Groestlcoin 6th Anniversary Release
Dear Groestlers, it goes without saying that 2020 has been a difficult time for millions of people worldwide. The Groestlcoin team would like to take this opportunity to wish our best to everyone coping with the direct and indirect effects of COVID-19. Let it bring out the best in us all and show that collectively, we can conquer anything. The centralised banks and our national governments are facing unprecedented times, with interest rates worldwide dropping to record lows in places. Rest assured that this can only strengthen the fundamentals of all decentralised cryptocurrencies and the vision that was seeded with Satoshi's Bitcoin whitepaper over 10 years ago. Despite everything that has been thrown at us this year, the show must go on, and the team will still progress and advance to continue the momentum that we have developed over the past 6 years. In addition to this, we'd like to remind you all that this is Groestlcoin's 6th Birthday release! In terms of price there have been some crazy highs and lows over the years (with highs of around $2.60 and lows of $0.000077!), but in terms of value, Groestlcoin just keeps getting more valuable! In these uncertain times, one thing remains clear – Groestlcoin will keep going and keep innovating regardless. On with what has been worked on and completed over the past few months.
UPDATED - Groestlcoin Core 2.18.2
This is a major release of Groestlcoin Core with many protocol level improvements and code optimizations, featuring the technical equivalent of Bitcoin v0.18.2 but with Groestlcoin-specific patches. The most visible addition is a new 'Groestlcoin-wallet' tool, which is now distributed alongside Groestlcoin Core's other executables. NOTE: The 'Account' API, which was typically used in some tip bots, has been removed from this version. Please ensure you check the release notes from 2.17.2 for details on replacing this functionality.
Builds are now done through Gitian
Calls to getblocktemplate will fail if the segwit rule is not specified. Calling getblocktemplate without segwit specified is almost certainly a misconfiguration since doing so results in lower rewards for the miner. Failed calls will produce an error message describing how to enable the segwit rule.
A warning is printed if an unrecognized section name is used in the configuration file. Recognized sections are [test], [main], and [regtest].
Four new options are available for configuring the maximum number of messages that ZMQ will queue in memory (the "high water mark") before dropping additional messages. The default value is 1,000, the same as was used for previous releases.
The rpcallowip option can no longer be used to automatically listen on all network interfaces. Instead, the rpcbind parameter must be used to specify the IP addresses to listen on. Listening for RPC commands over a public network connection is insecure and should be disabled, so a warning is now printed if a user selects such a configuration. If you need to expose RPC in order to use a tool like Docker, ensure you only bind RPC to your localhost, e.g. docker run [...] -p 127.0.0.1:1441:1441 (this is an extra :1441 over the normal Docker port specification).
The rpcpassword option now causes a startup error if the password set in the configuration file contains a hash character (#), as it's ambiguous whether the hash character is meant for the password or as a comment.
The whitelistforcerelay option is used to relay transactions from whitelisted peers even when not accepted to the mempool. This option now defaults to being off, so that changes in policy and disconnect/ban behavior will not cause a node that is whitelisting another to be dropped by peers.
A new short document about the JSON-RPC interface describes cases where the results of an RPC might contain inconsistencies between data sourced from different subsystems, such as wallet state and mempool state.
A new document introduces Groestlcoin Core's BIP174 interface, which is used to allow multiple programs to collaboratively work to create, sign, and broadcast new transactions. This is useful for offline (cold storage) wallets, multisig wallets, coinjoin implementations, and many other cases where two or more programs need to interact to generate a complete transaction.
The output script descriptor (https://github.com/groestlcoin/groestlcoin/blob/mastedoc/descriptors.md) documentation has been updated with information about new features in this still-developing language for describing the output scripts that a wallet or other program wants to receive notifications for, such as which addresses it wants to know received payments. The language is currently used in multiple new and updated RPCs described in these release notes and is expected to be adapted to other RPCs and to the underlying wallet structure.
A new --disable-bip70 option may be passed to ./configure to prevent Groestlcoin-Qt from being built with support for the BIP70 payment protocol or from linking libssl. As the payment protocol has exposed Groestlcoin Core to libssl vulnerabilities in the past, builders who don't need BIP70 support are encouraged to use this option to reduce their exposure to future vulnerabilities.
The minimum required version of Qt (when building the GUI) has been increased from 5.2 to 5.5.1 (the depends system provides 5.9.7).
getnodeaddresses returns peer addresses known to this node. It may be used to find nodes to connect to without using a DNS seeder.
listwalletdir returns a list of wallets in the wallet directory (either the default wallet directory or the directory configured by the -walletdir parameter).
getrpcinfo returns runtime details of the RPC server. Currently, it returns an array of the currently active commands and how long they've been running.
deriveaddresses returns one or more addresses corresponding to an output descriptor.
getdescriptorinfo accepts a descriptor and returns information about it, including its computed checksum.
joinpsbts merges multiple distinct PSBTs into a single PSBT. The multiple PSBTs must have different inputs. The resulting PSBT will contain every input and output from all the PSBTs. Any signatures provided in any of the PSBTs will be dropped.
analyzepsbt examines a PSBT and provides information about what the PSBT contains and the next steps that need to be taken in order to complete the transaction. For each input of a PSBT, analyzepsbt provides information about what information is missing for that input, including whether a UTXO needs to be provided, what pubkeys still need to be provided, which scripts need to be provided, and what signatures are still needed. Every input will also list which role is needed to complete that input, and analyzepsbt will also list the next role in general needed to complete the PSBT. analyzepsbt will also provide the estimated fee rate and estimated virtual size of the completed transaction if it has enough information to do so.
utxoupdatepsbt searches the set of Unspent Transaction Outputs (UTXOs) to find the outputs being spent by the partial transaction. PSBTs need to have the UTXOs being spent to be provided because the signing algorithm requires information from the UTXO being spent. For segwit inputs, only the UTXO itself is necessary. For non-segwit outputs, the entire previous transaction is needed so that signers can be sure that they are signing the correct thing. Unfortunately, because the UTXO set only contains UTXOs and not full transactions, utxoupdatepsbt will only add the UTXO for segwit inputs.
getpeerinfo now returns an additional minfeefilter field set to the peer's BIP133 fee filter. You can use this to detect that you have peers that are willing to accept transactions below the default minimum relay fee.
The mempool RPCs, such as getrawmempool with verbose=true, now return an additional "bip125-replaceable" value indicating whether the transaction (or its unconfirmed ancestors) opts-in to asking nodes and miners to replace it with a higher-feerate transaction spending any of the same inputs.
settxfee previously silently ignored attempts to set the fee below the allowed minimums. It now prints a warning. The special value of "0" may still be used to request the minimum value.
getaddressinfo now provides an ischange field indicating whether the wallet used the address in a change output.
importmulti has been updated to support P2WSH, P2WPKH, P2SH-P2WPKH, and P2SH-P2WSH. Requests for P2WSH and P2SH-P2WSH accept an additional witnessscript parameter.
importmulti now returns an additional warnings field for each request with an array of strings explaining when fields are being ignored or are inconsistent, if there are any.
getaddressinfo now returns an additional solvable Boolean field when Groestlcoin Core knows enough about the address's scriptPubKey, optional redeemScript, and optional witnessScript for the wallet to be able to generate an unsigned input spending funds sent to that address.
The getaddressinfo, listunspent, and scantxoutset RPCs now return an additional desc field that contains an output descriptor containing all key paths and signing information for the address (except for the private key). The desc field is only returned for getaddressinfo and listunspent when the address is solvable.
importprivkey will preserve previously-set labels for addresses or public keys corresponding to the private key being imported. For example, if you imported a watch-only address with the label "cold wallet" in earlier releases of Groestlcoin Core, subsequently importing the private key would default to resetting the address's label to the default empty-string label (""). In this release, the previous label of "cold wallet" will be retained. If you optionally specify any label besides the default when calling importprivkey, the new label will be applied to the address.
getmininginfo now omits currentblockweight and currentblocktx when a block was never assembled via RPC on this node.
The getrawtransaction RPC & REST endpoints no longer check the unspent UTXO set for a transaction. The remaining behaviors are as follows:
If a blockhash is provided, check the corresponding block.
If no blockhash is provided, check the mempool.
If no blockhash is provided but txindex is enabled, also check txindex.
unloadwallet is now synchronous, meaning it will not return until the wallet is fully unloaded.
importmulti now supports importing of addresses from descriptors. A desc parameter can be provided instead of the "scriptPubKey" in a request, as well as an optional range for ranged descriptors to specify the start and end of the range to import. Descriptors with key origin information imported through importmulti will have their key origin information stored in the wallet for use with creating PSBTs.
listunspent has been modified so that it also returns witnessScript, the witness script in the case of a P2WSH or P2SH-P2WSH output.
createwallet now has an optional blank argument that can be used to create a blank wallet. Blank wallets do not have any keys or HD seed. They cannot be opened in software older than 2.18.2. Once a blank wallet has a HD seed set (by using sethdseed) or private keys, scripts, addresses, and other watch only things have been imported, the wallet is no longer blank and can be opened in 2.17.2. Encrypting a blank wallet will also set a HD seed for it.
signrawtransaction is removed after being deprecated and hidden behind a special configuration option in version 2.17.2.
The 'account' API is removed after being deprecated in v2.17.2. The 'label' API was introduced in v2.17.2 as a replacement for accounts. See the release notes from v2.17.2 for a full description of the changes from the 'account' API to the 'label' API.
addwitnessaddress is removed after being deprecated in version 2.16.0.
generate is deprecated and will be fully removed in a subsequent major version. This RPC is only used for testing, but its implementation reached across multiple subsystems (wallet and mining), so it is being deprecated to simplify the wallet-node interface. Projects that are using generate for testing purposes should transition to using the generatetoaddress RPC, which does not require or use the wallet component. Calling generatetoaddress with an address returned by the getnewaddress RPC gives the same functionality as the old generate RPC. To continue using generate in this version, restart groestlcoind with the -deprecatedrpc=generate configuration option.
Be reminded that parts of the validateaddress command have been deprecated and moved to getaddressinfo. The following deprecated fields have moved to getaddressinfo: ismine, iswatchonly, script, hex, pubkeys, sigsrequired, pubkey, embedded, iscompressed, label, timestamp, hdkeypath, hdmasterkeyid.
The addresses field has been removed from the validateaddress and getaddressinfo RPC methods. This field was confusing since it referred to public keys using their P2PKH address. Clients should use the embedded.address field for P2SH or P2WSH wrapped addresses, and pubkeys for inspecting multisig participants.
A new /rest/blockhashbyheight/ endpoint is added for fetching the hash of the block in the current best blockchain based on its height (how many blocks it is after the Genesis Block).
A new Window menu is added alongside the existing File, Settings, and Help menus. Several items from the other menus that opened new windows have been moved to this new Window menu.
In the Send tab, the checkbox for "pay only the required fee" has been removed. Instead, the user can simply decrease the value in the Custom Fee rate field all the way down to the node's configured minimum relay fee.
In the Overview tab, the watch-only balance will be the only balance shown if the wallet was created using the createwallet RPC and the disable_private_keys parameter was set to true.
The launch-on-startup option is no longer available on macOS if compiled with macosx min version greater than 10.11 (use CXXFLAGS="-mmacosx-version-min=10.11" CFLAGS="-mmacosx-version-min=10.11" for setting the deployment sdk version).
A new groestlcoin-wallet tool is now distributed alongside Groestlcoin Core's other executables. Without needing to use any RPCs, this tool can currently create a new wallet file or display some basic information about an existing wallet, such as whether the wallet is encrypted, whether it uses an HD seed, how many transactions it contains, and how many address book entries it has.
Since version 2.16.0, Groestlcoin Core's built-in wallet has defaulted to generating P2SH-wrapped segwit addresses when users want to receive payments. These addresses are backwards compatible with all widely used software. Starting with Groestlcoin Core 2.20.1 (expected about a year after 2.18.2), Groestlcoin Core will default to native segwit addresses (bech32) that provide additional fee savings and other benefits. Currently, many wallets and services already support sending to bech32 addresses, and if the Groestlcoin Core project sees enough additional adoption, it will instead default to bech32 receiving addresses in Groestlcoin Core 2.19.1. P2SH-wrapped segwit addresses will continue to be provided if the user requests them in the GUI or by RPC, and anyone who doesn't want the update will be able to configure their default address type. (Similarly, pioneering users who want to change their default now may set the addresstype=bech32 configuration option in any Groestlcoin Core release from 2.16.0 up.)
BIP 61 reject messages are now deprecated. Reject messages have no use case on the P2P network and are only logged for debugging by most network nodes. Furthermore, they increase bandwidth and can be harmful for privacy and security. It has been possible to disable BIP 61 messages since v2.17.2 with the -enablebip61=0 option. BIP 61 messages will be disabled by default in a future version, before being removed entirely.
The submitblock RPC previously returned the reason a rejected block was invalid the first time it processed that block but returned a generic "duplicate" rejection message on subsequent occasions it processed the same block. It now always returns the fundamental reason for rejecting an invalid block and only returns "duplicate" for valid blocks it has already accepted.
A new submitheader RPC allows submitting block headers independently from their block. This is likely only useful for testing.
The signrawtransactionwithkey and signrawtransactionwithwallet RPCs have been modified so that they also optionally accept a witnessScript, the witness script in the case of a P2WSH or P2SH-P2WSH output. This is compatible with the change to listunspent.
For the walletprocesspsbt and walletcreatefundedpsbt RPCs, if the bip32derivs parameter is set to true but the key metadata for a public key has not been updated yet, then that key will have a derivation path as if it were just an independent key (i.e. no derivation path and its master fingerprint is itself).
The -usehd configuration option was removed in version 2.16.0. From that version onwards, all new wallets created are hierarchical deterministic wallets. This release makes specifying -usehd an invalid configuration option.
This release allows peers that your node automatically disconnected for misbehaviour (e.g. sending invalid data) to reconnect to your node if you have unused incoming connection slots. If your slots fill up, a misbehaving node will be disconnected to make room for nodes without a history of problems (unless the misbehaving node helps your node in some other way, such as by connecting to a part of the Internet from which you don't have many other peers). Previously, Groestlcoin Core banned the IP addresses of misbehaving peers for a period (default of 1 day); this was easily circumvented by attackers with multiple IP addresses. If you manually ban a peer, such as by using the setban RPC, all connections from that peer will still be rejected.
The key metadata will need to be upgraded the first time that the HD seed is available. For unencrypted wallets this will occur on wallet loading. For encrypted wallets this will occur the first time the wallet is unlocked.
Newly encrypted wallets will no longer require restarting the software. Instead such wallets will be completely unloaded and reloaded to achieve the same effect.
A sub-project of Bitcoin Core now provides Hardware Wallet Interaction (HWI) scripts that allow command-line users to use several popular hardware key management devices with Groestlcoin Core. See their project page for details.
This release changes the Random Number Generator (RNG) used from OpenSSL to Groestlcoin Core's own implementation, although entropy gathered by Groestlcoin Core is fed out to OpenSSL and then read back in when the program needs strong randomness. This moves Groestlcoin Core a little closer to no longer needing to depend on OpenSSL, a dependency that has caused security issues in the past. The new implementation gathers entropy from multiple sources, including from hardware supporting the rdseed CPU instruction.
On macOS, Groestlcoin Core now opts out of application CPU throttling ("app nap") during initial blockchain download, when catching up from over 100 blocks behind the current chain tip, or when reindexing chain data. This helps prevent these operations from taking an excessively long time because the operating system is attempting to conserve power.
How to Upgrade?
Windows: If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), then run the installer.
OSX: If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), run the dmg and drag Groestlcoin Core to Applications.
Ubuntu: http://groestlcoin.org/forum/index.php?topic=441.0
ALL NEW - Groestlcoin Moonshine iOS/Android Wallet
Built with React Native, Moonshine utilizes Electrum-GRS's JSON-RPC methods to interact with the Groestlcoin network. GRS Moonshine's intended use is as a hot wallet, meaning your keys are only as safe as the device you install this wallet on. As with any hot wallet, please ensure that you keep only a small, responsible amount of Groestlcoin on it at any given time.
Groestlcoin Mainnet & Testnet supported
Multiple wallet support
Electrum - Support for both random and custom peers
Biometric + Pin authentication
Custom fee selection
Import mnemonic phrases via manual entry or scanning
BIP39 Passphrase functionality
Support for Segwit-compatible & legacy addresses in settings
Support individual private key sweeping
UTXO blacklisting - Accessible via the Transaction Detail view, this allows users to blacklist any UTXO that they do not wish to include in their list of available UTXOs when sending transactions. Blacklisting a UTXO excludes its amount from the wallet's total balance.
Ability to Sign & Verify Messages
Support BitID for password-free authentication
Coin Control - This can be accessed from the Send Transaction view and allows users to select from a list of available UTXOs to include in their transaction.
HODL GRS connects directly to the Groestlcoin network using SPV mode and doesn't rely on servers that can be hacked or disabled. HODL GRS utilizes AES hardware encryption, app sandboxing, and the latest security features to protect users from malware, browser security holes, and even physical theft. Private keys are stored only in the secure enclave of the user's phone, inaccessible to anyone other than the user. Simplicity and ease of use are the core design principles of HODL GRS. A simple recovery phrase (which we call a Backup Recovery Key) is all that is needed to restore the user's wallet if they ever lose or replace their device. HODL GRS is deterministic, which means the user's balance and transaction history can be recovered just from the backup recovery key.
Simplified payment verification for fast mobile performance
Groestlcoin Seed Savior is a tool for recovering BIP39 seed phrases. This tool is meant to help users with recovering a slightly incorrect Groestlcoin mnemonic phrase (AKA backup or seed). You can enter an existing BIP39 mnemonic and get derived addresses in various formats. To find out if one of the suggested addresses is the right one, you can click on the suggested address to check the address' transaction history on a block explorer.
If a word is wrong, the tool will try to suggest the closest option.
If a word is missing or unknown, please type "?" instead and the tool will find all relevant options.
NOTE: NVidia GPU or any CPU only. AMD graphics cards will not work with this address generator. VanitySearch is a command-line Segwit-capable vanity Groestlcoin address generator. Add unique flair when you tell people to send Groestlcoin. Alternatively, VanitySearch can be used to generate random addresses offline. If you're tired of the random, cryptic addresses generated by regular groestlcoin clients, then VanitySearch is the right choice for you to create a more personalized address. VanitySearch is a groestlcoin address prefix finder. If you want to generate safe private keys, use the -s option to enter your passphrase, which will be used for generating a base key as in the BIP38 standard (VanitySearch.exe -s "My PassPhrase" FXPref). You can also use VanitySearch.exe -ps "My PassPhrase", which will add a crypto secure seed to your passphrase. VanitySearch may not compute a good grid size for your GPU, so try different values using the -g option to get the best performance. If you want to use GPUs and CPUs together, you may get the best performance by keeping one CPU core for handling GPU(s)/CPU exchanges (use the -t option to set the number of CPU threads).
Fixed size arithmetic
Fast Modular Inversion (Delayed Right Shift 62 bits)
SecpK1 Fast modular multiplication (2 steps folding 512bits to 256bits using 64 bits digits)
Use some properties of elliptic curve to generate more keys
SSE Secure Hash Algorithm SHA256 and RIPEMD160 (CPU)
Groestlcoin EasyVanity 2020 is a Windows app built from the ground up that makes it easier than ever before to create your very own bespoke bech32 address(es) whilst not connected to the internet. If you're tired of the random, cryptic bech32 addresses generated by regular Groestlcoin clients, then Groestlcoin EasyVanity 2020 is the right choice for you to create a more personalised bech32 address. This 2020 version uses the new VanitySearch to generate not only legacy addresses (F prefix) but also Bech32 addresses (grs1 prefix).
Ability to continue finding keys after first one is found
Includes warning on start-up if connected to the internet
Ability to output keys to a text file (And shows button to open that directory)
Show and hide the private key with a simple toggle switch
Show full output of commands
Ability to choose between Processor (CPU) and Graphics Card (GPU) (NVidia ONLY!)
Features both Light and Dark Material Design-style themes
Free software - MIT. Anyone can audit the code.
Written in C# - The code is short, and easy to review.
Groestlcoin WPF is an alternative full node client with optional lightweight 'thin-client' mode based on WPF. Windows Presentation Foundation (WPF) is one of Microsoft's latest approaches to a GUI framework, used with the .NET framework. Its main advantages over the original Groestlcoin client include support for exporting blockchain.dat and including a lite wallet mode. This wallet was previously deprecated but has been brought back to life with modern standards.
Works via TOR or SOCKS5 proxy
Can use bootstrap.dat format as blockchain database
Import/Export blockchain to/from bootstrap.dat
Import wallet.dat from Groestlcoin-qt wallet
Export wallet to wallet.dat
Use both groestlcoin-wpf and groestlcoin-qt with the same addresses in parallel. When you send money from one program, the transaction will automatically be visible on the other wallet.
Rescan blockchain with a simple mouse click
Works as a full node and listens to port 1331 (listening port can be changed)
Fast Block verifying, parallel processing on multi-core CPUs
Mine Groestlcoins with your CPU by a simple mouse click
All private keys are kept encrypted on your local machine (or on a USB stick)
Lite - Has a lightweight "thin client" mode which does not require a new user to download the entire Groestlcoin chain and store it
Free and decentralised - Open Source under GNU license
Fixed Import/Export to wallet.dat
Rescan wallet option
Change wallet password option
Address type and Change type options through *.conf file
Import from bootstrap.dat - It is a flat, binary file containing Groestlcoin blockchain data, from the genesis block through a recent height. All versions automatically validate and import the file "grs.bootstrap.dat" in the GRS directory. Grs.bootstrap.dat is compatible with Qt wallet. GroestlCoin-Qt can load from it.
In Full mode file %APPDATA%\Groestlcoin-WPF\GRS\GRS.bootstrap.dat is full blockchain in standard bootstrap.dat format and can be used with other clients.
Groestlcoin Electrum Personal Server aims to make using the Electrum Groestlcoin wallet more secure and more private. It makes it easy to connect your Electrum-GRS wallet to your own full node. It is an implementation of the Electrum-grs server protocol which fulfils the specific need of using the Electrum-grs wallet backed by a full node, but without the heavyweight server backend, for a single user. It allows the user to benefit from all of Groestlcoin Core's resource-saving features like pruning, blocks only and disabled txindex. All of Electrum-GRS's feature-richness like hardware wallet integration, multi-signature wallets, offline signing, seed recovery phrases, coin control and so on can still be used, but connected only to the user's own full node. Full node wallets are important in Groestlcoin because they are a big part of what makes the system trustless. No longer do people have to trust a financial institution like a bank or PayPal; they can run software on their own computers. If Groestlcoin is digital gold, then a full node wallet is your own personal goldsmith who checks for you that received payments are genuine. Full node wallets are also important for privacy. Using Electrum-GRS under the default configuration requires it to send (hashes of) all your Groestlcoin addresses to some server. That server can then easily spy on your transactions. Full node wallets like Groestlcoin Electrum Personal Server download the entire blockchain and scan it for the user's own addresses, and therefore don't reveal to anyone else which Groestlcoin addresses they are interested in. Groestlcoin Electrum Personal Server can also broadcast transactions through Tor, which improves privacy by resisting traffic analysis of broadcast transactions that could link the IP address of the user to the transaction. If enabled, this happens transparently whenever the user simply clicks "Send" on a transaction in the Electrum-grs wallet.
Note: Currently Groestlcoin Electrum Personal Server can only accept one connection at a time.
Use your own node
Uses less CPU and RAM than ElectrumX
Used intermittently rather than needing to be always-on
Doesn't require an index of every Groestlcoin address ever used like on ElectrumX
UPDATED – Android Wallet 7.38.1 - Main Net + Test Net
The app allows you to send and receive Groestlcoin on your device using QR codes and URI links. When using this app, please back up your wallet and email the backup to yourself! This will save your wallet in a password protected file. Then your coins can be retrieved even if you lose your phone.
Add confidence messages, helping users to understand the confidence state of their payments.
Handle edge case when restoring via an external app.
Count devices with a memory class of 128 MB as low ram.
Introduce dark mode on Android 10 devices.
Reduce memory usage of PIN-protected wallets.
Tapping on the app's version will reveal a checksum of the APK that was installed.
Fix issue with confirmation of transactions that empty your wallet.
Groestlcoin Sentinel is a great solution for anyone who wants the convenience and utility of a hot wallet for receiving payments directly into their cold storage (or hardware wallets). Sentinel accepts XPUBs, YPUBs, ZPUBs and individual Groestlcoin addresses. Once added you will be able to view balances, view transactions, and (in the case of XPUBs, YPUBs and ZPUBs) deterministically generate addresses for that wallet. Groestlcoin Sentinel is a fork of Groestlcoin Samourai Wallet with all spending and transaction building code removed.
Private endpoints use HMAC SHA512 signatures. Use your API Secret to generate a signed query string. The signed query string should not itself contain a sign parameter. For endpoints without any parameters you should sign the query: key=API_KEY&timestamp=TIMESTAMP
API_KEY — your public key, found on the keys management page
TIMESTAMP — current timestamp in milliseconds
You can find the full BitHash Trading API (v4) guide here: https://support.bithash.net/hc/en-us/articles/360039964551-Private-API-v4-
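The signing scheme described above, as an added example that is not BitHash's own code: the client computes HMAC-SHA512 over key=API_KEY&timestamp=TIMESTAMP with the API secret and appends it as sign, and the server recomputes it, compares in constant time and rejects stale timestamps so a captured query cannot be replayed. The field order for endpoints with extra parameters and the 30 second skew window are assumptions of this example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode


def sign_query(api_secret: str, query: str) -> str:
    """HMAC-SHA512 over the raw query string, keyed with the API secret, hex encoded."""
    return hmac.new(api_secret.encode("utf-8"), query.encode("utf-8"),
                    hashlib.sha512).hexdigest()


def build_signed_query(api_key: str, api_secret: str,
                       params: Optional[Dict[str, str]] = None,
                       timestamp_ms: Optional[int] = None) -> str:
    """Client side. With no params the signed string is exactly
    key=API_KEY&timestamp=TIMESTAMP as the API guide states; placing extra
    params between key and timestamp is an assumption of this example."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    fields = {"key": api_key, **(params or {}), "timestamp": str(timestamp_ms)}
    if "sign" in fields:
        raise ValueError("the query to be signed must not contain a sign parameter")
    query = urlencode(fields)
    return f"{query}&sign={sign_query(api_secret, query)}"


def verify_signed_query(api_secret: str, signed_query: str, now_ms: int,
                        max_skew_ms: int = 30_000) -> bool:
    """Server side: recompute the MAC over everything before &sign=, compare in
    constant time, and refuse timestamps outside the skew window (replay)."""
    query, sep, presented = signed_query.rpartition("&sign=")
    if not sep:
        return False
    # A well-formed sign value is 128 lowercase hex characters; anything else is
    # rejected before it reaches compare_digest.
    if len(presented) != 128 or any(c not in "0123456789abcdef" for c in presented):
        return False
    fields = dict(parse_qsl(query, keep_blank_values=True))
    if "sign" in fields or "key" not in fields or "timestamp" not in fields:
        return False
    try:
        ts = int(fields["timestamp"])
    except ValueError:
        return False
    if abs(now_ms - ts) > max_skew_ms:
        return False
    return hmac.compare_digest(sign_query(api_secret, query), presented)


if __name__ == "__main__":
    # Constructed key and secret; a real secret comes from the keys management page.
    demo_key, demo_secret = "MYKEY", "constructed-secret"
    q = build_signed_query(demo_key, demo_secret, timestamp_ms=1700000000000)
    print(q)
    print("valid now   :", verify_signed_query(demo_secret, q, now_ms=1700000005000))
    print("stale replay:", verify_signed_query(demo_secret, q, now_ms=1700000000000 + 60_000))
```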
When was AsicVault established and how is it funded?
AsicVault was established in 2016. It is funded by founders and corporate investors. Please see Crunchbase.

How can it be 1,000 times harder to crack compared to other BIP-39 hardware wallets?
BIP-39 hardware wallets work on very low-performance microcontrollers or secure elements. They do only 2,048 iterations of PBKDF2 SHA-512, which is even less than the old NIST recommendation of 10,000 rounds from 2016. Performing a higher number of PBKDF2 SHA-512 rounds is standard practice for good security: iTunes does it, LastPass does it and VeraCrypt as well. Even Ledger agrees that this very low number is the main problem of BIP-39. AsicVault's specially designed SHA-512 accelerator inside a high-performance secure chip is at least 340 times faster than common microcontrollers. The number of PBKDF2 SHA-512 rounds is set to be exactly 1,000 times higher than BIP-39, hence the cost to crack AsicVault is also 1,000 times higher. Please read the in-depth teardown review and validation of AsicVault SHA-512 performance here. You can perform independent analysis according to this PDF, and our device performance is shown in this video.

Does it support BIP-39 passphrase?
Yes, AsicVault supports all standard BIP-39 seed words and an additional passphrase (the so-called 25th word). You can restore your HD wallet account created by other hardware wallets (Ledger, Trezor, Keepkey) without any additional steps. AsicVault always opens the standard-security BIP-39 account and the high-security BIP-39 accounts at the same time.

Why two processors?
Common design practice, also followed by Ledger, is to separate secure and non-secure code. Our advantage is that these two RISC-V processors are inside a single secure chip. This way the Security CPU has full access to the Application CPU RAM. This makes it possible to do proper secure boot.

Why RISC-V?
Open instruction set. Possibility to have an open source CPU and extensions. We have already implemented several custom instructions.

Do I need a computer to initialize the device?
No. You can supply power from a wall adapter or battery bank. AsicVault supports a true air-gapped environment. You can perform full device initialization, seed word generation and seed word backup without connection to a computer. You can also charge the device and check its status the same way.

Can I use USB extender cables?
Certified USB 2.0 extender cables can be used. We don’t recommend extender cables while using the USB 3.1 features of the device. The device can detect (some) bad cables and show warning messages about them. It is not recommended to use cables/extenders longer than 2.5 m. In any case, cables with a lower AWG value are better, such as AWG20.

How hot does the device get?
During normal operation the AsicVault device temperature reaches 35-37 °C. High-speed USB 3.0 operation adds an additional 7 °C. AsicVault utilizes a full aluminium enclosure as an effective heatsink. Internal chips can tolerate up to +85 °C, so you never need to worry about them overheating. There are no lithium batteries inside the device, which are known for leaking and not tolerating high temperatures.

How long does the active anti-tamper system work?
Active anti-tamper protects your device for at least 2 weeks, possibly up to 45 days, after you have fully charged the device. It takes just 15 minutes to charge the supercapacitors again. It is advisable to connect the device to a power source at least once per week. Different anti-tamper settings affect the anti-tamper aggressiveness, sensitivity and power consumption. It is also good practice to enter your passphrase weekly so that you will not forget it.

How often can I charge it? Do the batteries age?
You can charge it as often as you like, several times per day. Supercapacitors can be charged 50,000 – 1,000,000 times during their lifetime, compared to common lithium batteries that only allow 500-1,000 times. Therefore even 10 times per day for 10 years should be fine. At least weekly charging is recommended for best anti-tamper protection.

How long are private keys safely stored inside the device before the memory gets weak and they are lost?
Data retention time of the Flash memory inside the main chip is 20 years. Additional encryption keys stored inside FRAM can last for 40 years at temperatures below 70 °C. These values are higher than the expected lifetime of the device. In any case you must make paper backup(s) of your seed words.

Can it store the whole Bitcoin blockchain inside the device?
No. The device is not designed to store large amounts of data. Internal 128-megabyte Flash is used to store applications. There are thousands of copies of the blockchain; storing yet another copy is not meaningful or necessary.

What is FIPS 140-2 highest Level 4?
FIPS 140-2 is a Federal Information Processing Standard. Level 4 requires that:
Physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access
Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate deletion of all plaintext CSPs
Security Level 4 also protects a cryptographic module against a security compromise due to environmental conditions or fluctuations outside of the module's normal operating ranges for voltage and temperature
A cryptographic module is required to include special environmental protection features designed to detect fluctuations and delete CSPs
We have used these guidelines while designing AsicVault. We meet and exceed the requirements in the following way:
AsicVault has a full aluminium/titanium enclosure that is not designed to be opened. A passive anti-tamper mesh protects the electronic circuits inside the device. The main secure chip also has a chip-level metal-layer anti-tamper mesh.
Active anti-tamper circuit monitors all intrusion attempts and performs immediate device zeroization upon detecting any such attempts.
AsicVault has temperature, voltage and many other sensors that are continuously monitored by the anti-tamper circuit. Additionally, AsicVault has internal supercapacitor-based power reserve to run Elliptic Curve calculations and other cryptographic functions. Therefore, external voltage fluctuations can’t affect our device while performing these critical operations.
Zeroization not only deletes the private keys, it also destroys internal hardware design making it impossible to perform any further analysis of the hardware.
AsicVault has not participated in the formal Cryptographic Module Validation Program since we are not targeting US government users at this point.

Can the AsicVault device run Linux?
It is not our priority to run Linux, since it has too much overhead for a hardware wallet. However, our RISC-V processors and Mark II hardware can run Linux for your custom projects.

Where can I purchase the device?
Please contact your local supplier about availability.
Using a hashing tool (e.g. Gtkhash in Debian), enter the text "596" with an HMAC of "canwestoptalkingaboutlambosnow?" and you will find the SHA512 hash matches the one in the witnessed post.
I will contact phillipsjk to arrange delivery of their lambo, and hopefully they will take some photos of it when it arrives.
Thanks everyone for participating in this, hope you had fun!
As of writing this, /Monero is only 9750 subscribers short of the big 2-0. That's a great sign for overall interest in this truly unique and important innovation to cryptocurrencies, much more important than an occasional spike in spot price.
A long-running inside joke for Monero users is that Monero will give Bitcoin latecomers another chance to get a Lamborghini. It seemed as fitting a theme for a giveaway as any, so that's what I'm going to do: give one away here on the subreddit. Since I'm not rich, we'll have to settle for a Hot Wheels Lamborghini (USD $6 value!)
Since I don't want things to be too complicated but still fair, I'll just ask that participants choose a number between 0001 and 2000. That's 2,000, not 20,000!!! 20,000 would take far too long and there may not be any winner at all!
Acceptable guess range is 0001 ~ 2000
Next, check the page for an existing number by first making sure all comments in the page are showing, then searching (CTRL + F) for the string x####x, where #### is your number.
Here are some valid number formats:
x0000x x0014x x0616x x1001x
Here are some invalid number formats:
20 x014x x2001x (0001 ~ 2000!) 2001x
If for example you choose the number 412 and post it as x412x, this would not be a proper guess. You should have posted x0412x instead. That would suck, to lose on a technicality, right? Couldn't agree more! Get it right!
I have already generated my secret random number from random.org (oooh, fancy!) to use as the hash string, and created a secret password for the HMAC, hashing it with SHA512. The resulting hash is:
Once we hit the 20,000 subscriber mark, the thread will close and I'll release the HMAC used for the secret hash as well as my generated number so that anyone can independently verify the hash and find the winner in the thread.
Do I have to provide you with my personal mailing address?
I am involved in Monero solely for its privacy protections. I respect people's right to privacy dearly. I would not want to ever know anyone's shipping information, and I believe it won't be necessary if ordering as a gift that someone can claim on their own. We will figure it out.
What if no one guesses the number?
Then the closest number to the right one will win. If two people are equally close (like 100 and 102 if the number was 101), then the user with the oldest timestamped guess will win.
What if two or more people win?
That's not possible, as if one participant happens to erroneously choose the same number as another participant, the participant with the oldest timestamp will have won by default.
How will anyone see this thread if it's not stickied?
Threads that are upvoted are kept near the front page. You can help keep it there if you like.
I saw you edit this post. Are you cheating?
To avoid confusion, I will edit this post regularly to update for announcements and clarifications as I see fit, but to make sure the hash stays intact I have also posted it here in this thread and will not edit that comment for later verification. I encourage others to respond to that comment with the same hash as well for added redundancy.
Wait, what if I edit my message then?
Editing your message for any reason makes your entry null and void. If you do it by accident, quickly post the same number again in a new message and delete the old one after you're done. If you were too late and someone sniped your number, choose another. If you weren't aware someone sniped your number, posts with the same winning number are decided by their timestamp: the oldest one wins.
What if I make multiple posts to the thread, how would you know I wasn't cheating and covering my tracks later?
I wouldn't. Don't do it. Do not post multiple times in this thread unless it's in response to your own or someone else's comments. This bears repeating:
Do not edit your posts after making them. It will disqualify the post!
Do not post multiple times in this thread unless responding to your own or someone else's comment.
If you want to make a comment, respond to your own post to make it. There it will function as a mini-thread for conversation. Good luck everyone, and thanks for making this place friendly and enjoyable.
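The commit-then-reveal mechanism and the winner rules of the giveaway above (closest guess wins, ties go to the oldest timestamp, only x####x in range counts), as an added example that is not part of the original thread. The commitment is HMAC-SHA512 keyed with the secret passphrase over the number's decimal string; the sample entries are constructed.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional, Tuple

GUESS_RE = re.compile(r"^x(\d{4})x$")  # exactly four digits between the x markers
LOW, HIGH = 1, 2000                    # acceptable guess range 0001 ~ 2000


def commit(secret_number: int, passphrase: str) -> str:
    """Commitment published before the game: HMAC-SHA512 over the number's
    decimal string, keyed with a passphrase that stays secret until the reveal.
    Without the passphrase the 2,000 possible numbers cannot be brute-forced."""
    return hmac.new(passphrase.encode(), str(secret_number).encode(), hashlib.sha512).hexdigest()


def verify_reveal(commitment: str, revealed_number: int, revealed_passphrase: str) -> bool:
    """Anyone can recompute the HMAC from the revealed number and passphrase
    and check it against the hash that was posted up front."""
    return hmac.compare_digest(commitment.lower(), commit(revealed_number, revealed_passphrase))


def parse_guess(text: str) -> Optional[int]:
    """Return the guessed number for a well-formed, in-range entry, else None."""
    m = GUESS_RE.match(text.strip())
    if not m:
        return None
    n = int(m.group(1))
    return n if LOW <= n <= HIGH else None


def pick_winner(entries: Iterable[Tuple[str, int, str]], secret_number: int) -> Optional[str]:
    """entries are (user, post_timestamp, comment_text). The closest valid guess
    wins; equally close guesses are decided by the oldest timestamp."""
    best = None  # ((distance, timestamp), user)
    for user, ts, text in entries:
        n = parse_guess(text)
        if n is None:
            continue
        key = (abs(n - secret_number), ts)
        if best is None or key < best[0]:
            best = (key, user)
    return best[1] if best else None


# Constructed sample entries, not the real thread.
SAMPLE_ENTRIES = [
    ("alice", 1000, "x0100x"),
    ("bob", 900, "x0102x"),
    ("carol", 500, "x412x"),   # missing leading zero: not a valid entry
    ("dave", 800, "x2001x"),   # out of range
]
```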
What is CtrXL?
A spreadsheet to track the value of your cryptocurrencies on exchanges, in cold storage and/or other locations. CtrXL can securely pull your balances from your exchange using read-only APIs or by manual entry in the sheet. Values are calculated in both BTC and fiat and can be saved automatically at a set time interval. The sheet comes with eye-candy dashboard elements that can be easily adjusted to your own preference.
Download (copy) the sheet
Documentation
Use Cases:
You have currencies on multiple exchanges or multiple accounts on one exchange
You manage cryptocurrency for others and want a single pane of glass
You have cryptos in 'other' locations, like cold storage, offline / hardware wallets or elsewhere (example: Ledger Nano)
You are looking for a sheet that is simple to understand and can be extended and/or customized
Functionality:
Live Balance Collectors using read-only API keys for the following exchanges:
TLDR; The site that has been running nice and quietly on TOR for 18 months. We thought today is a good day to make the url public outside of our group of amigos. PGP: 3DB6 FF02 6EBA 6AFF 63AF 2B6E DCE5 3FA2 EC58 63D8 Bitcoin: 18FNZPvYeWUNLmnS6bQyJSVXYPJ87cssMM TOR: http://xvultx4llltx7w2d.onion
Vultronix encrypted social network.
Introduce private mining (Senate) and public mining (House of Representatives) into the blockchain ecosystem
In my perception, proof-of-work mining is in place to finalize the transaction, and it is the most important piece of the blockchain ecosystem. If there is a counterpart in the real world, it would probably be the US Congress. Once the president has an idea, it needs to be passed by 51% of the congressmen; then it becomes legitimate law. It is fairly wise to let the majority of the people decide the future of the whole system; the president can only behave well. However, the Father predicted that the small states' interests would be jeopardized, as they have less population. Say California and Alaska play a game according to their population: Alaska will never defeat California. That is probably the situation in the Bitcoin mining field: those giant players holding big computing capacity are taking advantage of the small-capacity players. 'Proof of Stake' was invented, but somehow it is not the perfect solution: what if it is hacked and yields something evil? So 'proof of work' is the right path. And the Father of the United States has inspired us for hundreds of years: split the Congress into Senate and House. The same concept in the mining domain would be to introduce private mining and public mining.
Private mining: something that needs to be done on specific nodes (Senate).
Public mining: something that could be done with computing resources alone (House of Representatives).
The detailed steps would be: the player initiates a transaction, which produces a proposal; the proposal is reworked on and produces a verdict (this is the private mining step); the verdict is sent to public mining, forming the blockchain.
Will demonstrate below:
Step 1: with the raw statement: \^jungu::821||70e94c78||1->[email protected]@b49febb3ab920878$$)
jungu is the player; 821||70e94c78||1 is the noteId: 821 is the symbol, 70e94c78 is the noteId, 1 is the quantity; 0x2e001 is the recipient of the note; b49febb3ab920878 is the checksum bit.
Step 2: Write the proposal based on the statement. Will get the proposal: [long hex proposal omitted]
Step 3: private mining (Senate confirms the transaction). Take in the proposal in step 1 and produce the verdict: [long hex verdict omitted]
Download the binary file ‘https://821.credit/verify3’. Verify the verdict with “./verify3 ‘verdict’”. Will get the raw statement \^jungu::821||70e94c78||1->[email protected]@b49febb3ab920878$$)
Can the Senate produce a verdict without a proposal? No, it can’t.
What if there is an invalid proposal sent to the Senate? It will be discarded and produce no verdict.
Step 4: public mining (House of Representatives confirms the transaction). Take the raw statement, proposal and verdict, and get the sha512 signature 279155dc685121e837f54a0c906de721958980f63be6a9756986b0c93a8c14f61b262f5cef6d09805ad5cf9d642ccb5935b19051227ec2513ff03b782596b26b. Append the above signature with a value that makes a sha512 signature starting with ‘3333333’. Yeah: found it. After spending 11 minutes, I found a value ‘0.07708886703295392’ that, together with 279155dc685121e837f54a0c906de721958980f63be6a9756986b0c93a8c14f61b262f5cef6d09805ad5cf9d642ccb5935b19051227ec2513ff03b782596b26b, produces the sha512 signature 333333305a00afeeff9a09c8e56d65dc59c3e98cc99c050f3c6d3f287c4ce680fb31ff3fa369ecd520b5f538b1af40f60a35d9fcb93f0946c5cd0796a4eb25c3.
Some amendments: the Senate can’t be only 1 member. The Senate will be divided into 3 cliques: ‘Clique3’, ‘Clique7’, and ‘Cliquef’. Each clique will have a bunch of members. Those cliques will have different algorithms to back the same transaction.
Say Clique3 logs the transaction via English, Clique7 logs the transaction via Chinese, and Cliquef logs the transaction via French. On an approved valid transaction, the Senate should speak unanimously: every member in every clique should agree on the transaction; otherwise the system would stop to analyze the issue. A possible case would be that one senator is compromised; the whole Senate should stop, get rid of that node, and replace it or introduce new ones. For productivity's sake, in the public mining phase a bunch of transactions is usually packed together and the mining job is done quite similarly to the Bitcoin mechanism. Somehow, in the private mining phase, a single transaction is settled by itself.
EDIT: I got it running finally. I'm not exactly sure what fixed it in the end, but thank you everyone for your help! I've successfully built and run Bitcoin XT and then Classic on my Raspberry Pi 2 in the past. I recently decided I wanted to switch to Bitcoin Unlimited but am having some problems. I've primarily followed this guide on raspnode.com for Bitcoin XT, but substituting the BU GitHub repository. When I run "make" I get this:
[email protected]:~/bin/BitcoinUnlimited $ make
Making all in src
make: Entering directory '/home/pi/bin/BitcoinUnlimited/src'
make: Entering directory '/home/pi/bin/BitcoinUnlimited/src'
  CXX      crypto/libbitcoinconsensus_la-hmac_sha512.lo
  CXX      crypto/libbitcoinconsensus_la-ripemd160.lo
  CXX      crypto/libbitcoinconsensus_la-sha1.lo
  CXX      crypto/libbitcoinconsensus_la-sha256.lo
  CXX      crypto/libbitcoinconsensus_la-sha512.lo
  CXX      primitives/libbitcoinconsensus_la-transaction.lo
  CXX      script/libbitcoinconsensus_la-bitcoinconsensus.lo
  CXX      script/libbitcoinconsensus_la-interpreter.lo
  CXX      script/libbitcoinconsensus_la-script.lo
  CXXLD    libbitcoinconsensus.la
  CXX      libbitcoin_server_a-init.o
  CXX      libbitcoin_server_a-merkleblock.o
  CXX      libbitcoin_server_a-miner.o
  CXX      libbitcoin_server_a-net.o
  CXX      libbitcoin_server_a-noui.o
  CXX      policy/libbitcoin_server_a-fees.o
  CXX      policy/libbitcoin_server_a-policy.o
  CXX      libbitcoin_server_a-pow.o
  CXX      libbitcoin_server_a-rest.o
  CXX      libbitcoin_server_a-rpcblockchain.o
  CXX      libbitcoin_server_a-rpcmining.o
  CXX      libbitcoin_server_a-rpcmisc.o
  CXX      libbitcoin_server_a-rpcnet.o
  CXX      libbitcoin_server_a-rpcrawtransaction.o
rpcrawtransaction.cpp: In function ‘UniValue sendrawtransaction(const UniValue&, bool)’:
rpcrawtransaction.cpp:837:37: error: ‘SyncWithWallets’ was not declared in this scope
     SyncWithWallets(tx, NULL);
                                     ^
At global scope:
cc1plus: warning: unrecognized command line option "-Wno-self-assign"
Makefile:4070: recipe for target 'libbitcoin_server_a-rpcrawtransaction.o' failed
make: *** [libbitcoin_server_a-rpcrawtransaction.o] Error 1
make: Leaving directory '/home/pi/bin/BitcoinUnlimited/src'
Makefile:7161: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
make: Leaving directory '/home/pi/bin/BitcoinUnlimited/src'
Makefile:638: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
Can anyone here help me figure this out? I know that some people have posted binaries, but I really would rather build from source than trust some random binaries online. I would appreciate any help. Thanks in advance!
I've been thinking about the best way to safely store the seed phrase of a hardware wallet - the piece of paper (or steel) has always seemed like a bit of a weak point to me. So I'd love a convenient way to be able to split my seed phrase into fragments using a 2-of-3 scheme. So I came up with a quick-and-dirty approach. Here are the sheets I prepared for this approach:
LibreOffice: https://www.dropbox.com/s/307cqbpgubsz4sb/fragmented-wallets.ods?dl=0
PDF: https://www.dropbox.com/s/bi5geew2i99e7bp/fragmented-wallets.pdf?dl=0
(The LibreOffice version is better because you can edit the wallet name on the sheet)
The idea is to split a 24-word seed phrase into three groups of 8 words - and write down a different pair of two of the groups on each backup fragment. Now, it's certainly not Shamir Secret Sharing, but it's easy to carry out with little risk of error and requires no software or offline computer to carry it out. By my calculations, the effort required to crack the wallet using a single backup fragment is roughly equivalent to (approximately one order of magnitude harder than) cracking the traditional Trezor recovery method: that is, even making some very generous assumptions, it would require an adversary with the resources to design and fabricate HMAC-SHA512 hashing chips of comparable speed to existing bitcoin double-SHA256 chips, and build a cluster the size of the entire bitcoin network, and it would still take years, unless the attacker is very, very lucky. So although it's not ideal, and not going to remain safe for ever.... Unless you have a lot of coins and some very powerful adversaries, it's probably good enough for a good few years :-) I'd be very interested in thoughts on this - particularly on whether I've correctly calculated the security of this approach. Note, this scheme is only plausibly safe for 24-word seeds. You should not attempt something similar for shorter seeds.
Analysis: The best fragment to steal is the one that contains the first two portions of ENT (which is fragment #2 using my sheets). This gives you 2×88 bits of ENT and leaves 80 bits unknown - so you need to test 2^80 ENT values. (One of the other two fragments will give you 88+80 bits of ENT plus the 8-bit checksum. This leaves you with 2^88 values to test, but one in 256 will fail the checksum, so it's still 2^80 values to feed to PBKDF2, but with slightly more work to get there.) Now, creating a seed from the phrase requires 2048 = 2^11 rounds of HMAC-SHA512 - so completely ignoring the cost of testing the resulting seeds, we have to do 2^91 rounds of HMAC-SHA512 to test every value, or 2^90 on average. Assuming a cracking cluster that can solve HMAC-SHA512 at the same rate that the entire Bitcoin network solves double-SHA256, it would take an average of 2^90/(6600*10^15)/(31*10^6) = 6 years to crack the seed from a single fragment. Thoughts?
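Added example (not the poster's or AsicVault's code) serving both the AsicVault FAQ's round-count argument above and this post's cost analysis: the standard BIP-39 PBKDF2-HMAC-SHA512 seed derivation, the count of entropy bits a stolen fragment leaves unknown under the three-group split described here, and the expected brute-force time using the post's own rate (6600*10^15 HMAC/s) and 31*10^6 seconds per year. The 1,000x round count is the FAQ's stated figure; the 24-word/8-word-group layout is the post's.

```python
import hashlib
import unicodedata
from typing import Iterable

BIP39_ROUNDS = 2048                      # PBKDF2 iteration count fixed by BIP-39
ASICVAULT_ROUNDS = BIP39_ROUNDS * 1000   # "exactly 1,000 times higher", per the FAQ
WORD_BITS, WORDS_PER_GROUP, ENT_BITS = 11, 8, 256  # 24 words = 256 ENT bits + 8 checksum bits


def bip39_seed(mnemonic: str, passphrase: str = "", rounds: int = BIP39_ROUNDS) -> bytes:
    """Standard BIP-39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    salt "mnemonic" + passphrase, 64-byte output. Raising `rounds` is what makes
    each candidate phrase more expensive to test."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, rounds, dklen=64)


def unknown_entropy_bits(known_groups: Iterable[int]) -> int:
    """ENT bits still unknown given which 8-word groups (0, 1, 2) a fragment reveals.
    Group 2 carries only 80 ENT bits; its last 8 bits are the checksum."""
    known = 0
    for g in known_groups:
        start = g * WORDS_PER_GROUP * WORD_BITS
        end = min(start + WORDS_PER_GROUP * WORD_BITS, ENT_BITS)
        known += max(0, end - start)
    return ENT_BITS - known


def expected_years_to_crack(unknown_bits: int, rounds: int = BIP39_ROUNDS,
                            hmac_per_second: float = 6600e15,
                            seconds_per_year: float = 31e6) -> float:
    """Average time to find the seed: half the candidate space, each candidate costing
    `rounds` HMAC-SHA512 evaluations (checking the derived keys is ignored, as in the post)."""
    hmac_evaluations = (2.0 ** unknown_bits) * rounds / 2
    return hmac_evaluations / hmac_per_second / seconds_per_year


def round_count_cost_ratio(unknown_bits: int = 80) -> float:
    """How much longer the same attack takes against the higher round count."""
    return expected_years_to_crack(unknown_bits, ASICVAULT_ROUNDS) / expected_years_to_crack(unknown_bits)
```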
Rolling UTXO set hashes | Pieter Wuille | May 15 2017
Pieter Wuille on May 15 2017: Hello all, I would like to discuss a way of computing a UTXO set hash that is very efficient to update, but does not support any compact proofs of existence or non-existence. Much has been written on the topic of various data structures and derived hashes for the UTXO/TXO set before (including Alan Reiner's trust-free lite nodes, Peter Todd's TXO MMR commitments, or Bram Cohen's TXO bitfield). They all provide interesting extra functionality or tradeoffs, but require invasive changes to the P2P protocol or how wallets work, or force nodes to maintain their database in a normative fashion. Instead, here I focus on an efficient hash that supports nothing but comparing two UTXO sets. However, it is not incompatible with any of those other approaches, so we can gain some of the advantages of a UTXO hash without adopting something that may be incompatible with future protocol enhancements.
Computing a hash of the UTXO set is easy when it does not need efficient updates, and when we can assume a fixed serialization with a normative ordering for the data in it - just serialize the whole thing and hash it. As different software or releases may use different database models for the UTXO set, a solution that is order-independent would seem preferable. This brings us to the problem of computing a hash of unordered data. Several approaches that accomplish this through incremental hashing have been suggested, including XHASH, AdHash, and MuHash. XHASH consists of first hashing all the set elements independently, and XORing all those hashes together. This is insecure, as Gaussian elimination can easily find a subset of random hashes that XOR to a given value. AdHash/MuHash are similar, except addition/multiplication modulo a large prime are used instead of XOR. Wagner showed that attacking XHASH or AdHash is an instance of a generalized birthday problem (called the k-sum problem in his paper, with unrestricted k), and gives an O(2^(2*sqrt(n-1))) algorithm to attack it (for n-bit hashes). As a result, AdHash with 256-bit hashes only has 31 bits of security. Thankfully, it has also been shown that the k-sum problem cannot be efficiently solved in groups in which the discrete logarithm problem is hard, as an efficient k-sum solver can be used to compute discrete logarithms. As a result, MuHash modulo a sufficiently large safe prime is provably secure under the DL assumption. Common guidelines on security parameters say that 3072-bit DL has about 128 bits of security. A final 256-bit hash can be applied to the 3072-bit result without loss of security to reduce the final size. An alternative to multiplication modulo a prime is using an elliptic curve group. Due to the ECDLP assumption, which the security of Bitcoin signatures already relies on, this also results in security against k-sum solving. This approach is used in the Elliptic Curve Multiset Hash (ECMH).
For this to work, we must "hash onto a curve point" in a way that results in points without known discrete logarithm. The paper suggests using (controversial) binary elliptic curves to make that operation efficient. If we only consider secp256k1, one approach is just reading potential X coordinates from a PRNG until one is found that has a corresponding Y coordinate according to the curve equation. On average, 2 iterations are needed. A constant time algorithm to hash onto the curve exists as well, but it is only slightly faster and is much more complicated to implement. AdHash-like constructions with a sufficiently large intermediate hash can also be made secure against Wagner's algorithm; 4160-bit hashes would be needed for 128 bits of security. When repetition is allowed, a stronger attack against AdHash exists, suggesting that as much as 400000 bits are needed. While repetition is not directly an issue for our use case, it would be nice if verification software would not be required to check for duplicated entries.
Efficient addition and deletion
Interestingly, both ECMH and MuHash not only support adding set elements in any order but also deleting in any order. As a result, we can simply maintain a running sum for the UTXO set as a whole, and add/subtract when creating/spending an output in it. In the case of MuHash it is slightly more complicated, as computing an inverse is relatively expensive. This can be solved by representing the running value as a fraction, and multiplying created elements into the numerator and spent elements into the denominator. Only when the final hash is desired, a single modular inverse and multiplication is needed to combine the two. As the update operations are also associative, H(a)+H(b)+H(c)+H(d) can in fact be computed as (H(a)+H(b)) + (H(c)+H(d)). This implies that all of this is perfectly parallelizable: each thread can process an arbitrary subset of the update operations, allowing them to be efficiently combined later.
Comparison of approaches
Numbers below are based on preliminary benchmarks on a single thread of an i7-6820HQ CPU running at 3.4GHz.

(1) (MuHash) Multiplying 3072-bit hashes mod 2^3072 - 1103717 (the largest 3072-bit safe prime).
* Needs a fast modular multiplication/inverse implementation.
* Using SHA512 + ChaCha20 for generating the hashes takes 1.2us per element.
* Modular multiplication using GMP takes 1.5us per element (2.5us with a 60-line C+asm implementation).
* 768 bytes for maintaining a running sum (384 for numerator, 384 for denominator).
* Very common security assumption. Even if the DL assumption would be broken (but no k-sum algorithm faster than Wagner's is found), this still maintains 110 bits of security.

(2) (ECMH) Adding secp256k1 EC points
* Much more complicated than the previous approaches when implementing from scratch, but almost no extra complexity when ECDSA secp256k1 signature validation is already implemented.
* Using SHA512 + libsecp256k1's point decompression for generating the points takes 11us per element on average.
* Addition/subtracting of N points takes 5.25us + 0.25us*N.
* 64 bytes for a running sum.
* Identical security assumption as Bitcoin's signatures.
Using the numbers above, we find that:
* Computing the hash from just the UTXO set takes (1) 2m15s (2) 9m20s
* Processing all creations and spends in an average block takes (1) 24ms (2) 100ms
* Processing precomputed per-transaction aggregates in an average block takes (1) 3ms (2) 0.5ms

Note that while (2) has higher CPU usage than (1) in general, it has lower latency when using precomputed per-transaction aggregates. Using such aggregates is also more feasible as they're only 64 bytes rather than 768. Because of simplicity, (1) has my preference. Overall, these numbers are sufficiently low (note that they can be parallelized) that it would be reasonable for full nodes and/or other software to always maintain one of them, and effectively have a rolling cryptographic checksum of the UTXO set at all times.
* Replacement for Bitcoin Core's gettxoutsetinfo RPC's hash computation. This currently requires minutes of I/O and CPU, as it serializes and hashes the entire UTXO set. A rolling set hash would make this instant, making the whole RPC much more usable for sanity checking.
* Assisting in implementation of fast sync methods with known good
* Database consistency checking: by remembering the UTXO set hash of
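The MuHash construction from the "Efficient addition and deletion" section above, as an added example that is not Pieter Wuille's code: a running numerator/denominator mod the post's prime 2^3072 - 1103717, order-independent insert and remove, a single inverse at digest time, and combination of two partial accumulators. The post expands SHA512 with ChaCha20 to get a 3072-bit element; ChaCha20 is not in Python's standard library, so this example uses SHA-512 in counter mode instead (an assumption, not the post's construction), and the UTXO serialization and sample outputs are constructed.

```python
import hashlib

P = 2 ** 3072 - 1103717   # largest 3072-bit safe prime, as stated in the post
GROUP_BYTES = 384         # 3072 bits


def hash_to_group(element: bytes) -> int:
    """Map a serialized set element to a pseudo-random element of Z_P^*.
    Stand-in expander: SHA-512 of the element, then SHA-512 in counter mode
    (the post uses SHA512 + ChaCha20 here)."""
    seed = hashlib.sha512(element).digest()
    stream = b"".join(hashlib.sha512(seed + i.to_bytes(4, "little")).digest()
                      for i in range(GROUP_BYTES // 64))
    x = int.from_bytes(stream, "little") % P
    return x if x else 1  # 0 has no inverse; remap it (probability ~2^-3072)


class MuHash3072:
    """Order-independent rolling hash: product of element hashes mod P.
    Spent elements are multiplied into the denominator rather than inverted
    immediately, so only one modular inverse is paid per digest."""

    def __init__(self, numerator: int = 1, denominator: int = 1):
        self.num = numerator
        self.den = denominator

    def insert(self, element: bytes) -> None:
        self.num = self.num * hash_to_group(element) % P

    def remove(self, element: bytes) -> None:
        self.den = self.den * hash_to_group(element) % P

    def combine(self, other: "MuHash3072") -> "MuHash3072":
        """Merge two accumulators built over disjoint update streams (e.g. two threads)."""
        return MuHash3072(self.num * other.num % P, self.den * other.den % P)

    def digest(self) -> str:
        """Final 256-bit hash of the 3072-bit result, as the post suggests."""
        value = self.num * pow(self.den, -1, P) % P
        return hashlib.sha256(value.to_bytes(GROUP_BYTES, "little")).hexdigest()


def serialize_utxo(txid_hex: str, vout: int, amount_sats: int, script_hex: str) -> bytes:
    """Simple canonical encoding of one output (constructed for this example)."""
    script = bytes.fromhex(script_hex)
    return (bytes.fromhex(txid_hex) + vout.to_bytes(4, "little")
            + amount_sats.to_bytes(8, "little") + len(script).to_bytes(1, "little") + script)


# Constructed sample UTXOs, not real chain data.
UTXOS = [
    serialize_utxo("aa" * 32, 0, 50_000, "76a914" + "11" * 20 + "88ac"),
    serialize_utxo("bb" * 32, 1, 1_200, "0014" + "22" * 20),
    serialize_utxo("cc" * 32, 0, 999_999, "a914" + "33" * 20 + "87"),
]


def set_hash(utxos) -> str:
    """Hash a whole set from scratch (the slow path the rolling hash replaces)."""
    acc = MuHash3072()
    for u in utxos:
        acc.insert(u)
    return acc.digest()


def rolling_update_matches_recompute() -> bool:
    """Spend UTXOS[1] via the denominator; the result must equal a fresh hash of the rest."""
    acc = MuHash3072()
    for u in UTXOS:
        acc.insert(u)
    acc.remove(UTXOS[1])
    return acc.digest() == set_hash([UTXOS[0], UTXOS[2]])


def parallel_combine_matches() -> bool:
    """Two partial accumulators over disjoint subsets combine to the full-set hash."""
    a = MuHash3072()
    a.insert(UTXOS[0])
    a.insert(UTXOS[1])
    b = MuHash3072()
    b.insert(UTXOS[2])
    return a.combine(b).digest() == set_hash(UTXOS)
```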
New BIP: Dealing with OP_IF and OP_NOTIF malleability in P2WSH | Johnson Lau | Aug 16 2016
Johnson Lau on Aug 16 2016:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

A new BIP is prepared to deal with OP_IF and OP_NOTIF malleability in P2WSH:
https://github.com/jl2012/bips/blob/minimalif/bip-minimalif.mediawiki
https://github.com/bitcoin/bitcoin/pull/8526

BIP: x
Title: Dealing with OP_IF and OP_NOTIF malleability in P2WSH
Author: Johnson Lau
Status: Draft
Type: Standards Track
Created: 2016-08-17

Abstract
This document specifies proposed changes to the Bitcoin script validity rules in order to make transaction malleability related to OP_IF and OP_NOTIF impossible in pay-to-witness-script-hash (P2WSH) scripts.

Motivation
OP_IF and OP_NOTIF are flow control codes in the Bitcoin script system. The programme flow is decided by whether the top stack value is True or False. However, this behaviour opens a source of malleability as a third party may replace a True (False) stack item with any other True (False) value without invalidating the transaction. The proposed rules apply only to pay-to-witness-script-hash (P2WSH) scripts described in BIP141, which has not been activated on the Bitcoin mainnet as of writing. To ensure OP_IF and OP_NOTIF transactions created before the introduction of this BIP will still be accepted by the network, the new rules are not applied to non-segregated witness scripts.

Specification
In P2WSH, the argument for OP_IF and OP_NOTIF MUST be exactly an empty vector or 0x01, or the script evaluation fails immediately. This is deployed using BIP9 after segregated witness (BIP141) is activated. Details TBD.

Compatibility
This is a softfork on top of BIP141. The rules are enforced as a relay policy by the reference client since the first release of BIP141 (v0.13.1). To avoid risks of fund loss, users MUST NOT create P2WSH scripts that are incompatible with this BIP. An OP_0NOTEQUAL may be used before OP_IF or OP_NOTIF to imitate the original behaviour (which may also re-enable the malleability vector depending on the exact script).
Implementation
https://github.com/bitcoin/bitcoin/pull/8526

Copyright
This work is placed in the public domain.

original: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-August/013014.html
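The rule in the Specification above, as an added example that is not the BIP's or Bitcoin Core's code: legacy script truthiness (any non-zero item is True, except negative zero) beside the P2WSH minimal-encoding check, showing which alternative encodings of True the legacy rule accepts and the new rule rejects. The opcode-argument evaluation helper and the candidate list are constructed for illustration.

```python
from typing import List, Optional, Tuple


def cast_to_bool(item: bytes) -> bool:
    """Legacy Bitcoin script truthiness: an item is True if any byte is non-zero,
    except "negative zero" (all zero bytes with only the sign bit 0x80 set in the
    last byte), which is False. Many different byte strings are therefore True."""
    for i, b in enumerate(item):
        if b != 0:
            return not (i == len(item) - 1 and b == 0x80)
    return False


def minimalif_ok(item: bytes) -> bool:
    """The proposed P2WSH rule: the OP_IF/OP_NOTIF argument MUST be exactly an
    empty vector (False) or the single byte 0x01 (True)."""
    return item in (b"", b"\x01")


def eval_if_argument(item: bytes, p2wsh: bool) -> Tuple[bool, Optional[bool]]:
    """Return (script_failed, branch_condition) for the item consumed by OP_IF.
    Under the new P2WSH rule a non-minimal encoding fails the script immediately
    instead of being coerced to a boolean; legacy scripts keep the old behaviour."""
    if p2wsh and not minimalif_ok(item):
        return True, None
    return False, cast_to_bool(item)


def legacy_true_encodings(candidates: List[bytes]) -> List[bytes]:
    """Encodings other than 0x01 that legacy rules also treat as True: each one is a
    substitution a third party could make without invalidating a legacy script,
    which is exactly the malleability the minimal-encoding rule removes."""
    return [c for c in candidates if cast_to_bool(c) and c != b"\x01"]


# Constructed candidate stack items.
CANDIDATES = [b"", b"\x01", b"\x02", b"\x00\x01", b"\x01\x00", b"\x80", b"\x00\x80", b"\xff"]
```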
BIP: Using Median time-past as endpoint for locktime calculations | Thomas Kerin | Aug 18 2015
Thomas Kerin on Aug 18 2015:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi all,

In collaboration with Mark Friedenbach, we have drawn up a proposal for using the median time of the past 11 blocks in locktime calculations.

BIP: XX
Title: Median time-past as endpoint for lock-time calculations
Author: Thomas Kerin <me at thomaskerin.io>
        Mark Friedenbach <mark at friedenbach.org>
Status: Draft
Type: Standards Track
Created: 2015-08-10

==Abstract==

This BIP is a proposal to redefine the semantics used in determining a time-locked transaction's eligibility for inclusion in a block. The median of the last 11 blocks is used instead of the block's timestamp, ensuring that it increases monotonically with each block.

==Motivation==

At present, transactions are excluded from inclusion in a block if the present time or block height is less than or equal to that specified in the locktime. Since the consensus rules do not mandate strict ordering of block timestamps, this has the unfortunate outcome of creating a perverse incentive for miners to lie about the time of their blocks in order to collect more fees by including transactions that by wall clock determination have not yet matured.

This BIP proposes comparing the locktime against the median of the past 11 blocks' timestamps, rather than the timestamp of the block including the transaction. Existing consensus rules guarantee this value to monotonically advance, thereby removing the capability for miners to claim more transaction fees by lying about the timestamps of their block.

This proposal seeks to ensure reliable behaviour in locktime calculations as required by BIP65, BIP68, and BIPXX (OP_CHECKSEQUENCEVERIFY).

==Specification==

The values for transaction locktime remain unchanged. The difference is only in the calculation determining whether a transaction can be included. Instead of an unreliable timestamp, the following function is used to determine the current block time for the purpose of checking lock-time constraints:

Lock-time constraints are checked by the consensus method IsFinalTx(), or LockTime() under BIP68. These methods take the block time as one parameter. This BIP proposes that after activation calls to IsFinalTx() or LockTime() within consensus code use the return value of GetMedianTimePast(pindexPrev) instead.

A reference implementation of this proposal is provided in the following git repository:

https://github.com/maaku/bitcoin/tree/medianpasttimelock

==Deployment==

We reuse the double-threshold switchover mechanism from BIPs 34 and 66, with the same thresholds, but for block.nVersion = 4. The new rules are in effect for every block (at height H) with nVersion = 4 and at least 750 out of 1000 blocks preceding it (with heights H-1000...H-1) also have nVersion = 4. Furthermore, when 950 out of the 1000 blocks preceding a block do have nVersion = 4, nVersion = 3 blocks become invalid, and all further blocks enforce the new rules.

It is recommended that this soft-fork deployment trigger include other related proposals for improving Bitcoin's lock-time capabilities, such as BIP 65, BIP68 and CHECKSEQUENCEVERIFY.

==Acknowledgements==

Mark Friedenbach for designing and authoring the reference implementation of this BIP. Thomas Kerin authored this BIP document.

==Compatibility==

Transactions generated using time-based lock-time will take approximately an hour longer to confirm than would be expected under the old rules. This is not known to introduce any compatibility concerns with existing protocols.

==References==

[https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki BIP65: OP_CHECKLOCKTIMEVERIFY]
[https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki BIP68: Consensus-enforced transaction replacement signaled via sequence numbers]
[https://github.com/bitcoin/bips/blob/master/bip-00.mediawiki BIPXX: CHECKSEQUENCEVERIFY]

==Copyright==

This document is placed in the public domain.

My PGP key can be found here: <https://thomaskerin.io/me.pub.asc>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJV0oi8AAoJEAiDZR291eTl2soP/1MOjgQDncoUdMptqfeqMLfU
ewENNPLQwXXje7PFn/gIVa+Ghxu+f9rrRHt6v8Udd4wsnDTqhz2gV6dKCyF0K4IS
seLTH2kyTfPGm1KOp6WSwvxoyc5iWLBH4wkSm4oI9WmXkLzDq0yEYUDE8t9yNYwf
0Fgrg1KPIP4bhoxWchEa237rrH/qTh0Zdxdj/N0YCrX9u4fBy+xoTM6gnt0bFCK2
SaGXvC8PsA23gkJjjwFnWh/JU0Q5BJTElUsq1re3gmwcnLNKyB5cx0bFephk2pFd
NC3rqEIIVPd7aLs+lWmD4/NXdm+VtUEQo3MmQ1YW5zwjeoJxZhfMfXwmQw3vw2f7
FSyExUXNNwh2lMoLCcWvWWEOKYaSV9iLX4TacvpbOSDQgz3rDl3iqeLmSgp3S8M3
Se1S9AzilJsT0jIe2Ob2hu/gXEXeBmI9k2kRJELSaIFgCWadUky63NwNNfRipiBq
USroBIym2dpXFLygcwgwf6F/yAYYg6/5QiUKclhqvxArxVEcijw18SHGZVYpW83S
Q0mzJnRVGF7yscJl84zHyAj5QMWoMFgKSqFbOLcmNDUPLoaFJxAGezGCLXNaHinA
LY5Qp0t0Vg4hXi6QcCiWv2U8E1K4oN5VZNSlagUyXsAHd3c4icZTVj+TTWKJ7GLB
Gmbe3i9G90rpgDbHWXFq
=EQdY
-----END PGP SIGNATURE-----

original: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-August/010348.html
Status: Draft
Type: Standards Track
Created: 2016-08-16

Abstract

This document specifies proposed changes to the Bitcoin transaction validity rules to restrict signatures to using low S values.

Motivation

ECDSA signatures are inherently malleable as taking the negative of the number S inside (modulo the curve order) does not invalidate it. This is a nuisance malleability vector as any relay node on the network may transform the signature, with no access to the relevant private keys required. For non-segregated witness transactions, this malleability will change the txid and invalidate any unconfirmed child transactions. Although the txid of segregated witness (BIP141) transactions is not third party malleable, this malleability vector will change the wtxid and may reduce the efficiency of compact block relay (BIP152).

To fix this malleability, we require that the S value inside ECDSA signatures is at most the curve order divided by 2 (essentially restricting this value to its lower half range). The value S in signatures must be between 0x1 and 0x7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 5D576E73 57A4501D DFE92F46 681B20A0 (inclusive). If S is too high, simply replace it by S' = 0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141 - S.

Specification

Every signature passed to OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG, or OP_CHECKMULTISIGVERIFY, to which ECDSA verification is applied, MUST use an S value between 0x1 and 0x7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 5D576E73 57A4501D DFE92F46 681B20A0 (inclusive) with strict DER encoding (see BIP66).

These operators all perform ECDSA verifications on pubkey/signature pairs, iterating from the top of the stack backwards. For each such verification, if the signature does not pass the IsLowDERSignature check, the entire script evaluates to false immediately.

If the signature is valid DER with low S value, but does not pass ECDSA verification, opcode execution continues as it used to, causing opcode execution to stop and push false on the stack (but not immediately fail the script) in some cases, which potentially skips further signatures (and thus does not subject them to IsLowDERSignature).

Deployment

This BIP will be deployed by "version bits" BIP9 using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1.

For Bitcoin mainnet, the BIP9 starttime will be midnight TBD UTC (Epoch timestamp TBD) and BIP9 timeout will be midnight TBD UTC (Epoch timestamp TBD).

For Bitcoin testnet, the BIP9 starttime will be midnight 1 May 2016 UTC (Epoch timestamp 1462060800) and BIP9 timeout will be midnight 1 May 2017 UTC (Epoch timestamp 1493596800).

Compatibility

The reference client has produced compatible signatures since v0.9.0, and the requirement to have low S value signatures has been enforced as a relay policy by the reference client since v0.11.1. As of August 2016, very few transactions violating the requirement are being added to the chain. In addition, every non-compliant signature can trivially be converted into a compliant one, so there is no loss of functionality by this requirement. This proposal has the added benefit of reducing transaction malleability.

Implementation

An implementation for the reference client is available at https://github.com/bitcoin/bitcoin/pull/8514

Acknowledgements

This document is extracted from the previous BIP62 proposal which had input from various people.

Copyright

This document is placed in the public domain.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQGcBAEBCgAGBQJXsuZLAAoJEO6eVSA0viTSBkIL/RxdKYhfQUcXhWf3wPzJ2rSo
bhxoGOoswf5Npx1ybKvvTRf51IirgO9JkEl8hYfzLr9KSbfTxCKlr2Z/S+snFGDi
Q0bvVPcg8uoK1iBMrFmIqCi/0pW3/lnnpgqt+O5Jup+DfK4S1QbSVNff8uP7ZK9x
NcgXekAbad57JfZ7gki9aERRj4THliTFBlaKkWo4CP+AwCgtKP6BwWvJxnfGpCc5
Esb/7aFvB0OwTWC7bPdS/XSCChxEdK9n5U3LaUH5o1oMQQhaGVHqeR76Wuf2oDvY
YsXX0b1gttpSJhz00ifOhMf7PhFzQuNyI6gM6ee7kMXwHMlrmyvROQh009cUzKeZ
5m7QKiondMsCoyz0zYXncF/MlwoyI7y1M5pQEqF/CHI5yZGu2K3EeDQebEHDzIrd
RyI6j5BbjLQ4w+geswaxzRSJfkoaKTHdh8g49HL7Q7FUj551jExKA8ZM50SbfeRi
T4fAN8BTXWVpfHkeDYdM2fesaqmFuN9wg18/xwTWJA==
=GgxI
-----END PGP SIGNATURE-----

original: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-August/013006.html
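An added worked example of the rule above, written by the editor rather than taken from the BIP or from Bitcoin Core's IsLowDERSignature: a strict DER round-trip for (r, s), the low-S range check, and the S' = n - S replacement, using the two constants quoted in the BIP. The r and s sample values are constructed, and the trailing sighash-type byte that Bitcoin appends to script signatures is left out, so the functions operate on the bare DER structure.

```python
from typing import Tuple

# secp256k1 group order n and the low-S bound n // 2, both as quoted in the BIP.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0


def _der_int(x: int) -> bytes:
    """Minimal DER INTEGER for a non-negative integer: a 0x00 prefix is added
    only when the top bit is set, so the value cannot be read as negative."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + bytes([len(raw)]) + raw


def der_encode_sig(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } (short-form lengths suffice for 256-bit values)."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def der_decode_sig(sig: bytes) -> Tuple[int, int]:
    """Parse the SEQUENCE with the structural checks a strict (BIP66-style)
    parser makes: exact lengths, no negative or non-minimal integers, nothing
    trailing. Raises ValueError on any violation."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE header")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        ln = sig[pos + 1]
        chunk = sig[pos + 2:pos + 2 + ln]
        if ln == 0 or len(chunk) != ln:
            raise ValueError("bad INTEGER length")
        if chunk[0] & 0x80:
            raise ValueError("negative INTEGER")
        if ln > 1 and chunk[0] == 0x00 and not (chunk[1] & 0x80):
            raise ValueError("non-minimal INTEGER")
        values.append(int.from_bytes(chunk, "big"))
        pos += 2 + ln
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    return values[0], values[1]


def is_low_s(s: int) -> bool:
    """The BIP's range: 0x1 <= S <= n // 2 (inclusive)."""
    return 1 <= s <= HALF_N


def is_low_der_signature(sig: bytes) -> bool:
    """Combined check: strict DER and low S. False on either failure."""
    try:
        _, s = der_decode_sig(sig)
    except ValueError:
        return False
    return is_low_s(s)


def normalize_low_s(sig: bytes) -> bytes:
    """The equivalent signature with low S: replace S by n - S when it lies in
    the upper half. An S outside (0, n) is not a valid signature at all and
    cannot be repaired this way."""
    r, s = der_decode_sig(sig)
    if not 0 < s < SECP256K1_N:
        raise ValueError("S out of range for the curve order")
    if not is_low_s(s):
        s = SECP256K1_N - s
    return der_encode_sig(r, s)


# Constructed values: a 32-byte r and a deliberately high S, not a real signature.
R_SAMPLE = int.from_bytes(bytes(range(1, 33)), "big")
S_HIGH = SECP256K1_N - 5
SIG_HIGH = der_encode_sig(R_SAMPLE, S_HIGH)

if __name__ == "__main__":
    print("high-S signature accepted:", is_low_der_signature(SIG_HIGH))
    print("after normalisation:      ", is_low_der_signature(normalize_low_s(SIG_HIGH)))
```

Note that normalisation only ever shortens the S encoding (a high S needs a 0x00 pad byte that the low counterpart does not), which is why the relay policy the BIP mentions costs nothing in functionality.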
Damian Gomez on May 08 2015:

Well zombie txns aside, I expect this to be resolved w/ a client side implementation using a Merkle-Winternitz OTS in order to prevent the loss of fee structure through the implementation of this security hash that will allow for a one-way transaction to continue, according to the TESLA protocol. We can then tally what is needed to compute the number of bits designated for the completion of the client-side signature if discussing the constructions of a DH key (instead of the BIP X509 protocol)

On Fri, May 8, 2015 at 2:08 PM, < bitcoin-development-request at lists.sourceforge.net> wrote:

---------- Forwarded message ----------
From: Mark Friedenbach <mark at friedenbach.org>
To: Raystonn <raystonn at hotmail.com>
Cc: Bitcoin Development <bitcoin-development at lists.sourceforge.net>
Date: Fri, 8 May 2015 13:55:30 -0700
Subject: Re: [Bitcoin-development] Block Size Increase

The problems with that are larger than time being unreliable. It is no longer reorg-safe as transactions can expire in the course of a reorg and any transaction built on the now expired transaction is invalidated.

On Fri, May 8, 2015 at 1:51 PM, Raystonn <raystonn at hotmail.com> wrote:

Replace by fee is what I was referencing. End-users interpret the old transaction as expired. Hence the nomenclature. An alternative is a new feature that operates in the reverse of time lock, expiring a transaction after a specific time. But time is a bit unreliable in the blockchain

---------- Forwarded message ----------
From: Douglas Roark <doug at bitcoinarmory.com>
To: Bitcoin Dev <bitcoin-development at lists.sourceforge.net>
Cc:
Date: Fri, 8 May 2015 15:27:26 -0400
Subject: [Bitcoin-development] Softfork signaling improvements

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello. I've seen Greg make a couple of posts online (https://bitcointalk.org/index.php?topic=1033396.msg11155302#msg11155302 is one such example) where he has mentioned that Pieter has a new proposal for allowing multiple softforks to be deployed at the same time. As discussed in the thread I linked, the idea seems simple enough. Still, I'm curious if the actual proposal has been posted anywhere. I spent a few minutes searching the usual suspects (this mailing list, Reddit, Bitcointalk, IRC logs, BIPs) and can't find anything.

Thanks.

Douglas Roark
Senior Developer
Armory Technologies, Inc.
doug at bitcoinarmory.com
PGP key ID: 92ADC0D7

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVTQ4eAAoJEGybVGGSrcDX8eMQAOQiDA7an+qZBqDfVIwEzY2C
SxOVxswwxAyTtZNM/Nm+8MTq77hF8+3j/C3bUbDW6wCu4QxBYA/uiCGTf44dj6WX
7aiXg1o9C4LfPcuUngcMI0H5ixOUxnbqUdmpNdoIvy4did2dVs9fAmOPEoSVUm72
6dMLGrtlPN0jcLX6pJd12Dy3laKxd0AP72wi6SivH6i8v8rLb940EuBS3hIkuZG0
vnR5MXMIEd0rkWesr8hn6oTs/k8t4zgts7cgIrA7rU3wJq0qaHBa8uASUxwHKDjD
KmDwaigvOGN6XqitqokCUlqjoxvwpimCjb3Uv5Pkxn8+dwue9F/IggRXUSuifJRn
UEZT2F8fwhiluldz3sRaNtLOpCoKfPC+YYv7kvGySgqagtNJFHoFhbeQM0S3yjRn
Ceh1xK9sOjrxw/my0jwpjJkqlhvQtVG15OsNWDzZ+eWa56kghnSgLkFO+T4G6IxB
EUOcAYjJkLbg5ssjgyhvDOvGqft+2e4MNlB01e1ZQr4whQH4TdRkd66A4WDNB+0g
LBqVhAc2C8L3g046mhZmC33SuOSxxm8shlxZvYLHU2HrnUFg9NkkXi1Ub7agMSck
TTkLbMx17AvOXkKH0v1L20kWoWAp9LfRGdD+qnY8svJkaUuVtgDurpcwEk40WwEZ
caYBw+8bdLpKZwqbA1DL
=ayhE
-----END PGP SIGNATURE-----

---------- Forwarded message ----------
From: Mark Friedenbach <mark at friedenbach.org>
To: "Raystonn ." <raystonn at hotmail.com>
Cc: Bitcoin Development <bitcoin-development at lists.sourceforge.net>
Date: Fri, 8 May 2015 13:40:50 -0700
Subject: Re: [Bitcoin-development] Block Size Increase

Transactions don't expire. But if the wallet is online, it can periodically choose to release an already created transaction with a higher fee. This requires replace-by-fee to be sufficiently deployed, however.

On Fri, May 8, 2015 at 1:38 PM, Raystonn . <raystonn at hotmail.com> wrote:

I have a proposal for wallets such as yours. How about creating all transactions with an expiration time starting with a low fee, then replacing with new transactions that have a higher fee as time passes. Users can pick the fee curve they desire based on the transaction priority they want to advertise to the network. Users set the priority in the wallet, and the wallet software translates it to a specific fee curve used in the series of expiring transactions. In this manner, transactions are never left hanging for days, and probably not even for hours.

-Raystonn

On 8 May 2015 1:17 pm, Aaron Voisine <voisine at gmail.com> wrote:

As the author of a popular SPV wallet, I wanted to weigh in, in support of Gavin's 20Mb block proposal. The best argument I've heard against raising the limit is that we need fee pressure. I agree that fee pressure is the right way to economize on scarce resources. Placing hard limits on block size however is an incredibly disruptive way to go about this, and will severely negatively impact users' experience.

When users pay too low a fee, they should:

1) See immediate failure as they do now with fees that fail to propagate.
2) If the fee is lower than it should be but not terminal, they should see degraded performance, long delays in confirmation, but eventual success. This will encourage them to pay higher fees in future.

The worst of all worlds would be to have transactions propagate, hang in limbo for days, and then fail. This is the most important scenario to avoid. Increasing the 1Mb block size limit I think is the simplest way to avoid this least desirable scenario for the immediate future. We can play around with improved transaction selection for blocks and encourage miners to adopt it to discourage low fees and create fee pressure. These could involve hybrid priority/fee selection so low fee transactions see degraded performance instead of failure. This would be the conservative low risk approach.

Aaron Voisine
co-founder and CEO
breadwallet.com

Bitcoin-development mailing list
Bitcoin-development at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

---------- Forwarded message ----------
From: Damian Gomez <dgomez1092 at gmail.com>
To: bitcoin-development at lists.sourceforge.net
Cc:
Date: Fri, 8 May 2015 14:04:10 -0700
Subject: Re: [Bitcoin-development] Block Size Increase (Raystonn)

Hello,

I was reading some of the thread but can't say I read the entire thing. I think that it is realistic to consider a block size of 20MB for any block txn to occur. This is an enormous amount of data (relatively for a network) in which the average rate of 10tps over 10 minutes would allow for feasible transformation of data at this current point in time. Though I do not see what extra hash information would be stored in the overall ecosystem as we begin to describe what the scripts that are attached to the blockchain would carry, I'd therefore think that for the remainder of this year that it is possible to have a block chain within 200 - 300 bytes that is more characteristic of some feasible attempts at attaching nuanced data in order to keep prolific the blockchain but have these identifiers be integral OPSig of the entire block. The reasoning behind this has to do with encryption standards that can be added to a chain such as the DH algorithm keys that would allow for a higher integrity level within the system as it is. Currently the protocol only controls for the amount of transactions through its TxnOut script and the public key coming from the location of the proof-of-work. From this then I think that a rate of higher than the current standard of 92bytes allows for GPUs ie CUDA to perform its standard operations of 1216 flops in order to mechanize a new personal identity within the chain that also attaches an encrypted instance of a further categorical variable that we can prescribe to it. I think with the current BIP7 protocol for transactions there is an area of vulnerability for man-in-the-middle attacks upon request of bitcoin to any merchant as is. It would contradict the security of the bitcoin if it was intercepted and not allowed to reach the payment network or if the hash was reversed in order to change the value it had.

Therefore the current best fit block size today is between 200 - 300 bytes (depending on how excited we get)

Thanks for letting me join the conversation I welcome any challenges and will reply with more research as I figure out what problems are revealed in my current formation of thoughts (sorry for the errors but I am just trying to move forward - THE DELETE KEY LITERALLY PREVENTS IT )

_Damian

---------- Forwarded message ----------
From: Raystonn <raystonn at hotmail.com>
To: Mark Friedenbach <mark at friedenbach.org>
Cc: Bitcoin Development <bitcoin-development at lists.sourceforge.net>
Date: Fri, 8 May 2015 14:01:28 -0700
Subject: Re: [Bitcoin-development] Block Size Increase

Replace by fee is the better approach. It will ultimately replace zombie transactions (due to insufficient fee) with potentially much higher fees as the feature takes hold in wallets throughout the network, and fee competition increases. However, this does not fix the problem of low tps. In fact, as blocks fill it could make the problem worse. This feature means more transactions after all. So I would expect huge fee spikes, or a return to zombie transactions if fee caps are implemented by wallets.

-Raystonn

On 8 May 2015 1:55 pm, Mark Friedenbach <mark at friedenbach.org> wrote:

The problems with that are larger than time being unreliable. It is no longer reorg-safe as transactions can expire in the course of a reorg and any transaction built on the now expired transaction is invalidated.

On Fri, May 8, 2015 at 1:51 PM, Raystonn <raystonn at hotmail.com> wrote:

Replace by fee is what I was referencing. End-users interpret the old transaction as expired. Hence the nomenclature. An alternative is a new feature that operates in the reverse of time lock, expiring a transaction after a specific time. But time is a bit unreliable in the blockchain
Bitcoin Core 0.14.1 released | Wladimir J. van der Laan | Apr 22 2017
Wladimir J. van der Laan on Apr 22 2017:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Bitcoin Core version 0.14.1 is now available from:

https://bitcoin.org/bin/bitcoin-core-0.14.1/

Or, by torrent:

magnet:?xt=urn:btih:0482be8fc8e1c0b02162871e3591efc3d1d34585&dn=bitcoin-core-0.14.1&tr=udp%3A%2F%2Fpublic.popcorn-tracker.org%3A6969%2Fannounce&tr=http%3A%2F%2Fatrack.pow7.com%2Fannounce&tr=http%3A%2F%2Fbt.henbt.com%3A2710%2Fannounce&tr=http%3A%2F%2Fmgtracker.org%3A6969%2Fannounce&tr=http%3A%2F%2Fopen.touki.ru%2Fannounce.php&tr=http%3A%2F%2Fp4p.arenabg.ch%3A1337%2Fannounce&tr=http%3A%2F%2Fpow7.com%3A80%2Fannounce&tr=http%3A%2F%2Ftracker.dutchtracking.nl%3A80%2Fannounce

This is a new minor version release, including various bugfixes and performance improvements, as well as updated translations.

Please report bugs using the issue tracker at github:

https://github.com/bitcoin/bitcoin/issues

To receive security and update notifications, please subscribe to:

https://bitcoincore.org/en/list/announcements/join/

Compatibility

Bitcoin Core is extensively tested on multiple operating systems using the Linux kernel, macOS 10.8+, and Windows Vista and later.

Microsoft ended support for Windows XP on April 8th, 2014. No attempt is made to prevent installing or running the software on Windows XP, you can still do so at your own risk but be aware that there are known instabilities and issues. Please do not report issues about Windows XP to the issue tracker.

Bitcoin Core should also work on most other Unix-like systems but is not frequently tested on them.

Notable changes

RPC changes

- The first positional argument of createrawtransaction was renamed from transactions to inputs.
- The argument of disconnectnode was renamed from node to address.

These interface changes break compatibility with 0.14.0, when the named arguments functionality, introduced in 0.14.0, is used. Client software using these calls with named arguments needs to be updated.

Mining

In previous versions, getblocktemplate required segwit support from downstream clients/miners once the feature activated on the network. In this version, it now supports non-segwit clients even after activation, by removing all segwit transactions from the returned block template. This allows non-segwit miners to continue functioning correctly even after segwit has activated.

Due to the limitations in previous versions, getblocktemplate also recommended non-segwit clients to not signal for the segwit version-bit. Since this is no longer an issue, getblocktemplate now always recommends signalling segwit for all miners. This is safe because the ability to enforce the rule is the only required criteria for safe activation, not actually producing segwit-enabled blocks.

UTXO memory accounting

Memory usage for the UTXO cache is being calculated more accurately, so that the configured limit (-dbcache) will be respected when memory usage peaks during cache flushes. The memory accounting in prior releases is estimated to only account for half the actual peak utilization.

The default -dbcache has also been changed in this release to 450MiB. Users who currently set -dbcache to a high value (e.g. to keep the UTXO more fully cached in memory) should consider increasing this setting in order to achieve the same cache performance as prior releases. Users on low-memory systems (such as systems with 1GB or less) should consider specifying a lower value for this parameter.

Additional information relating to running on low-memory systems can be found here: reducing-bitcoind-memory-usage.md.

0.14.1 Change log

Detailed release notes follow. This overview includes changes that affect behavior, not code moves, refactors and string updates. For convenience in locating the code changes and accompanying discussion, both the pull request and git merge commit are mentioned.

RPC and other APIs

- #10084 142fbb2 Rename first named arg of createrawtransaction (MarcoFalke)
- #10139 f15268d Remove auth cookie on shutdown (practicalswift)
- #10146 2fea10a Better error handling for submitblock (rawodb, gmaxwell)
Variable Block Size Proposal | Justin M. Wray | Aug 29 2015
Justin M. Wray on Aug 29 2015:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hey Bitcoiners!

While I am an avid Bitcoin supporter, long-term user, and have done development work on tools and platforms surrounding Bitcoin, I have been very busy these past few weeks and haven't had a chance to fully (or closely) monitor the Block Size debate. I'm familiar with the basics, and have read abstracts about the front-running proposals (BIP 100, 101, and 102). Though I've honestly not read those in depth either.

With that said, I was driving the other day and thought of a potential idea. I'll be clear, this is just an idea, and I haven't fully fleshed it out. But I thought I'd throw it out there and see what people thought.

My Goal:

Provide a variable block size that provides for sustainable, long-term growth, and balances the block propagation, while also being mindful of potential spam attacks.

The Proposal:

Every 2016 blocks (approximately every two weeks, at the same time the difficulty is adjusted), the new block size parameters are calculated. The calculation determines the average (mean) size of the past 2016 blocks. This "average" size is then doubled (200%) and used as the maximum block size for the subsequent 2016 blocks. At any point, if the new maximum size is calculated to be below 1MB, 1MB is used instead (which prevents regression from our current state).

Introduce a block minimum, the minimum will be 25% of the current maximum, calculated at the same time (that is, every 2016 blocks, at the same time the maximum is calculated). All blocks must be at least this size in order to be valid, for blocks that do not have enough transactions to meet the 25%, padding will be used. This devalues the incentive to mine empty blocks in either an attempt to deflate the block size, or to obtain a propagation advantage. Miners will be incentivized to include transactions, as the block must meet the minimum. This should ensure that even miners wishing to always mine the minimum are still confirming Bitcoin transactions.

At the block in which this is introduced the maximum would stay at 1MB for the subsequent 2016 blocks. With the minimum being enforced of 256KB.

Example:

* Average Block Size for the last 2016 blocks: 724KB
* New Maximum: 1448KB
* New Minimum: 362KB

Example: (Regression Prevention)

* Average Block Size for the last 2016 blocks: 250KB
* New Maximum: 1MB
* New Minimum: 256KB

The Future:

I believe that the 1MB regression prevention might need to be changed in the future, to prevent a large mining population from continually deflating the block size (and keeping us at the 1MB limit). For this, the hard limit could be changed in the future manually, through a process similar to the current one, though hopefully with far less urgency and hysteria.

Another option is to add an additional calculation, preventing the new maximum from being lower than 75% of the current maximum. This would substantially slow down a block-size deflation attack.

Example of Block-Size Deflation Attack Prevention:

* Average Block Size for the last 2016 blocks: 4MB
* New Maximum: 8MB
* New Minimum: 2MB

* Average Block Size for the last 2016 blocks: 2MB
* New Maximum: 6MB (2 * 200% = 4, 4 < 75% of 8, So use 8 * .75 = 6)
* New Minimum: 1.5MB

This would provide a maximum growth of 200% per recalculation, but a maximum shrinkage of 75%.

Request For Comments:

I'd love to hear your thoughts. Why wouldn't this work? What portion is flawed? Will the miners support such a proposal? Would this even solve the block size issue?

I will note that I don't find the 100% and 25% to be hard and fast in my idea. Those were just the values that initially jumped out at me. I could easily see the minimum being anything below 50% (above 50% and the network can never adjust to smaller block sizes). I could also see the maximum being anything over 100%. Lastly, if an inflation attack is a valid concern, a hard upper limit could be set (or the historical 32MB limit could remain).

I think the great part about this variable approach is that the network can adjust to address spikes in volume and readjust once those spikes dissipate.

Thanks!

Justin M. Wray

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJV4UXvAAoJENo/Q5Xwcn83ZWEP/iXAlNk5p9OlOPNSoHkECcxe
AcartxMLrmOvAZVudU4+239TEvwPydmYX/ptmBYgrvRJfm/TWmi0ZbTioxbxTIWM
IlNta1Y8IOHOEgBCtSW01j1PFHIzkBHQGIuqrKHhjcNVGbegXlPm3Da0gjNuTBIe
IV58gf1OfYK2XjuCMQMvo3VyXUKhqbOvBNnZXr+Qo2sAtanmxHQ+TU/gjA02L9LO
bb8WqQDj/veGnMexGh/X58tfQ5KCfLO401F7KnConDaFdKVDikp32zaSXZ7JWf/K
OeseHW1OHHVdYpHvh5VG5GLtYYB5rnq8g7B0/kyx5n4ldB6GkLxzH9CPB0vxpMnZ
dVCS/+EUe/wkHrpRVNhMwP8XfG+8gv9upKg6H/u39XmpL2H2G4cKeot5xRiWRNqY
oJclAeIhDTL1bx/9e/VqvM91ESWpBLs+O8Mh9OzgfbN3gKR6BuoWHNwM9jSMDAT1
YzwdneSvAEFzgELMlae2QIzAUHno9qkHMkDVbdY3bBtSM9Xz4ditGgnq1D40ZZ+J
zx5WVY7HCebgbk7T35xgKzSKQSEG9zFNW5Dvq66Se3Zpc5vCPw7Q2xwjjPz3zdXQ
Lub0ohVWTzKr05tN1e/nu6keiY5cXRZ0w2MtHb19jtdWyoHEWWHanfOZjgbVSsuA
saFCydA7O4E4BFxgtNze
=JthX
-----END PGP SIGNATURE-----

original: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-August/010708.html
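The recalculation described in the proposal above, as an added example (the editor's code, not Justin Wray's): one function applies the 200% growth, the 1MB floor, the 25% minimum and the optional 75% shrink floor, and a short simulation shows what happens to the cap when a mining majority always mines exactly the minimum, which is the deflation scenario the post worries about. Sizes are in KB with 1MB = 1024KB, since that is what turns the post's 1MB floor into a 256KB minimum; `next_limits` and `simulate_minimum_only_miners` are my own names.

```python
from typing import List, Optional, Tuple

MB = 1024  # KB; 25% of a 1MB cap is the post's 256KB minimum only if 1MB = 1024KB


def next_limits(avg_kb: float, prev_max_kb: Optional[float] = None,
                growth: float = 2.0, min_frac: float = 0.25,
                floor_kb: float = MB,
                shrink_floor: Optional[float] = None) -> Tuple[float, float]:
    """(maximum, minimum) block size for the next 2016 blocks.

    avg_kb        mean size of the previous 2016 blocks
    growth        new max = growth * avg (200% in the proposal)
    floor_kb      hard floor for the max (1MB: regression prevention)
    shrink_floor  optional: the new max may not drop below this fraction of the
                  previous max (the 75% deflation-attack rule); needs prev_max_kb
    min_frac      minimum = min_frac * maximum (25%)
    """
    new_max = max(avg_kb * growth, floor_kb)
    if shrink_floor is not None and prev_max_kb is not None:
        new_max = max(new_max, prev_max_kb * shrink_floor)
    return new_max, new_max * min_frac


def simulate_minimum_only_miners(start_max_kb: float, periods: int,
                                 shrink_floor: Optional[float] = None) -> List[float]:
    """Cap after each recalculation when every block is padded to exactly the
    minimum: the next average equals the current minimum (25% of the cap), so
    without the shrink floor the cap halves each period, with it the cap loses
    at most 25%, and the 1MB floor stops the decline either way."""
    caps = []
    cur_max, cur_min = start_max_kb, start_max_kb * 0.25
    for _ in range(periods):
        cur_max, cur_min = next_limits(cur_min, prev_max_kb=cur_max, shrink_floor=shrink_floor)
        caps.append(cur_max)
    return caps


if __name__ == "__main__":
    print("post's worked examples:", next_limits(724), next_limits(250))
    print("deflation, no shrink floor :", simulate_minimum_only_miners(8 * MB, 3))
    print("deflation, 75% shrink floor:", simulate_minimum_only_miners(8 * MB, 3, shrink_floor=0.75))
```

The simulation makes the post's own observation concrete: with a 25% minimum and no shrink floor, miners who pad only to the minimum can halve the cap every 2016 blocks, and the 75% rule slows that to a 25% reduction per period.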
Bitcoin Core 0.12.1 released | Wladimir J. van der Laan | Apr 15 2016
Wladimir J. van der Laan on Apr 15 2016:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Bitcoin Core version 0.12.1 is now available from:

https://bitcoin.org/bin/bitcoin-core-0.12.1/

Or through bittorrent:

magnet:?xt=urn:btih:25c4df2a822e840e972a50a31095632d87efadab&dn=bitcoin-core-0.12.1&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.ccc.de%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&ws=https%3A%2F%2Fbitcoin.org%2Fbin%2F

This is a new minor version release, including the BIP9, BIP68 and BIP112 softfork, various bugfixes and updated translations.

Please report bugs using the issue tracker at github:

https://github.com/bitcoin/bitcoin/issues

To receive security and update notifications, please subscribe to https://bitcoincore.org/en/list/announcements/join/.

Upgrading and downgrading

How to Upgrade

If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), then run the installer (on Windows) or just copy over /Applications/Bitcoin-Qt (on Mac) or bitcoind/bitcoin-qt (on Linux).

Downgrade warning

Downgrade to a version < 0.12.0

Because release 0.12.0 and later will obfuscate the chainstate on every fresh sync or reindex, the chainstate is not backwards-compatible with pre-0.12 versions of Bitcoin Core or other software.

If you want to downgrade after you have done a reindex with 0.12.0 or later, you will need to reindex when you first start Bitcoin Core version 0.11 or earlier.

Notable changes

First version bits BIP9 softfork deployment

This release includes a soft fork deployment to enforce BIP68, BIP112 and BIP113 using the BIP9 deployment mechanism.

The deployment sets the block version number to 0x20000001 between midnight 1st May 2016 and midnight 1st May 2017 to signal readiness for deployment. The version number consists of 0x20000000 to indicate version bits together with setting bit 0 to indicate support for this combined deployment, shown as "csv" in the getblockchaininfo RPC call.

For more information about the soft forking change, please see https://github.com/bitcoin/bitcoin/pull/7648

This specific backport pull-request can be viewed at https://github.com/bitcoin/bitcoin/pull/7543

BIP68 soft fork to enforce sequence locks for relative locktime

BIP68 introduces relative lock-time consensus-enforced semantics of the sequence number field to enable a signed transaction input to remain invalid for a defined period of time after confirmation of its corresponding outpoint.

For more information about the implementation, see https://github.com/bitcoin/bitcoin/pull/7184

BIP112 soft fork to enforce OP_CHECKSEQUENCEVERIFY

BIP112 redefines the existing OP_NOP3 as OP_CHECKSEQUENCEVERIFY (CSV) for a new opcode in the Bitcoin scripting system that in combination with BIP68 allows execution pathways of a script to be restricted based on the age of the output being spent.

For more information about the implementation, see https://github.com/bitcoin/bitcoin/pull/7524

BIP113 locktime enforcement soft fork

Bitcoin Core 0.11.2 previously introduced mempool-only locktime enforcement using GetMedianTimePast(). This release seeks to consensus enforce the rule.

Bitcoin transactions currently may specify a locktime indicating when they may be added to a valid block. Current consensus rules require that blocks have a block header time greater than the locktime specified in any transaction in that block.

Miners get to choose what time they use for their header time, with the consensus rule being that no node will accept a block whose time is more than two hours in the future. This creates an incentive for miners to set their header times to future values in order to include locktimed transactions which weren't supposed to be included for up to two more hours.

The consensus rules also specify that valid blocks may have a header time greater than that of the median of the 11 previous blocks. This GetMedianTimePast() time has a key feature we generally associate with time: it can't go backwards.

BIP113 specifies a soft fork enforced in this release that weakens this perverse incentive for individual miners to use a future time by requiring that valid blocks have a computed GetMedianTimePast() greater than the locktime specified in any transaction in that block.

Mempool inclusion rules currently require transactions to be valid for immediate inclusion in a block in order to be accepted into the mempool. This release begins applying the BIP113 rule to received transactions, so transactions whose time is greater than the GetMedianTimePast() will no longer be accepted into the mempool.

Implication for miners: you will begin rejecting transactions that would not be valid under BIP113, which will prevent you from producing invalid blocks when BIP113 is enforced on the network. Any transactions which are valid under the current rules but not yet valid under the BIP113 rules will either be mined by other miners or delayed until they are valid under BIP113. Note, however, that time-based locktime transactions are more or less unseen on the network currently.

Implication for users: GetMedianTimePast() always trails behind the current time, so a transaction locktime set to the present time will be rejected by nodes running this release until the median time moves forward. To compensate, subtract one hour (3,600 seconds) from your locktimes to allow those transactions to be included in mempools at approximately the expected time.

For more information about the implementation, see https://github.com/bitcoin/bitcoin/pull/6566

Miscellaneous

The p2p alert system is off by default. To turn on, use -alert with startup configuration.

0.12.1 Change log

Detailed release notes follow. This overview includes changes that affect behavior, not code moves, refactors and string updates. For convenience in locating the code changes and accompanying discussion, both the pull request and git merge commit are mentioned.
RPC and other APIs
- #7739 7ffc2bd Add abandoned status to listtransactions (jonasschnelli)

Block and transaction handling
- #7543 834aaef Backport BIP9, BIP68 and BIP112 with softfork (btcdrak)

P2P protocol and network code
- #7804 90f1d24 Track block download times per individual block (sipa)
- #7832 4c3a00d Reduce block timeout to 10 minutes (laanwj)
- #7821 4226aac init: allow shutdown during 'Activating best chain...' (laanwj)
- #7835 46898e7 Version 2 transactions remain non-standard until CSV activates (sdaftuar)

Build system
- #7487 00d57b4 Workaround Travis-side CI issues (luke-jr)
- #7606 a10da9a No need to set -L and --location for curl (MarcoFalke)
- #7614 ca8f160 Add curl to packages (now needed for depends) (luke-jr)
- #7776 a784675 Remove unnecessary executables from gitian release (laanwj)

Wallet
- #7715 19866c1 Fix calculation of balances and available coins. (morcos)

Documentation
- #7617 f04f4fd Fix markdown syntax and line terminate LogPrint (MarcoFalke)
- #7747 4d035bc added depends cross compile info (accraze)

Miscellaneous
- #7741 a0cea89 Mark p2p alert system as deprecated (btcdrak)
- #7780 c5f94f6 Disable bad-chain alert (btcdrak)
Credits

Thanks to everyone who directly contributed to this release:

Wladimir J. van der Laan

As well as everyone that helped translating on Transifex.

original: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-April/012607.html
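The two consensus rules the announcement above describes, the BIP9 "csv" version-bits signal and the BIP113 median-time-past locktime check, as an added Python example that is not part of the original post or of Bitcoin Core's code base. The constants are Bitcoin Core's; the block timestamps and the height 410000 are constructed sample values.

```python
# Added example, not code from the announcement or from Bitcoin Core: a small
# model of two rules the notes describe, the BIP9 "csv" version-bits signal and
# the BIP113 median-time-past (MTP) locktime check. Constants are Bitcoin Core's;
# the timestamps under __main__ are constructed sample values.
from typing import Sequence

VERSIONBITS_TOP_MASK = 0xE0000000  # top 3 bits of the block version
VERSIONBITS_TOP_BITS = 0x20000000  # 001 = block uses BIP9 version bits
CSV_DEPLOYMENT_BIT = 0             # bit 0 signals the BIP68/112/113 deployment
LOCKTIME_THRESHOLD = 500_000_000   # nLockTime below this is a height, else a UNIX time
MTP_SPAN = 11                      # GetMedianTimePast() uses the previous 11 blocks

def signals_csv(version: int) -> bool:
    """True if a header version uses BIP9 version bits and has the csv bit set.
    0x20000001 signals; 0x20000000 is silent; a legacy version-1 block (0x00000001)
    has bit 0 set but is not a version-bits block, so the top-bits mask matters."""
    uses_versionbits = (version & VERSIONBITS_TOP_MASK) == VERSIONBITS_TOP_BITS
    return uses_versionbits and bool(version & (1 << CSV_DEPLOYMENT_BIT))

def median_time_past(prev_header_times: Sequence[int]) -> int:
    """Median header time of the previous (up to) 11 blocks. It never decreases as
    the chain grows, and a single future-dated header barely moves it."""
    window = sorted(prev_header_times[-MTP_SPAN:])
    return window[len(window) // 2]

def locktime_is_final(locktime: int, mtp: int, next_height: int) -> bool:
    """BIP113 finality of nLockTime for the next block: height locks compare against
    the block height, time locks against MTP instead of the miner-chosen header time.
    Both comparisons are strict, as in Bitcoin Core's IsFinalTx() (the exemption for
    transactions whose inputs all use SEQUENCE_FINAL is omitted here)."""
    if locktime == 0:
        return True
    if locktime < LOCKTIME_THRESHOLD:
        return locktime < next_height
    return locktime < mtp

def user_locktime(target_time: int) -> int:
    """The notes' advice to users: subtract one hour so the transaction enters
    mempools at roughly the intended wall-clock time, since MTP trails it."""
    return target_time - 3600

if __name__ == "__main__":
    base = 1_462_060_800  # constructed: 11 blocks, 10 minutes apart, from 1 May 2016 00:00 UTC
    times = [base + 600 * i for i in range(MTP_SPAN)]
    mtp = median_time_past(times)
    print("signals csv:", signals_csv(0x20000001))                                  # True
    print("lock at tip time final?", locktime_is_final(times[-1], mtp, 410_000))    # False
    print("after -1h?", locktime_is_final(user_locktime(times[-1]), mtp, 410_000))  # True
```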
(Try the command openssl speed sha256 sha512 on your computer.) SHA-512/256 sits right in between the two functions—the output size and security level of SHA-256 with the performance of SHA-512—but almost no systems use it so far. (Answer by Luis Casillas, Jul 19 '17.)
These are examples of commonly used hashing algorithms. In the cryptocurrency world, SHA-256 is generally used the most. Facebook and Bitcoin use SHA-256 as their algorithm. The number means how ...
Change initial hash value of SHA512/t: FIPS 180-4 defines under 5.3.6 how to calculate initial hash values for SHA512/t for a given value t. Can someone explain to me how the t actually affects the outcome of the procedure (which, as far as I understand, just calculates the eight 64-bit ...
If you are using Node: > crypto.createHash('sha512').update('my string for hashing').digest('hex ...
SHA-512 is a function of the cryptographic algorithm SHA-2, which is an evolution of the famous SHA-1. SHA-512 is very close to SHA-256 except that it uses 1024-bit blocks and accepts as input a string of at most 2^128 bits. SHA-512 also has other algorithmic modifications in comparison with SHA-256.
How Bylls uses PGP to generate secure Bitcoin payment invoices (alternative to Bitpay's BIP70)
Hash values generation in block chain in Tamil ... What is a Bitcoin hash and SHA-256 (Ofir Beigel) ... How to check the SHA 256 Checksum ... HASH CODE OF A CD-ROM (JUHAX technology).
Digital Forensics: The hash process is normally used during acquisition of the evidence, during verification of the...
Hash: SHA512
The following is a demo of Bylls.com - a Bitcoin payments and exchange application which lets Canadians pay bills and send money to anyone in Canada with Bitcoin. To find out more ...
How can companies store passwords safely and keep them away from hackers? Well let's find out! With all the data breaches lately, it's likely that the passwo...
How to quickly verify MD5, SHA1 and SHA2 (SHA256, SHA384, SHA512) Checksums in Windows 8 and Windows 10 using Command Prompt