#bitcoin-core-dev log

19:01:19 <wumpus> #startmeeting
19:01:19 <lightningbot> Meeting started Thu Sep 29 19:01:19 2016 UTC.  The chair is wumpus. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:19 <lightningbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:01:26 <BakSAj> hi
19:01:36 <CodeShark> meeting time!
19:01:46 <MarcoFalke> meeting!
19:01:56 <wumpus> #bitcoin-core-dev Meeting: wumpus sipa gmaxwell jonasschnelli morcos luke-jr btcdrak sdaftuar jtimon cfields petertodd kanzure bluematt instagibbs phantomcircuit codeshark michagogo marcofalke paveljanik NicolasDorier
19:02:04 <MarcoFalke> (oh already started)
19:02:07 <btcdrak> here
19:02:07 <cfields_> hi
19:02:12 <kanzure> hi
19:02:20 <wumpus> any proposed topics?
19:02:24 <jonasschnelli> topic proposal: pruning and blockrelay
19:02:56 <petertodd> hi
19:03:11 <sipa> policy against uncompressed keys or not
19:03:11 <wumpus> #topic pruning and blockrelay
19:03:38 <jonasschnelli> I think we should add a service flag for block relay with a min-height
19:03:52 <jonasschnelli> NODE_PRUNENETWORK or something
19:03:57 <sipa> there have been multiple ideas around that
19:04:35 <petertodd> IMO whatever we do, we should recognise that w/ segwit's larger blocks we can expect a lot of full nodes to run out of disk space quite soon
19:04:35 <sipa> the easiest is just to add a flag that says you relay valid blocks and transactions, but not historical blocks more than a few deep
19:04:35 <jonasschnelli> I guess people slowly start to prune the blockchain to a max of 80GB or similar... but I guess not everyone is aware of the fact that you don't relay then
19:04:36 <wumpus> it would be nice to support more than one range, e.g. also archive nodes that host part of the old blocks
19:04:49 <sipa> it becomes harder when you want multiple ranger
19:04:57 <petertodd> do we have a reason for more than one range?
19:05:00 <jonasschnelli> We could introduce another message type... blockrange  or so
19:05:01 <sipa> it becomes even harder when you want to support sharding in an efficient way
19:05:08 <wumpus> I'm not sure why itb ecomes hard, just add a query message that returns what ranges are supported
19:05:11 <petertodd> sipa: what do you mean by sharding exactly?
19:05:25 <sipa> petertodd: you'd configure your node to maintain a certain % of blocks
19:05:45 <jonasschnelli> wumpus: query, yes, why not, or just inform like we do with sendheaders
19:05:47 <petertodd> sipa: see, given that the bitcoin protocol can't be safely sharded right now, I think we can safely say that we don't need to support sharding in block relay yet
19:05:55 <petertodd> sipa: doing so might even be dangerous if people start using it
19:06:04 <sipa> petertodd: not in block relay
19:06:08 <sipa> petertodd: for block archival
19:06:16 <petertodd> sipa: but why shard vs. keep ranges?
19:06:23 <petertodd> sipa: (ranges of full blocks)
19:06:25 <luke-jr> BitTorrent already does this. Surely we can learn from that?
19:06:38 <petertodd> luke-jr: I don't think so - bittorrent is a very different problem than bitcoin
19:06:38 <wumpus> this is for letting other peers know what ranges of blocks are hosted, I don't think this should affect releay
19:06:41 <sipa> so, i've been running statistics on what block depths are being requested from nodes
19:06:47 <luke-jr> petertodd: learn from it, not use it directly
19:07:01 <luke-jr> petertodd: BitTorrent's problem isn't very different from IBD
19:07:08 <jonasschnelli> sipa: interesting.. do you have the stats public available somewhere
19:07:16 <jonasschnelli> I wanted to do this a long time
19:07:20 <petertodd> luke-jr: so, the thing is bittorrent has the problem of a diverse set of files, we just don't have that problem and can optimise differently because everyone needs access t othe same set of data
19:08:03 <sipa> there are something like 4 meaningful 'ranges' 1) the top 2 blocks (just relay) 2) up to ~2500 blocks deep... requested very often 3) up to ~10000 deep... requested a few times more than the next range 4) the rest
19:08:15 <wumpus> otoh bittorrent has a fixed block size :)
19:08:22 <sipa> wumpus: so do we *ducks*
19:08:38 <petertodd> sipa: that probably corresponds to how long people leave their nodes offline :)
19:08:51 <btcdrak> inb4 Bittorrent XT
19:09:04 <sipa> jonasschnelli: they're not available, and the ranges i gave above are just from me quickly glancing over the result
19:09:04 <petertodd> btcdrak: I use Bittorrent Unlimited myself
19:09:05 <jonasschnelli> What about fingerprinting issued in conjunction with available ranges?
19:09:16 <jonasschnelli> *issues
19:09:20 <petertodd> jonasschnelli: make them powers of two?
19:09:33 <sipa> well 4 ranges can be done with 2 service bit flags
19:09:45 <sipa> gmaxwell: you've worked on these ideas before, comments?
19:09:47 <jonasschnelli> But would that work with the flexible pruning option based on MB?
19:10:05 <petertodd> jonasschnelli: sure, just find the biggest range less than the pruning amount
19:10:12 <sipa> jonasschnelli: you'd change your service bits on the fly
19:10:20 <wumpus> why would the ranges need to be in the flags?
19:10:30 <gmaxwell> sorry, I missed that the meeting started.
19:10:32 <jonasschnelli> Yes. Why? Better add an explicit message for the range
19:10:34 <sipa> how would you otherwise discover what nodes to connect to?
19:10:45 <sipa> just randomly try?
19:10:45 <petertodd> jonasschnelli: oh right, you mean if MB != blocks... sorry.
19:10:49 <wumpus> I think you'll need a service flag to show support for the protocol, but not what ranges you have
19:10:52 <jonasschnelli> query or inform the other node if proto-ver > NODE_PRUNENETWORK
19:11:00 <wumpus> well that can be negotiated later, like bittorrent does I guess
19:11:08 <sipa> wumpus: well you do want addr messages to contain this information
19:11:18 <wumpus> I doubt bitcoin has 'service flags' in its tracker what blocks nodes have
19:11:18 <petertodd> sipa: so the nice thing about bitcoin, is just randomly try will probably work fairly often due to the low number of ranges out there
19:11:26 <wumpus> as that changes all the time anyhow
19:11:29 <gmaxwell> I was strongly of the view that we needed to signal at least two ranges. Sipa's latest measurements make me think at least three are needed.
19:11:31 <wumpus> s/bitcoin/bittorrent/
19:11:37 <jonasschnelli> I think informing other nodes ranges over addr is another thing...
19:11:46 <jonasschnelli> A first step would be a information after connect
19:11:55 <wumpus> yes, addr is another thing
19:12:22 <gmaxwell> I think ranges in service bits are no big deal, the harder question is what to do about the history. having nodes with 150GB of history in order to serve the last range is not very viable.
19:12:23 <wumpus> could be done later if an efficient way is needed to *locate* peers with certain ranges
19:12:31 <wumpus> but that seems premature optimization
19:12:36 <gmaxwell> We will need to redo addr sometime relatively soon in any case, as our messages are not compatible with HS-NG.
19:12:52 <petertodd> gmaxwell: oh, you mean Tor's new hidden services standard right?
19:12:56 <gmaxwell> petertodd: yes.
19:13:02 <gmaxwell> (also I2P though thats not new)
19:13:18 <wumpus> I think the number of ranges should be variable
19:13:24 <wumpus> redesigning addr is a different topic
19:13:35 <wumpus> also necessary, but again, doesn't need to be on one heap
19:13:45 <gmaxwell> wumpus: when I'm saying ranges I am specifically referring to the top-N zomes.
19:14:14 <petertodd> well, so if we add service bits for recent history ranges, that should be possible to implement as a separate feature to archival history ranges, and it'd be a big first step
19:14:22 <wumpus> I think it should be possible to, say, only host the first 20GB of blocks
19:14:37 <jonasschnelli> historic only nodes
19:14:37 <wumpus> I don't see why it should be restricted to only recent history
19:14:38 <petertodd> I don't think it's likely we'll see the two different features collide, so maybe implement recent history ranges first
19:14:55 <wumpus> or I mean first 20GB + last 144 blocks
19:15:07 <gmaxwell> For history storage, I was previously working on a proposal where nodes could signal a small (32 bit) seed and a size and from that everyone would know what parts of the history they would store.  I was so far unable to unify two different schemes, one which was computationally efficient to figure out who had what, and one which never required a peer to fetch a block it had previously deleted.
19:15:15 <sipa> so very quick breakdown: out of 7M requested blocks, 100k were for the tip, range 2-2500 has around 200-2000 requests per block, and from 10000 to genesis deep there are around 20 per block
19:16:19 <gmaxwell> I think for now we should not worry about the old history part and only worry about Top-n vs everything, as that fits into the pruning we already have and can be accomplished purely with service bits.
19:16:22 <wumpus> the bittorrent problem is different in that there the goal of each node is to have everything
19:16:25 <petertodd> so a social consideration here, is we can think in terms of recent history as "if there's a flaw, how much would we ever reorg w/o just saying bitcoin has failed?"
19:16:44 <gmaxwell> petertodd: thats partly why we have the 288 block maximum amount of pruning.
19:17:13 <petertodd> gmaxwell: indeed, and that's only two days...
19:17:36 <jonasschnelli> Using multiple service bits for 4 ranges seems to be a hackish-design IMO
19:17:49 <gmaxwell> at 100 blocks any reorg will _necessarily_ cause unrecoverable losses. So 288 basically gives a day plus an extra day for overhead.
19:17:50 <petertodd> there's also a natural time criteria from how the difficulty adjustments reduce your resistance to 51% attack - if your node is offline longer, the minimum attacker size to fool you goes down
19:17:52 <sipa> strangely enough: i see much more requests around 1000 deep than around 100 deep
19:18:04 <gmaxwell> jonasschnelli: I don't see anything hackish.
19:18:05 <wumpus> jonasschnelli: I also think it's a strange use of service bits
19:18:07 <jonasschnelli> I'd prefere using a single service bit to state pruned blockchain and then a new message (or append something to version?)
19:18:24 <petertodd> sipa: probably because people don't turn their nodes on and off every day
19:18:25 <gmaxwell> sipa: you probably want to filter out the bitnodes spider, as I believe it requests a block to check the node is working.
19:18:35 <sipa> gmaxwell: ah.
19:18:53 <gmaxwell> petertodd: someone who hasn't turned their node on will request all of 0 to -1000. so it will not make 1000 greater.
19:19:07 <gmaxwell> jonasschnelli: NAK.
19:19:07 <petertodd> gmaxwell: oh! I didn't know we did that
19:19:09 <sipa> i'm a bit surprised people think there is no need to have the available block ranges indicated in addr messages
19:19:30 <sipa> (whether through service bits, or some extension)
19:19:30 <jonasschnelli> I think there is a need... but it could be a second step
19:19:38 <wumpus> jonasschnelli: appending to version should be unnecessary, that's also a hack :)
19:19:50 <sipa> jonasschnelli: if it's a second step, we need to extend addr, and the whole management of addresses
19:19:51 <jonasschnelli> Okay. Agree. What about a new message type?
19:19:55 <jonasschnelli> blockrange
19:19:58 <sipa> jonasschnelli: you don't understand.
19:20:18 <gmaxwell> jonasschnelli: look at pieter's request figures, if nodes are effectively forced to go to peers that have everything whenever they connect becuase if they don't know they'll be able to fetch any blocks at all, then it will put lots more load on them.. causing people to stop offering blocks... causing more pressure on what remains.
19:20:56 <sipa> jonasschnelli: the point of having it in service bits is so nodes can find peers that have the range they need
19:20:58 <wumpus> but addr information gets old really fast
19:21:17 <sipa> wumpus: much less so with feeler connections
19:21:26 <wumpus> nodes may dynamically change what blocks they have, so there will always be cases of nodes connecting and realizing they have nothing to offer each other
19:21:27 <jonasschnelli> Okay. I see the point.
19:21:29 <sipa> (presumably, i don't have numbers)
19:21:54 <wumpus> just like currently nodes will try to connect into black holes that no longer host a node
19:22:24 <petertodd> so another interesting thing here is that ranges are queried linearly - you download blocks in a roughly linear fashion - so we could take advantage of that by making sure that nodes with one range keep track of nodes with adjacent ranges
19:22:29 <wumpus> sipa: sure, feeler connections make it somewhat better
19:22:35 <gmaxwell> wumpus: yes, sometimes the data is wrong. But there is a big difference between having 80% of the nodes on the network giving you no idea if they'll be useful at all until after you connect, vs a suggestion that might sometimes be wrong.
19:22:41 <wumpus> but I don't think addr is a very up-to-date information source
19:22:46 <petertodd> thus, as you sync the first time, ask nodes with the range you're syncing at this moment for the next range you need
19:23:08 <luke-jr> wumpus: if ranges are deterministic, they don't need to be up to date
19:23:15 <sipa> petertodd: yes, any sharding plan wouldn't randomly distribute the kept blocks, but keep randomly distributed ranges
19:23:32 <gmaxwell> wumpus: I don't know if you realize that sipa and I are not thinking in terms of absolute ranges here. but nodes saying "I keep the last 288" or "I keep the last 2016" or "I have all of history".
19:23:38 <wumpus> gmaxwell: but indeed this is a different problem from the bittorrent problem where everyone's goal is to have everything
19:23:56 <sipa> gmaxwell: well that's sharding... maybe that is something to postpone for later
19:24:01 <petertodd> sipa: sure, I'm more talking about how the linearity affects the network p2p design - prefentially peering with peers with the adjacent range may even be a reasonable design
19:24:03 <luke-jr> wumpus: eh, everyone needs to get everything
19:24:03 <wumpus> there, nodes can just connect randomly and have a high change the other nodes has something to offer them
19:24:04 <gmaxwell> wumpus: and I wouldn't expect that data to go out of date fast.. pretty much only when nodes go up and down.
19:24:04 <sipa> oh, nvm, i'm misreading
19:24:20 <wumpus> luke-jr: only initially
19:24:28 <luke-jr> oh, I see the distinction
19:24:41 <wumpus> luke-jr: bittorrent nodes don't throw away blocks, generally
19:24:53 <luke-jr> f(best-height, seed-in-addr) -> ranges
19:25:12 <gmaxwell> for the spreading the history around, as mentioned I came up with concrete schemes (based on consistent hashes) that have nice properties.
19:25:30 <sipa> i wonder whether we need to have that in the first go at this
19:26:04 <jonasschnelli> I think a first simple solution that allow to extend it further would be appriciated.
19:26:10 <sipa> even just having serve-everything and server-the-last-288-and-relay-at-tip would be a good addition
19:26:15 <wumpus> making the ranges deterministic makes some sense, on the other hand, it does restrict the flexibilty of nodes to choose what ranges they host, it means everything has to be got right in first try
19:26:23 <gmaxwell> sipa: thats what I am saying.
19:26:27 <jonasschnelli> sipa: agree
19:26:30 <gmaxwell> I do not think we can do better immediately anyways.
19:26:45 <sipa> 21:18:07 < jonasschnelli> I'd prefere using a single service bit to state pruned blockchain and then a new message (or append something to version?)
19:26:47 <gmaxwell> sipa: though your latest figures suggest that the 2016 depth is important too.
19:26:48 <sipa> 21:19:07 < gmaxwell> jonasschnelli: NAK.
19:27:10 <petertodd> if nodes attempt to maintain a few connections to peers that have the next range after they have, maybe it doesn't matter exactly what the ranges actually are? any given node would have a few connections to the next range, and anyone syncing from them could ask for those connections
19:27:15 <gmaxwell> sipa: my understanding of jonasschnelli comment was there should be a bit that says "I relay blocks but don't have history" I am NAK on that.
19:27:36 <wumpus> as there is no scope for later optimization, because all nodes have to agree what ranges are implied
19:27:40 <jonasschnelli> We could add a service bit that says "I relay only the last 288 blocks"
19:27:50 <wumpus> jannes: yes that would be the initial idea
19:27:54 <wumpus> jonasschnelli*
19:28:08 <sipa> gmaxwell: how is that different from what i suggested?
19:28:11 <sipa> 21:26:10 < sipa> even just having serve-everything and server-the-last-288-and-relay-at-tip would be a good addition
19:28:21 <jonasschnelli> I think my initial idea with the general pruning sevice bit and a new message type is to complex and inflexible
19:28:28 <gmaxwell> jonasschnelli: yes, that would be better, though pieter's data suggests that there are a LOT of requests at 1000. I think if I had that data I would have been suggesting the maximum pruning should be 2016, and then had the bit at that dep.
19:28:50 <gmaxwell> sipa: the ability to relay blocks at depth -10.
19:29:04 <sipa> gmaxwell: less than 2% of blocks requested from my node are at the tip
19:29:22 <sipa> (but the tip is still 100x more frequent than any other individual depth)
19:29:50 <sipa> gmaxwell: "a service bit to indicate pruned blockchain" implies you can serve 288 deep :)
19:30:08 <petertodd> gmaxwell: re: maximum pruning depth, it's reasonable for that to be a similar % of the total data that storing the UTXO set takes - if you have 10GB of UTXO, 2GB of block data isn't a big change
19:30:11 <wumpus> yes, you could define it as that
19:30:15 <gmaxwell> I don't think there is any remaining disagreement on using bit(s) to signal I have a top-n.  But I have some doubt on N. it needs to capture the largest amount of the block realy bandwidth without being unduely pruning incompatible.
19:30:37 <wumpus> 288 is the minimum pruning amount in bitcoin core already so it'd be a valid choice
19:30:44 <morcos> as a first pass, i wonder if you preferentially downloaded from pruned peers whenever you were behind by less than 288 blocks, that would take enough load of peers serving full history?
19:30:50 <gmaxwell> morcos: absolutely.
19:31:01 <jonasschnelli> Good idea
19:31:09 <wumpus> yes, that would make sense
19:31:23 <gmaxwell> unfortunately, sipa's data suggests that 288 sheds less traffic than measurements years ago suggested.
19:31:43 <sipa> maybe i should compute statistics in bytes rather than blocks
19:31:45 <morcos> gmaxwell: it wasn't clear to me what the integral from 1 to 288 was compared to 288 to inf
19:31:46 <wumpus> well it is a compromise
19:31:53 <wumpus> putting the threshold higher makes some peers completely useless
19:31:57 <sipa> to see what percentage of bandwidth is needed in 1-288
19:31:58 <wumpus> which reduces morcos 's argument
19:32:04 <jonasschnelli> Yes. I guess you convinced me to use two service bits then. -288 and -2016
19:32:16 <gmaxwell> which is why it might be useful to use two bits and be able to signal 1-288, 1-2016... and perhaps start encouraging people to not prune shorter than 2016.
19:32:37 <sipa> i think we're getting into a design discussion here
19:32:47 <sipa> my number are very premature and not well analysed
19:32:50 <wumpus> it'd also be possible to add a 288-flag now, and then consider a 2016 flag later
19:32:54 <gmaxwell> sipa: indeed, thought that was the input you requested from me.
19:32:57 <morcos> wumpus: yes, thats what i'm saying
19:32:59 <gmaxwell> wumpus: yes! indeed.
19:33:03 <jonasschnelli> Agree with wumpus
19:33:04 <wumpus> if it turns out to be necessary
19:33:10 <petertodd> wumpus: ACK
19:33:15 <sipa> yes, i think just a 1-288 one seems useful
19:33:16 <wumpus> good :)
19:33:16 <jonasschnelli> Start with a simple tip-288 relay, and get some experience
19:33:23 <gmaxwell> wumpus: it looks pretty clearly necessary but no need to do everything at once.
19:33:30 <petertodd> wumpus: basically advice is, turn your node on at least once every two days
19:33:54 <wumpus> petertodd: yes
19:33:55 <gmaxwell> petertodd: we really should have cron mode for the daemon where it just syncs up and shuts off. :P
19:34:06 <gmaxwell> bitcoind -oneshot
19:34:08 <gmaxwell> :P
19:34:17 <petertodd> gmaxwell: heh, that's not a crazy idea - I'd use it on my laptop
19:34:18 <jonasschnelli> didn't we once had a proposal for the pause option?
19:34:24 <wumpus> right, there's a flag that quits after reindex, but none that exits after sync
19:34:31 <wumpus> would be easy to add tho
19:34:41 <morcos> we could just ask for the utxo set, shoudl we discuss ideas how to do that
19:34:51 <CodeShark> ^ yes :)
19:34:58 <petertodd> make -oneshot run in the foreground with a progress bar :)
19:34:59 <wumpus> without utxo commitment that's a no-go
19:35:05 <morcos> thanks codeshark
19:35:20 <petertodd> wumpus: +1
19:35:42 <gmaxwell> morcos: pointless when we were unable to get past the discussion for the security model change to not validate the past history based on proof of work.
19:35:48 <petertodd> and lets not underestimate how dangerous UTXO commitments can be - I'm very dubious about committing to the (U)TXO set more recently than maybe a month or two
19:35:51 <CodeShark> would be great to query utxo for quick sync, then go backwards in time fetching blocks to increase security...but yes, this is a design discussion
19:35:53 <morcos> i was making a joke, sorry
19:36:18 <CodeShark> alas, quick sync doesn't look feasible in the nearterm
19:36:20 <wumpus> ok, next topic?
19:36:36 <gmaxwell> but since that was brought up... Can we talk about removing checkpoints?
19:36:55 <wumpus> #topic removing checkpoints
19:36:59 <sipa> what % of transactions are before the last checkpoint
19:37:01 <sipa> does anyone know?
19:37:03 <morcos> someone should write up a design proposal for that to be evaluated
19:37:18 <gmaxwell> Right now they're used for two things, preventing header flooding with low difficulty headers; and skipping signatures in earlier blocks.
19:37:21 <petertodd> gmaxwell: just removing checkpoints, or assuming sigs are valid if buried deep enough?
19:37:27 <sipa> gmaxwell: and 3) estimating progress
19:37:45 <wumpus> keeping something for estimating progress would make sense
19:37:47 <sipa> i think 1) remains needed and 3) remains useful
19:37:50 <wumpus> that doesn't need to be checkpoints
19:38:06 <gmaxwell> because very few percentage of the transactions are below the checkpoint .. since libsecp256k1 (and I expect the checkqueue)-- my point two is basically pointless, and I think it could just be removed
19:38:29 <gmaxwell> I think on a desktop it only adds 15-20 minutes to the sync.
19:38:29 <petertodd> gmaxwell: I'd ACK simply removing checkpoints entirely; I'm not happy to see them replaced with another scheme to skip sig checking
19:38:33 <wumpus> a block-height-to-relative-difficulty map would have much less of a stigma
19:38:46 <wumpus> eh, verification difficulty that is
19:38:52 <sipa> gmaxwell: really?
19:38:54 <gmaxwell> petertodd: I think we could remove CP from reason two without implementing the replcement.
19:39:06 <gmaxwell> petertodd: morcos is right that needs a design proposal outside of the meeting.
19:39:12 <sdaftuar> i'm a bit confused about how to think about checkpoints for signature skipping
19:39:22 <gmaxwell> sipa: I benchmarked before but I'm going off of memory, I could be wildly wrong. I will test again if there is interest.
19:39:52 <jonasschnelli> Removing checkpoints would slow down (maybe insignificant) a scan in a possible SPV hybrid mode?
19:39:54 <gmaxwell> For reason (1) the only answer I have is that I think we should proposal a bit to perpetually increase the minimum difficulty from 1 to something else.
19:40:00 <sdaftuar> for instance the recent ISM change caused us to do less validation for certain blocks in our history (blocks in a softfork between the 75% and 95% thresholds)
19:40:10 <sipa> jonasschnelli: SPV mode won't validate *anything* at all
19:40:28 <gmaxwell> (with a checkpoint like bypass of that new rule, for existing blocks that break it) As little as 100,000 would eliminate the header flooding vulenrablity.
19:40:33 <jonasschnelli> Yes. But assume we would add an SPV hibrid mode in oder to received payment during IBD
19:40:50 <jonasschnelli> One would need to download 400k headers without a checkpoint at h400k
19:40:53 <luke-jr> maybe checkpoints should just be disabled by default before complete removal?
19:41:00 <sipa> jonasschnelli: i think you're confused
19:41:07 <gmaxwell> for Sipa's (3) reason for 'checkpoints' I don't give a darn, use chicken bones for progress estimation for all I care. :P it's historical accident that checkpoints and progress use the same data structure.
19:41:24 <morcos> gmaxwell: :) +1
19:41:28 <wumpus> gmaxwell: yes, my point too
19:41:34 <sipa> gmaxwell: agree, those could be completely separated
19:41:36 <petertodd> gmaxwell: ACK checken bones
19:41:36 <gmaxwell> Might as well fit a cubic spline to the height vs txn count... and store the parameters.
19:41:53 <wumpus> right
19:42:09 <petertodd> gmaxwell: heh, if we do that with floating point math that has the advantage that it _can't_ be used for consensus :)
19:42:18 * sipa now remembers a song our student organization wrote to the melody of staying alive, called 'cubic spline'
19:42:21 <gmaxwell> so my proposal, if there is interest, is that I'll measure the performance impact of removing the signature skippingentirely (esp post checkqueue). And if it's not awful, we'll remove.
19:42:37 <wumpus> +1
19:42:44 <sipa> gmaxwell: i'm unconvinced
19:42:52 <wumpus> it doesn't hurt to benchmark
19:43:00 <gmaxwell> and maybe I'll tender a proposal to up the minimum difficulty, but I'd like to know what people think about that.
19:43:04 <wumpus> measuring is always better than making assumptions
19:43:11 <sipa> with a replacement for sig skipping that isn't based on checkpoints we could significantly improve things
19:43:39 <petertodd> sipa: I don't think such a replacement can exist without changing the security assumptions; I'd *rather* have checkpoints than trusting hashing power for that
19:43:44 <sipa> the last checkpoint currently is very old for the very reason that we've been planning to replace it
19:43:47 <gmaxwell> sipa: would you like to help work on a proposal for that? it has been controversial in the past. I'd like to do something good, because otherwise imprudent attempts will be adopted instead.
19:44:15 <sipa> so it's unfair to use the "the last checkpoint is old" as a given; it's something we've affected indirectly
19:44:19 <petertodd> sipa: though what checkpoints should do is say "Something big has changed; you can disable checkpoints with --no-checkpoints, but you should find out what this means before doing so."
19:44:29 <gmaxwell> (for example Bitcoin Classic's current behavior simply looks at block header timestamps and ignores signatures when they're more than 24 hours (*par) old by the local clock. It's easily exploited and makes me sad.
19:44:40 <sipa> petertodd: it's my opinion that on a timescale of months, it doesn't matter
19:44:53 <sipa> IF you can guarantee it's actually a timescale of months
19:44:55 <wumpus> yes that makes me sad too
19:44:58 <petertodd> sipa: on a timescale of months, checkpoints shouldn't matter either...
19:45:06 <wumpus> anything based on time seems very brittle
19:45:27 <sipa> petertodd: look at the current hashrate; what's 3 months worth of chain work at that hashrate
19:45:31 <petertodd> wumpus: and anything based on work isn't much better if you're running an old client, and mining has advanced significantly
19:45:37 <jonasschnelli> sipa: I (hope) I'm not confused. If we would add a SPV hybrid mode directly fetch blocks at the tip (in order to received payments), no available checkpoint would result in downloading all headers *losing* maybe 3-4mins before you can start using SPV... minor issue though, I agree
19:45:38 <petertodd> sipa: that assumes you know what the current hashrate is
19:45:41 <gmaxwell> wumpus: the prior proposals were based on work,  e.g. skip if the best chain you see dominates the next conflicted chain at that hight by N months of work.
19:45:44 <Chris_Stewart_5> gmaxwell: How have we solved the problem that checkpoints were originally created for? You have an excerpt in here: https://en.bitcoin.it/wiki/Bitcoin_Core_0.11_(ch_5):_Initial_Block_Download#Checkpoints
19:45:45 <petertodd> sipa: your node might be surrounded by sybils
19:45:52 <gmaxwell> wumpus: with a 'minimum total work' coded in as part of the release proces.
19:46:00 <sipa> Chris_Stewart_5: headers first sync
19:46:08 <sipa> Chris_Stewart_5: 0.10
19:46:08 <gmaxwell> Chris_Stewart_5: headers first sync.
19:46:09 <wumpus> gmaxwell: right. Well, at the least it should be measured whether such a change is really worth it.
19:46:16 <sipa> petertodd: yes, i know...
19:46:21 <sipa> so, let's measure.
19:46:25 <sipa> and discuss later
19:46:37 <gmaxwell> Chris_Stewart_5: and the signature skipping behavior in checkpoints was actually a result of a bug fixed years ago.. mlock being used on all allocations making script validation INSANELY slow.
19:46:41 <wumpus> so much of the verification overhead is looking up UTXOs
19:46:44 <gmaxwell> sipa: okay.
19:46:47 <wumpus> something you'll not avoid
19:47:20 <gmaxwell> Chris_Stewart_5: but then with chain growth we became dependant on it to keep sync times reasonable. but libsecp256k1 made signature validation >5x faster.
19:47:21 <wumpus> especially for recent blocks
19:47:38 <wumpus> if you do any benchmarking please look at the recent blocks, not the first N
19:48:04 <gmaxwell> wumpus: it's still a major speed up on existing blocks.
19:48:07 <sipa> in a side node: i've already updated my logging to measure bandwidth vs blockdepth instead of just count.
19:48:11 <Chris_Stewart_5> So header sync solves the attack of flooding disk space, but not having your entire network hijacked, correct?
19:48:32 <wumpus> Chris_Stewart_5: huh?
19:48:41 <wumpus> gmaxwell: sure, could be
19:48:42 <gmaxwell> Chris_Stewart_5: isolation can be resolved by simply knowing what the total work of the best chain was at release.
19:49:00 <gmaxwell> Chris_Stewart_5: sorry, this was discussed prior times removing checkpoints had come up, I haven't completely described the background.
19:49:19 <Chris_Stewart_5> gmaxwell: Thanks for the explanation, i'll keep digging.
19:49:45 <wumpus> Chris_Stewart_5: ah, you mean being isolated and being fed a wrong chain, sorry I was imaginging some wacky things at having your network hijacked :)
19:51:01 <wumpus> ok, next topic?
19:51:01 <gmaxwell> wumpus: just the "you got a faithful bitcoin core download but the attacker controls your network"... but that doesn't need a checkpoint to fix, a simple partitioning detction that knows the total work of the best chain at releast time is sufficient.
19:51:01 <gmaxwell> Thanks for the discussion.
19:51:13 <wumpus> #topic segwit against uncompressed keys or not
19:51:17 <wumpus> (10 minutes to go)
19:51:24 <wumpus> (9 minutes to go)
19:51:27 <petertodd> so to be clear, *just* segwit right?
19:51:30 <CodeShark> does anyone still use uncompressed keys?
19:51:33 <wumpus> yes, only segwit
19:51:39 <achow101> CodeShark: armory does
19:51:42 <luke-jr> seems uncontroversial
19:51:49 <petertodd> I'm happy to ACK that given just segwit
19:51:57 <achow101> having segwit enforce uncompressed keys would delay segwit adoption for armory users
19:52:03 <achow101> *compressed
19:52:05 <jl2012_> it's in #8499
19:52:09 <luke-jr> achow101: why? just compress them
19:52:13 <wumpus> gmaxwell: yes, though we had a lot of trouble with partitioning detection, I remember some code being stripped out and such. But anyhow, yes that's the better approach if it can be gotten to work.
19:52:22 <sipa> achow101: sigh, does armory still not do that?
19:52:30 <achow101> luke-jr: we have to change the whole wallet structure (it's still going to happen anyways)
19:53:34 <wumpus> gmaxwell: without too much false positives
19:53:34 <luke-jr> achow101: why?
19:53:34 <sipa> achow101: alan said somewhere in 2013 he was implementing it...
19:53:34 <achow101> alan's gone now..
19:53:34 <luke-jr> afaik the only downside to using compressed keys is it changes the address, which segwit is changing anyway
19:53:34 <CodeShark> it's not a very complicated change
19:53:34 <wumpus> armory still uses uncompressed keys?!
19:53:34 <luke-jr> there's no reason you'd need to change the wallet structure I can see
19:53:34 <wumpus> in any case this only applies to segwit, not to old transactions
19:53:34 <achow101> the plan is to have a new wallet structure with bip32 that supports segwit and compressed keys
19:53:41 <gmaxwell> wumpus: "you're partitioned until you see a header chain with at least work X" is a pretty simple critera. :P
19:53:44 <sipa> luke-jr: it had fixed size records in its wallet format for pubkeys
19:54:05 <sipa> achow101: well if a new wallet format is needed for segwit anyway, it doesn't matter right?
19:54:10 <gmaxwell> achow101: oh god please do not use uncompressed keys with segwit. why would you do that?
19:54:13 <luke-jr> sipa: zero-pad it?
19:54:35 <achow101> sipa: well no, we don't need a new wallet for segwit as it could still work with the old one with a little bit of hacking
19:54:48 <achow101> that was the original plan
19:54:48 <luke-jr> achow101: no less than compressed could
19:55:15 <luke-jr> sipa: or store the uncompressed key, and compress it at address-generation/signing
19:55:26 <gmaxwell> achow101: why cant the same hack that indicates segwit is in use indicate compressed.. you just chop off some bytes of the key pretty much.
19:55:43 <sipa> btw, uncompressed keys account for 0.7% of used keys in succesful sigs on the network (in the past 2 hours)
19:55:44 <gmaxwell> it could be done entirely inside the process that seralizes the segwit scriptpubkey.
19:56:06 <achow101> gmaxwell: idk. ask goatpig
19:56:06 <gmaxwell> achow101: okay
19:56:09 * michagogo pokes his head in belatedly
19:56:10 <CodeShark> I think we should encourage all wallets to use compressed keys - achow101, if you need help with this I'd be willing to help
19:56:25 <sipa> agree - we should help
19:56:27 <gmaxwell> yes, lots of people would be glad to help.
19:56:32 <sipa> instead of just yell
19:56:50 <gmaxwell> well I offered to help armory move off uncompressed keys to alan several times, including offering to pay to do it.
19:56:56 <gmaxwell> so please don't say anyone just yelled.
19:58:39 <CodeShark> I initially designed my account structures to only use compressed keys - but later added a compressed bit to support legacy stuff
19:59:06 <petertodd> CodeShark: what legacy stuff specifically? legacy armory users?
19:59:08 <wumpus> CodeShark: bah,it's kind of sad that to hear some things seem to be going back instead of forward :)
19:59:18 <CodeShark> yes, to support other wallets
19:59:27 <wumpus> it's time
19:59:50 <CodeShark> but I think we really do need to prod all wallets to move to compressed keys
20:00:07 <CodeShark> there's really no reason to continue to support uncompressed keys - other than perhaps some migration tools
20:00:15 <wumpus> #endmeeting