#bitcoin-core-dev log

19:00:12 <wumpus> #startmeeting
19:00:12 <lightningbot> Meeting started Thu Jun 29 19:00:12 2017 UTC.  The chair is wumpus. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:12 <lightningbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:41 <sipa> oi
19:00:46 <instagibbs> #meetingbegin
19:00:58 <wumpus> topics?
19:00:59 <morcos> i'd like to discuss the fee changes needed for 0.15
19:01:06 <sipa> i have a few topics
19:01:16 <instagibbs> morcos, ack
19:01:19 <sipa> short update on signature aggregation
19:01:29 * BlueMatt wants to change priority review to #10652
19:01:31 <gribble> https://github.com/bitcoin/bitcoin/issues/10652 | Small step towards demangling cs_main from CNodeState by TheBlueMatt · Pull Request #10652 · bitcoin/bitcoin · GitHub
19:01:34 <gmaxwell> hurray for merges.
19:01:44 <sipa> the need for the watchonly rpc flag after multiwallet
19:01:47 <cfields> hi, here
19:02:09 <sipa> rolling utxo hashes
19:02:22 <wumpus> thanks for the topic suggestions, yes let's as usual start with high priority for review
19:02:33 <wumpus> #topic high priority for review
19:02:35 <wumpus> https://github.com/bitcoin/bitcoin/projects/8
19:02:38 <jonasschnelli> suggesting: again multiwallet endpoint vs json parameter
19:03:08 <wumpus> BlueMatt: instead of #10179?
19:03:11 <gribble> https://github.com/bitcoin/bitcoin/issues/10179 | Give CValidationInterface Support for calling notifications on the CScheduler Thread by TheBlueMatt · Pull Request #10179 · bitcoin/bitcoin · GitHub
19:03:15 <BlueMatt> correct
19:03:17 <kanzure> hi.
19:03:22 <BlueMatt> well, actually, its built on
19:03:22 <jonasschnelli> Replaced BlueMatt's 10179 with 10652
19:03:23 <BlueMatt> so...ehh
19:03:29 <BlueMatt> but, yea
19:03:46 <jonasschnelli> aha.. double pull binding strategy. :)
19:04:04 <BlueMatt> i mean 10179 is like one ack away, just want cfields to confirm i addressed his feedback sufficiently
19:04:25 <morcos> So I don't think I've had any there for a couple weeks, if I could add two?  It would be the first two of the fee changes, both have been open a little while, #10543 and #10589
19:04:26 <gribble> https://github.com/bitcoin/bitcoin/issues/10543 | Change API to estimaterawfee by morcos · Pull Request #10543 · bitcoin/bitcoin · GitHub
19:04:27 <gribble> https://github.com/bitcoin/bitcoin/issues/10589 | More economical fee estimates for RBF and RPC options to control by morcos · Pull Request #10589 · bitcoin/bitcoin · GitHub
19:04:35 <morcos> I apologize I have not been around to do more reviewing recently
19:05:09 <wumpus> BlueMatt: yes, as we discussed: it should still be merged, but it's no longer high-priority because you don't expect the dependent PR to get in in time to be safe for 0.15
19:05:22 <jonasschnelli> morcos: which one di you want to add to the high-prio list?
19:05:29 <jonasschnelli> *do
19:05:31 <wumpus> both
19:05:55 <morcos> both! :)  but i suppose 10589, if i can only have one
19:05:56 <jonasschnelli> Good
19:06:00 <BlueMatt> wumpus: well I want some glances at 10652 pre-15 to see if its too much or if it can go ahead...if its small enough for 15 I do want it for 15
19:06:19 <cfields> BlueMatt: yes, good enough. Will ACK it.
19:06:19 <jonasschnelli> We need both for 0.15
19:06:20 <BlueMatt> (since it fixes the kinda-not-a-big-deal provide-invalid-block attack thing)
19:07:15 <wumpus> ok - any other suggestions?
19:07:23 <wumpus> enough other topics otherwise
19:07:40 <wumpus> #topic short update on signature aggregation
19:07:43 <sipa> hi
19:07:43 <wumpus> (sipa)
19:07:54 <praxeology> Whats the status on the mempool data structure change?
19:08:05 <praxeology> woops not mempool
19:08:07 <sipa> this is just a status update of what gmaxwell, apoelstra and me have been working on lately
19:08:08 <praxeology> utxo
19:08:11 <wumpus> praxeology: you're interrupting a meeting
19:08:31 <sipa> i presented on this in milan, and later we wrote a paper for bitcoin17
19:08:37 <gmaxwell> praxeology: long since done.
19:08:50 <sipa> the paper was rejected with the very valuable feedback that a solution already existed
19:09:05 <sipa> namely a paper by Bellare & Neven from 2006
19:09:42 <sipa> it only solves one of the problems we were trying to solve (signature aggregation, not key aggregation)... but that's the only consensus-critical part if we'd want aggregation in bitcoin trnasactions
19:09:53 <gmaxwell> (which irritatingly never turned up in eons of searching for us)
19:10:15 <wumpus> so that solution is usable for bitcoin?
19:10:18 <sipa> yes
19:10:24 <sipa> the advantage is that this is peer-reviewed scheme with a strong security proof under very wide assumptions
19:10:26 <wumpus> nice!
19:10:29 <gmaxwell> Their solution is almost equivilent to ours (or is equivient with the right kind of squinting about hash function definitions).
19:10:31 <jonasschnelli> https://eprint.iacr.org/2006/285.pdf
19:10:38 <gmaxwell> so thats good too.
19:11:08 <wumpus> yes
19:11:12 <wumpus> good news
19:11:16 <gmaxwell> jonasschnelli: doesn't look like the right paper (though maybe its one they published to another venue)
19:11:17 <BlueMatt> cool!
19:11:48 <sipa> so what this scheme gives us is a way for transactions to have a single signature (as long as all signers cooperate, so even in the case of coinjoin) overall... regardless of the number of inputs or multisig
19:11:51 <wumpus> do we have a good link?
19:12:08 <sipa> https://cseweb.ucsd.edu/~mihir/papers/multisignatures-ccs.pdf
19:12:14 <sipa> ^
19:12:24 <gmaxwell> ^ thats it.
19:12:26 <wumpus> #link https://cseweb.ucsd.edu/~mihir/papers/multisignatures-ccs.pdf
19:12:35 <sipa> what it does not do is an ability to turn multisig into signle sig (but that could be added on top later, as it's purely a wallet interaction thing)
19:12:43 <sipa> it also supports batch validation
19:12:53 <cfields> ooh
19:12:56 <sipa> meaning that a whole block (or even multiple blocks) could be validated at once
19:13:16 <sipa> the speedup depends on the size of the batch, but may go as high as 5x (for 4000 signatures)
19:13:21 <gmaxwell> Unfortunately our paper isn't available because we need to update it to reflect that work,  but it is much more targeted for the Bitcoin application (and would probably be much more clear for people here).
19:13:50 <sipa> in the batch validation case (without aggregated signatures) the speedup would likely be restricted to 3.5x or so
19:13:55 <morcos> gmaxwell: is that something that'll happen?  can we just wait to read yours?
19:14:08 <sipa> yes, we'll definitely finish up the paper
19:14:18 <sipa> and discuss the change more widely
19:14:24 <sipa> just wanted to give a heads up here
19:14:31 <wumpus> yes, thanks for the update!
19:14:37 <morcos> if i could have next topic, i have to leave early
19:14:40 <cfields> sipa: what about that per-block aggregation that was briefly discussed? does this get us any closer to that?
19:14:50 <cfields> nm, will follow-up after meeting
19:15:07 <wumpus> morcos: what was your topic?
19:15:13 <gmaxwell> ~2.3x speedup for 32 signatures in the aggregate, fwiw.
19:15:17 <morcos> Fee changes for 0.15
19:15:27 <wumpus> #topic fee changes needed for 0.15
19:15:31 <wumpus> morcos: sorry, missed that one
19:15:50 <wumpus> morcos: you were actually first to propose a topic :)
19:16:05 <morcos> I'll be relatively quick for my part, I think I've got all the PR's out now that I think need to go in for 0.15, but I want to encourage people to think about a bunch of the RPC API changes so they are good in their first release
19:16:24 <morcos> But the other thign is there is one piece of missing functionality wheich I think is needed
19:16:36 <morcos> #10590
19:16:36 <gribble> https://github.com/bitcoin/bitcoin/issues/10590 | Access to longer fee estimates using GUI · Issue #10590 · bitcoin/bitcoin · GitHub
19:17:15 <morcos> Given how volatile fee estimates are and how much they change between short targets and long, I think it's important to give the GUI access to longer fee estimates
19:17:31 <morcos> But someone more familar with QT can probably whip that up a lot quicker than me
19:17:53 <morcos> Might be best to build it on top of all my other changes, #10707 shoudl have everything in one
19:17:54 <gribble> https://github.com/bitcoin/bitcoin/issues/10707 | Better API for estimatesmartfee RPC by morcos · Pull Request #10707 · bitcoin/bitcoin · GitHub
19:17:55 <jonasschnelli> I'll have a look.
19:18:13 <morcos> Thanks!  That's what I was hoping for. :)  instagibbs might have more on this topic?
19:18:21 <instagibbs> #10333 for fee bug fix :)
19:18:22 <gribble> https://github.com/bitcoin/bitcoin/issues/10333 | [wallet] fee fixes: always create change, adjust value, and p… by instagibbs · Pull Request #10333 · bitcoin/bitcoin · GitHub
19:18:36 <instagibbs> not much else, maybe I'll summon energy to review your PRs
19:18:39 <morcos> is that the only thing you feel is critical for 0.15?
19:18:46 <instagibbs> only realistic merge yeah
19:18:51 <morcos> most of mine are now easy to review i think
19:18:59 <gmaxwell> Do we have a feel for when bump will be generally usable enough to start making replacability a default? (or at least more visible?)
19:19:03 <instagibbs> some of my other work has been sucked up by achow101 so waiting on 0.16 for that stuff
19:19:54 <morcos> gmaxwell: at least it'll be easily accessible to choose RBF given the RPC and GUI options in 0.15
19:20:09 <instagibbs> I'd really like it to be able to add additional inputs as needed
19:20:13 <gmaxwell> Oh!  I often miss gui changes, I'll check that out.
19:20:20 <jonasschnelli> Yes. Not sure if we persist the RBF state across restarts (in the GUI)
19:20:21 <morcos> Might help us learn if there are other bump features needed...
19:20:23 <instagibbs> but it seems to me the logic is much simpler with effective value....
19:20:26 <jonasschnelli> Ideally we should
19:20:28 <instagibbs> some disagree
19:20:43 <gmaxwell> instagibbs: IIRC that was the big usability blocker for further use.
19:21:05 <wumpus> gmaxwell: https://github.com/bitcoin/bitcoin/pull/9527#issuecomment-311659024
19:21:09 <instagibbs> it randomly doesn't work which is disappointing UX
19:21:20 <morcos> gmaxwell: the ability to addother inputs?  isn't it pretty rare to not have change?
19:21:45 <jonasschnelli> But can happen...
19:21:46 <wumpus> no, we don't persist RBF state, it has to be selected per transaction
19:22:02 <jonasschnelli> wumpus: maybe the GUI should remember it
19:22:03 <instagibbs> morcos, we are going to target more exact matches in future, fwiw
19:22:04 <wumpus> the only way to make it persist is the command line option
19:22:15 <morcos> wumpus: the gui initializes with the the command line argument, and then persists during the session
19:22:15 <wumpus> jonasschnelli: meh, better to have it as "option" then
19:22:24 <gmaxwell> FWIW, I believe electrum defaults to replacable now and pushes pretty hard in that direction, though users can flip it off on a per tx basis.
19:22:29 <morcos> via checkbox
19:22:47 <wumpus> jonasschnelli: persisting non-option settings between restarts would be unexpected
19:23:03 <jonasschnelli> Yes. I guess your right..
19:23:03 <gmaxwell> In any case, I think the default is kind of moot until bumping is sufficiently mature.
19:23:21 <wumpus> between transactions in the same session makes sense I guess
19:23:25 <morcos> I suppose I have one more question on that
19:23:31 <jonasschnelli> Yes. If the bump won't work because it can't add another input the default should remain at the current state
19:23:37 <wumpus> yes
19:23:51 <jonasschnelli> It can happen quickly when fees are rising
19:23:59 <achow101> hi. I'm late
19:24:01 <morcos> Right now there are no options to the "Increase transaction fee" option in the GUI and it uses the default tx confirm target.  Should it instead use whatever the slider is set to?
19:24:19 <jonasschnelli> Yes
19:24:19 <morcos> If the slider is not in use and custom fee is set, shoudl it use that?
19:24:23 <wumpus> morcos: the slider is on another tab
19:24:24 <jonasschnelli> I'd like to work on the replacability in the GUI for 0.16
19:24:31 <morcos> Those would be easy changes to make after my PR
19:24:39 <BlueMatt> the slider is in another tab, thats strange
19:24:47 <wumpus> morcos: not sure that would be intuitive, people assume the slider is for new transactions, the bump option should probably have its own choice dialog
19:24:50 <jonasschnelli> First I though of bringing back to tx to the original send-tx screen (you could even add recipients... ) but meh
19:25:01 <morcos> wumpus: that seems maybe too much optionality
19:25:08 <jonasschnelli> The bump window should just be lager and has the slider
19:25:16 <wumpus> jonasschnelli: yes
19:25:27 <morcos> ok, thats fine.. so leave it as the wallet default confirm target for now?
19:25:35 <wumpus> yes
19:25:41 <BlueMatt> yea, sucks, but its easy and reasonable
19:25:47 <jonasschnelli> And also we have never really discussed the pre-signed bumps.. but that we should probably do in another meeting
19:25:57 <BlueMatt> yea, that sounds like a 16
19:25:59 <instagibbs> jonasschnelli, that will involve new strategy
19:26:00 <instagibbs> :)
19:26:17 <instagibbs> reasonably diff from after the fact fix imo
19:26:43 <jonasschnelli> I'd say focus on fee opt. in 0.15, rbf in 0.16
19:27:15 <wumpus> agreed
19:27:22 <wumpus> #topic the need for the watchonly rpc flag after multiwallet (sipa)
19:27:27 <sipa> hi!
19:27:38 <wumpus> (we need to move forward a bit, lots of topics)
19:27:43 <sipa> currently many RPCs have an optional flag "include watchonly"
19:27:44 <jonasschnelli> is that similar to the -disablehot?
19:27:53 * jonasschnelli is listening
19:28:14 <sipa> at the time the need for that flag existed because of a desire to keep your "hot" wallet separated from your "watch only" wallet
19:28:20 <sipa> i think that was a mistake
19:28:24 <wumpus> disablehot: #9662
19:28:25 <gribble> https://github.com/bitcoin/bitcoin/issues/9662 | Add `-disablehot` mode: a sane mode for watchonly-wallets by jonasschnelli · Pull Request #9662 · bitcoin/bitcoin · GitHub
19:28:41 <wumpus> sipa: yes, on the long term I agree with you
19:28:50 <jonasschnelli> sipa: you think with multiwallet the wallet should either be watch or hot?
19:28:55 <sipa> jonasschnelli: no
19:29:03 <wumpus> sipa: makes more sense to have a wallet either full-watchonly or has-keys
19:29:16 <sipa> wumpus: perhaps, but that's orthogonal
19:29:22 <wumpus> sipa: I don't understand you then
19:29:24 <instagibbs> ok get to the point :)
19:29:25 <BlueMatt> why is that a mistake?
19:29:32 <jonasschnelli> Let sipa explain...
19:29:33 <sipa> what i'm trying to get at is that the within-a-wallet separation is no longer needed
19:29:51 <wumpus> how is that different from what I said?
19:30:11 <wumpus> instead of watchonly within a wallet you'd have a watchonly wallet and a normal wallet
19:30:18 <sipa> i'm not arguing to remove the ability to have both keys and watchonly in one wallet
19:30:18 <gmaxwell> because if you want to have a mixed thing thats fine too, then you just have a mixed thing. No need to flag, if you want seperation, use two wallets.
19:30:19 <jonasschnelli> but I fail to see the difference then between only allowing watch-only or hot
19:30:32 <sipa> just that there is no need to just select coins that affect one part
19:30:38 <gmaxwell> you're suggesting an extra restriction.
19:30:38 <sipa> or see a 'balance' of just one part
19:30:51 <sipa> a wallet is a wallet, and has a single balance
19:31:01 <sipa> some of the keys may require decrypting your wallet
19:31:05 <wumpus> oh, right
19:31:06 <sipa> some of the keys may require a hardware wallet
19:31:18 <jonasschnelli> I see... yes.
19:31:21 <sipa> some of the key may be just watchonly and you need to use raw transactions to interact with thing
19:31:26 <BlueMatt> fair, this sounds like an 0.17 or 0.18 thing, though
19:31:30 <gmaxwell> Now, logically you probably will seperate or something, for convience, but I don't see a particular reason to require that right now.
19:31:32 <BlueMatt> are you asking if we should deprecate?
19:31:33 <sipa> i was hoping 0.15
19:31:33 <wumpus> BlueMatt: agree, long term
19:31:47 <sipa> just make the watchonly flag ignored and always set it to true
19:31:49 <wumpus> this is not something we're going to change in the RPC interface pre-0.15
19:31:54 <sipa> ok
19:31:55 <wumpus> peopel rely on this
19:32:01 <wumpus> we could document it as deprecated
19:32:03 <BlueMatt> we'd need to mark it deprecated
19:32:04 <morcos> sipa: that seems reasonable except what about identifying which things you have keys for and which you dont..
19:32:11 <BlueMatt> probably deprecate after we have working multiwallet that is stable
19:32:19 <wumpus> then remove the flag for 0.16 or 0.17, but this seems over-hurried
19:32:20 <BlueMatt> so maybe deprecate in 0.16...
19:32:24 <morcos> that seems a useful distinction to keep to me
19:32:25 <gmaxwell> with 0.15 and multiwallet we can start deprication at least-- e.g. advise that this will happen in the future, suggest people use seperate wallets. . The one problem with that however is that your seperate watchonly wallet still needs the stupid flag everywhere. :(
19:32:26 <BlueMatt> remove in 17 or 18
19:32:46 <wumpus> let's focus on actually getting multiwallet into 0.15
19:32:48 <jonasschnelli> I somehow think mixed wallets can be a footgun source... but right, it orthogonal
19:32:48 <instagibbs> related topic: some way to signal that the funds are "safe" when you expect a hardware wallet to have the privkey
19:32:52 <instagibbs> post-0.15 ofc
19:32:57 <sipa> maybe i haven't made this clear, but how do you deal with hardware wallets, for example?
19:33:07 <jonasschnelli> we need a standard!
19:33:08 <sipa> add a 2nd option everyone 'include hw wallet keys'
19:33:09 <morcos> +1 better support for hardware wallets!
19:33:14 <sipa> jonasschnelli: orthogonal
19:33:18 <wumpus> hardware wallets in bitcoin core is a different topic
19:33:23 <BlueMatt> we dont need to add a flag for hw wallets
19:33:30 <sipa> BlueMatt: then why do we need a flag for watchonly?
19:33:35 <wumpus> important, but certainly not one that's going to make it into 0.15
19:33:38 <BlueMatt> we can say "hw wallets are always included in balance, flag for watchonly is deprecated" starting in the version that supports hw wallets
19:33:40 <gmaxwell> sipa is pointing out that the model of 'watch only' when applied to also having hardware wallets starts adding combinitoric blowup.
19:33:54 <sipa> BlueMatt: fair enough
19:34:01 <jonasschnelli> If a wallet has no clear cur between hot and cold (watch-only), a code-level guarantee, I would not use it for hot funds...
19:34:02 <BlueMatt> yes, agreed, we should not make it worse, but we dont need to worry about this until at least 16, I think
19:34:06 <jonasschnelli> *cut
19:34:14 <wumpus> agree on not making it worse
19:34:15 <BlueMatt> need useable working good multiwallet first, which likely wont be 15
19:34:18 <gmaxwell> BlueMatt: thats a point. now just give me a flag for importmulti that gives me a watching key imported that way and it's good to go. :P
19:34:19 <sipa> jonasschnelli: again, orthogonal
19:34:34 <instagibbs> I have a working Core+Ledger system, and have a couple thoughts, but this is a different topic yep
19:34:39 <gmaxwell> BlueMatt: uhh, it's like done.
19:34:50 <jonasschnelli> sipa: but why not just separating pure watch-only wallets from hot wallets? Why would that be orthogonal?
19:35:03 <BlueMatt> gmaxwell: I know, but we need a cycle of finding more use-cases and making sure we've got it all covered, was my piont
19:35:11 <wumpus> yes multiwallet is almost done, but in 0.15 it will at least be experimental
19:35:15 <BlueMatt> eg createwallet flows within rpc, disconectwallet, etc
19:35:16 <sipa> jonasschnelli: "orthogonal" means you can still do that
19:35:23 <sipa> jonasschnelli: it has nothing to do with this issue
19:35:24 <wumpus> it's the first release it is in, after all
19:35:27 <gmaxwell> jonasschnelli: because that is an additional restriction that AFAIK isn't needed. maybe later its needed to not support mixed but it seems like a seperate issue to me.
19:35:46 <jonasschnelli> Okay
19:36:01 <BlueMatt> ok, so we all agree, eventually push people towards multiwallet away from watchonly :)
19:36:05 <BlueMatt> next topic? :p
19:36:07 <sipa> what i want to get add is that a wallet is just a collection of keys it considers "mine" - independent of its ability to actually fully sign
19:36:12 <sipa> BlueMatt: yes, agree
19:36:19 <wumpus> #topic rolling utxo hashes
19:36:22 <wumpus> (sipa again)
19:36:22 <sipa> hi!
19:36:30 <instagibbs> sipa, ISMINE_* tho :)
19:36:34 <instagibbs> ok next topic
19:36:54 <sipa> with pertxout we changed the serialized_hash because the new format no longer maintains the tx version of the utxo
19:37:11 <sipa> i posted about rolling utxo hashes a while ago on the ML
19:37:35 <sipa> i'm not proposing actually implementing that, but would it be worthwhile to immediately switch to a scheme that is compatible with it?
19:37:43 <sipa> so that there is no need to break the API again
19:38:01 <gmaxwell> sipa: as in don't do the rolling thing, but have the oneshot thing compute the same hash?
19:38:06 <sipa> yes
19:38:16 <sipa> downside: makes gettxoutsetinfo slower
19:38:30 <wumpus> how much slower?
19:38:32 <sipa> upside: allows us to make gettxoutsetinfo super fast in the future
19:38:42 <gmaxwell> lots slower.
19:38:44 <sipa> several times
19:38:56 <wumpus> could add a new RPC for it
19:39:02 <gmaxwell> sipa: Well a challenge there is that I'm not sure that we've settled on the field. So that isn't a guarentee of compatiblity.
19:39:03 <wumpus> instead of gettxoutsetinfo
19:39:27 <sipa> interesting, i hadn't considered that
19:39:30 <sipa> gmaxwell: yeah, i know
19:39:47 <gmaxwell> actually if we drop the hash from gettxoutsetinfo i think thats the only thing now that requires scanning the whole thing.
19:39:55 <sipa> no, everything does
19:40:01 <sipa> (txout count etc)
19:40:03 <wumpus> yes it's all aggregate statistics
19:40:06 <gmaxwell> yes but it wouldn't have to with rather trivial changes.
19:40:08 <sipa> though those things can be maintained on the fly
19:40:20 <gmaxwell> which would be robust and wouldn't change.
19:40:27 <sdaftuar> i think we will want an RPC that can scan the disk to calculate the answer, even if we are able to calculate everything on the fly
19:40:34 <sdaftuar> so that we know our on-disk data is correct
19:40:35 <sipa> sdaftuar: good point
19:40:39 <gmaxwell> sdaftuar: restart your node. :P
19:41:02 <sipa> an advantage of the fast hash is that you can compare it with a recompute-the-whole-thing
19:41:17 <wumpus> that'd be very nice
19:41:17 <gmaxwell> okay interesting points.
19:41:45 <wumpus> a utxo hash that would be quick to compute for every block would be very nice to have
19:42:20 <gmaxwell> (I was momentarily overestimating how easy it would be to switch to summary statistics, I forgot that they have to be saved and loaded across restart... or otherwise every startup needs the equal of a stats call)
19:43:03 <gmaxwell> wumpus: right thats the goal of pieter's work. It's just a bit immature now, and if we implmenet it at the moment we may want to switch to an incompatible version later.
19:43:39 <wumpus> I like to check that all my nodes have the same utxo hash, but calling getutxosetinfo for every block takes too much time, I've tried and given up :)
19:43:52 <gmaxwell> Assuming we stay with the multiplicative group hash,  we need to pick a prime where multiplication mod that prime is as fast as possible.  Sipa has done some work there, but it's a research project that can sink as much time as we want to put into it.
19:44:32 <sipa> or we could just use the elliptic curve version, which can probably be made ~2 slower than the GMP-based MuHash
19:44:38 <sipa> which is just a few lines of code
19:44:57 <wumpus> now doing it intermittently, but that means that when it fails we don't know exacly where it started to diverge
19:45:17 <gmaxwell> right, I want to have UpdateTip log the value.
19:45:23 <sipa> ^ that
19:45:31 <sdaftuar> wumpus: it's actually not clear to me how much the fast utxo hash calculation helps in comparing running nodes
19:46:11 <sipa> well the fast utxo hash lets you do a consistency check on just a single node
19:46:31 <sdaftuar> but what is exactly being compared as consistent?
19:46:32 <sipa> by having a fast incrementally-updated version, and a slow recompute-from-scratch one
19:46:33 <gmaxwell> sdaftuar: because you can log the utxo hash at each point, and so if they diverge in a way that the hash sees (e.g. not underlying disk corruption) you'll learn.   Also you could run a command that checks the disk against the running value to catch that disk corrouption.
19:46:56 <gmaxwell> so  your disk <> your running <> my running <> my disk
19:47:13 <sdaftuar> yes, i agree if you do the comparison with disk, then you get something valuable
19:47:25 <sdaftuar> but just comparing the fast calculation between nodes doesn't seem like it does much, does it?
19:47:28 <wumpus> hm yes good point
19:47:31 <gmaxwell> right now it is a PITA to compare you and I at disk because we have to do it at the same time (and hope there isn't a block at that instant. :P )
19:47:40 <sdaftuar> gmaxwell: agreed
19:47:47 <gmaxwell> sdaftuar: it depends on where the errors you're concerned about are happening.
19:48:23 <wumpus> gmaxwell: yes, even when you time the RPC command on blocknotify, it sometimes misses the block :)
19:48:31 <gmaxwell> if they're below the layer where the running hash runs you only gain if you also do periodic checks between it and the disk.  Above it, however, you have constant checking.
19:49:08 <gmaxwell> but the nice thing is that disk and running can be async checked... You and I don't need to do our disk comparisons at the same time.
19:49:36 <wumpus> indeed
19:49:49 <gmaxwell> sdaftuar: this is all also machinery we almost certantly need for a reasonable UTXO-assume-valid kind of sync in the future.
19:49:55 <wumpus> all in all a rolling utxo hash is an improvement, it creates more options, but you can still do the same as now if you want
19:50:03 <sdaftuar> gmaxwell: yeah i agree and that's the use case i'm most excited about :)
19:50:19 <sdaftuar> i was just trying to figure out exactly how i'd use to compare my own nodes, and wasn't sure of the utility
19:50:44 <gmaxwell> wumpus: the challange though is that it isn't free. muhash on the whole utxo set takes CPU minutes.
19:51:02 <wumpus> gmaxwell: yes I'm not sure it should replace the faster hash
19:51:15 <wumpus> maybe it should justb e an additional thing
19:51:23 <gmaxwell> well once it's a running hash its very fast. :P
19:51:41 <sdaftuar> hash_serialized_3? :P
19:51:41 <wumpus> OTOH we're already breaking the hash for 0.15
19:51:56 <wumpus> (which is kind of sad, as it makes it impossible to compare against older versions)
19:52:32 <gmaxwell> sipa backported the new hash to the old system for development testing, FWIW.
19:52:54 <gmaxwell> (it's a pretty trivial change, IIRC, just drop the version from it)
19:53:03 <wumpus> cool, that'd be useful, especially with the 0.14 to 0.15 database change it's important to be able to check synchronization
19:54:05 <gmaxwell> This patch existed at one point already, dunno if sipa still has it.
19:54:07 <sipa> the problem is that #10434 is quite a bit of intricate code
19:54:09 <gribble> https://github.com/bitcoin/bitcoin/issues/10434 | [WIP] 3072-bit MuHash based hash_serialized by sipa · Pull Request #10434 · bitcoin/bitcoin · GitHub
19:54:43 <sipa> the EC version would be many times less code (given that we already have secp256k1), but be a few times slower
19:55:36 <wumpus> I don't have a strong opinion on it
19:55:37 <sipa> on the other hand, MuHash is very simple to implement in anything that already has big integers (it's a few lines in python)
19:55:58 <sipa> ok
19:56:06 <wumpus> though in general I'd say higher performance seems preferable to the ability to re-use code
19:56:23 <sipa> in that case, some review would be welcome :)
19:56:32 <wumpus> but I haven't seen the code
19:56:42 <wumpus> yeah, hope to get around to it
19:56:59 <sipa> i can drop the asm optimized version from the first PR if wanted
19:57:06 <praxeology> Couldn't you put a delay on insert/remove from the rolling hash... say only for utxos that are 1 day of blocks old? isn't a hash for N blocks ago just about as good as the current hash?
19:57:18 <sipa> praxeology: totally irrelevant
19:57:43 <sipa> that would mean you need to keep those utxos around for processing later
19:57:59 <sipa> we have an approach that can combine them into a running hash in _microseconds_
19:58:06 <gmaxwell> All doing that does is perhaps saves you 1% of computation for blocks that are reorged out but at the expense of complexifying everything because the data is inconsistently available.
19:58:29 <praxeology> What percent of utxos are spent within a day?
19:58:37 <instagibbs> 2 minutes left
19:58:41 <instagibbs> if anyone has microtopic
19:58:43 <wumpus> that seems irrelevant to this discussion
19:58:54 <wumpus> (although it's interesting to know in its own right)
19:59:07 <praxeology> Sounds like you guys are concerned about performance on the rolling hash
19:59:24 <wumpus> #endmeeting