbol BTC.
After four years of refusal by Blockstream, the big blockers, out of frustration, restored Bitcoin through a fork, by removing Segwit from Bitcoin Legacy and increasing the block size. This is currently called Bitcoin Cash and has the symbol BCH.
Bitcoin Legacy has transformed from cash to store-of-value. It had an 8-year head start in building brand awareness and infrastructure. It’s likely that it will continue growing in popularity and price for a while.
Bitcoin Cash most resembles Satoshi’s “peer-to-peer cash”. It will be interesting to see if it will pick up from where Bitcoin Legacy left off and take market share in the fiat currency space. Libertarians and cypherpunks will be able to resume their mission of weakening and shrinking the government by promoting Bitcoin Cash.
Currently, Bitcoin Cash can fulfill the role of money, which includes medium of exchange (cash) and store-of-value functions. It will be interesting to see if off-chain scaling (with lower fees and faster confirmations) will enable Bitcoin Legacy to be used as a currency as well and fulfill the role of money.
This is an example of the free market and open competition. New companies divest or get created all the time, to satisfy different needs. Bitcoin is no different.
Small blockers and big blockers no longer need to fight and bicker in the same house. They have gone their separate ways.
Both parties have what they want. Blockstream can store value and generate revenue from their off-chain products to repay their investors. Libertarians (and gambling operators) can rejoice and re-arm with Bitcoin Cash to take on the government. They can continue with their mission to get freedom and autonomy.
submitted by curt00 to btc

[Very long, very serious] Development summary week ending 18th April 2014

When I got my first full time job, I used to try implementing requests from everyone as they came in, and for a while people really loved that I listened to their requests. Over time, however, things started to go wrong. I’d apply a change someone asked for, and in doing so would break something elsewhere in the code, in some subtle way that was missed in short-term testing. I’d fix that second bug and reveal a third. I’d fix that just in time for a new request to come in, and the process would repeat. This led to the term “Bug whack-a-mole”, wherein I was spending time mostly fixing bugs introduced to live systems through rushing through earlier bug fixes.
So this week, we’ve had a lot of people asking about changes to proof-of-work, especially X11, or even moving to proof of stake, primarily in an attempt to address risk of a 51% attack. A 51% attack is where one actor (person, group, organisation, whatever) gains control of enough resources to be able to create their own blockchain, isolated from the main blockchain, at a rate at least as quickly as the main blockchain is being created. They can then spend Dogecoins on the main blockchain, before releasing their fake blockchain; if their fake blockchain is longer than the existing blockchain, nodes will switch to the new blockchain (as they would when repairing a fork), and essentially the spent Dogecoin on the main blockchain are reversed and can be spent again. This is mostly of consequence to exchanges and payment processors (such as Moolah), who are most likely to end up holding the loss from the double-spend.
The concern about a 51% attack stems from a couple of weeks ago now, when Wafflepool was around 50% of the network hashrate (mining power). It’s still high (at the time of writing about 32GH/s out of almost 74GH/s, or about 43%), but it is diminishing as a proportion.
Let's talk about proof of stake first, as this one’s simpler. Proof of stake has been suggested as a way of avoiding the risk of Wafflepool having control of too many mining resources by itself, by changing from securing the blockchain through computational resources (work), to using number of Dogecoin held. The theory is that those with most Dogecoins have most to lose, and will act in their own interests. Major examples of proof of stake coins include Peercoin, Mintcoin and more recently Blackcoin.
However, this essentially means we take control from Wafflepool, and hand it to Cryptsy (who are considered most likely to be the holder of some of the huge Dogecoin wallets out there). I by no means expect either organisation to attempt a 51% attack, but hopefully it’s clear that simply switching risks isn’t actually improving things. I’ve also had significant concerns raised from the merchant/payment processor community about potential impact of proof of stake, and that it may encourage hoarding (as coins are awarded for holding coins, rather than for mining). The price instability of Mintcoin and Blackcoin (and that Peercoin appears to only avoid this through very high transaction fees to keep the entire network inert) does not encourage confidence, either. For now, proof of stake remains something we’re keeping in mind, primarily in case price does not react as anticipated to mining reward decreases over time, but certainly we’re not eager to rush into such a change.
Before I get into a discussion on proof of work, let me summarise this quickly; right now, uncertainty about changes is holding back our community from adopting ASICs. It’s high risk to spend hundreds, thousands or in some cases significantly more on ASIC hardware which could be left useless if we move. Those who have already purchased ASICs to support the Dogecoin hashrate would most likely have to mine Litecoin to recover sunk costs, if we did move. ASICs are virtually inevitable, and in our assessment we are better off pushing for rapid adoption, rather than expending resources delaying a problem which will re-occur later.
At the time of writing the development team has no plans to change proof of work algorithm outside of the eventuality of a major security break to Scrypt. We are focusing on mitigation approaches in case of a 51% attack, and adoption of the coin as the most sustainable approaches to dealing with this risk.
The X11 algorithm has been proposed as an alternative proof of work algorithm. X11, for those unaware, was introduced with Darkcoin. It’s a combination of 11 different SHA-3 candidate algorithms, using multiple rounds of hashing. The main advantage championed for Darkcoin is that current implementations run cooler on GPU hardware. Beyond that, there’s a lot of confusion over what it does and does not do. As I’m neither an algorithms nor an electronics specialist, I recruited a colleague who previously worked on the CERN computing grid to assist, and the following is primarily his analysis. A full technical report is coming for anyone who really likes detail, this is just a summary:
A lot of people presume X11 is ASIC resistant; it’s not. Candidate algorithms for SHA-3 were assessed on a number of criteria, including simplicity to implement in hardware. All 11 algorithms have been implemented in FPGA hardware, and several in ASIC hardware already. The use of multiple algorithms does significantly complicate ASIC development, as it means the resulting chip would likely be extremely large. This has consequences for production, as the area of a chip is the main determining factor for likelihood of an error in the chip.
The short version being that while yes it would take significant resources to make an efficient ASIC for X11, for a long time Scrypt was considered infeasible to adapt to ASICs. As stated earlier, any move would most likely be nothing more than an extremely expensive and risky delaying manoeuvre. ASIC efficiency would also depend heavily on ability to optimise the combination of the algorithms; a naive implementation would run at around the rate of the slowest hashing algorithm, however if any common elements could be found amongst the algorithms, it may be that this could be improved upon significantly.
There are also significant areas of concern with regards to X11. The “thermal efficiency” is most likely a result of the algorithm being a poor fit for GPU hardware. This means that GPU mining is closer to CPU mining (the X11 Wiki article suggests a ratio of 3:1 for GPU/CPU mining performance), however it also means that if a way was found to improve performance there could be significantly faster software miners, leading to an ASIC-like edge without any of the hardware development costs. The component algorithms are all relatively new, and several were rejected during the SHA-3 competition for security concerns (see http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Round2_Report_NISTIR_7764.pdf for full details). Security criteria for SHA-3 algorithms were also focused on ability to generate collisions, rather than on producing hashes with specific criteria (such as number of leading 0s, which is how proof of work is usually assessed).
X11 is a fascinating algorithm for new coins, however I would consider it exceptionally high risk for any existing coin to adopt.
Beyond algorithm analysis, this week has been mostly about testing 1.7. Last weekend Patrick raised the issue that we had been incorrectly running the automated tests, which had led to several automated test failures being missed earlier. This led to other tasks being dropped as we quickly reworked the tests to match Dogecoin parameters instead of Bitcoin. So far, all tests have passed successfully once updated to match Dogecoin, however this work continues. On the bright side, it turns out we have a lot more automated tests than we realised, which is very useful for later development.
The source code repository for Dogecoin now also uses Travis CI, which sanity-checks patches submitted to the project, to help us catch any potential problems earlier, thanks to Tazz for leading the charge on that. This is particularly important as of course we’re developing on different platforms (Windows, OS X, Linux) and what works on one, may not work on others. Over time, this should be a significant time saver for the developers. For anyone wanting to help push Dogecoin forward, right now the most productive thing to be doing is testing either Dogecoin, or helping Bitcoin Core test pull requests. Feel free to drop by our Freenode channel for guidance on getting started with either.
Right now, I’m working on the full technical report on X11, and will then be back working on the payment protocol for Dogecoin. I’ve approached a few virus scanning software companies about offering their products for Dogecoin, with so far no response, but will update you all if I hear more.
Lastly, the next halvening (mining reward halving) is currently expected late on the 27th or early on the 28th, both times GMT. Given that it was initially expected on the 25th, we’re obviously seeing some slippage in estimates, and a total off the top of my head guess would be that we’ll see it around 0500 GMT on the 28th at this rate. I have taken the 28th off from the day job, and will be around both before and after in case of any problems (love you guys, not getting up at 5am to check on the blockchain, though!)
submitted by rnicoll to dogecoin
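The post above describes the 51% attack from the exchange's side: a double-spend only succeeds if the attacker's private chain eventually overtakes the public one. The calculation below, added here as an example and not part of the original post, is Nakamoto's catch-up probability from section 11 of the Bitcoin whitepaper, applied to the 32 GH/s of 74 GH/s figure quoted in the post; the function and constant names are my own, and it shows how many confirmations an exchange would need before the residual risk drops below a chosen threshold.

```python
import math

# Hashrate figures quoted in the post above (sample values, not live data).
WAFFLEPOOL_GHS = 32.0
NETWORK_GHS = 74.0


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the hashrate
    ever overtakes the honest chain after a transaction has z confirmations.
    This is the calculation from section 11 of the Bitcoin whitepaper; the
    Poisson term is accumulated iteratively so large z does not overflow."""
    p = 1.0 - q
    if q >= p:
        return 1.0          # majority attacker: a longer chain is guaranteed
    lam = z * q / p         # expected attacker blocks while honest mine z
    poisson = math.exp(-lam)
    total = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        # attacker made k blocks so far and must still close a gap of z-k
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float, limit: int = 10_000):
    """Smallest z with catch_up_probability(q, z) < max_risk, or None when the
    attacker holds a majority (no depth is safe) or the search limit is hit."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


def pool_share(pool_ghs: float, network_ghs: float) -> float:
    """Fraction of network hashrate held by one pool."""
    return pool_ghs / network_ghs


if __name__ == "__main__":
    q = pool_share(WAFFLEPOOL_GHS, NETWORK_GHS)
    print(f"pool share q = {q:.3f}")
    for z in (1, 6, 30, 100):
        print(f"z={z:4d}  P(catch up)={catch_up_probability(q, z):.4f}")
    print("confirmations for <0.1% risk:", confirmations_needed(q, 0.001))
```

The point for an exchange or payment processor is that the required depth grows sharply as a pool approaches half the hashrate, which is why confirmation policy, not just the pool's current share, decides the exposure.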
