Return-Path: <eric@voskuil.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 24F4288A
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 30 Jun 2016 11:56:49 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pf0-f175.google.com (mail-pf0-f175.google.com
	[209.85.192.175])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 735EA179
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 30 Jun 2016 11:56:48 +0000 (UTC)
Received: by mail-pf0-f175.google.com with SMTP id t190so28921010pfb.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 30 Jun 2016 04:56:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=voskuil-org.20150623.gappssmtp.com; s=20150623;
	h=mime-version:subject:from:in-reply-to:date:cc
	:content-transfer-encoding:message-id:references:to;
	bh=G2NSRMUyl4Q73fC+ezEy76PT2JVYcOfIEs+d0vvjIw8=;
	b=lPrBpMLtarA/J0ZFhcbgdZzUGBAi8MPi+kxLSbAfkQwOROOslXeHa/gyVkRaLGVLHQ
	eZbTLlxovt5RNzvVVw/eu6Qga4EedbjECfFr94dgKxU7AQtaDhT1rPP/InYJpQyX6c42
	AMTgSvsjNfN6m395pNNvbGPCjRpGQRBIRrZmcZpB+sl0khJxrRKRQx1yMDmkukgI4qBy
	UANvqIatOLwsyoZInQorFXDoknfy1XmQdsJ1owJ8vlBMjGDLJod5ZFoz0JwTesn6WLVE
	3XuLbeT9387BlR/HmCzL2I57T8a9Cqnujk4lMKsYYvm5qYk5qT16mGDkJ4nnq8oPjcs4
	pkVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
	:content-transfer-encoding:message-id:references:to;
	bh=G2NSRMUyl4Q73fC+ezEy76PT2JVYcOfIEs+d0vvjIw8=;
	b=jfHWjntR2njwO4ZLL6N8X7meDRNYClq/TdjLzuccU+guQcMV0cCzJ4Aj/Lm4AjOx9e
	DQ7sLed/j8IA5YSvPtNekBo9i6bn1gY/OsxR0d0D3lzqfmJt6K7aGf8LC7ldmLEdiLC1
	LVnNoZ593bSz0TEl0bRjlUScyK4z6ywt1bUToMzpPXmJT51bgCEGVx/PSgs/f0ro1PnL
	/fZWIl2Wh0uL2J7BbgQFv2sfPQ6D1Y0briTHoA+3IVAatS57C5orP4DRmGxIA+h1dWa1
	WmxjsS6jqxJCVHnTorgwecErIDnIGkqxwp91qHEzFudjX8fPePokBJnrIb8zVD/uEtPW
	NWug==
X-Gm-Message-State: ALyK8tIhImrQaCM3hhXbAmJRknpT24Db1Wi00ayuPYKjAhHja9nLB1g+rFvWV+Tg+NeBXQ==
X-Received: by 10.98.9.141 with SMTP id 13mr20584577pfj.130.1467287808035;
	Thu, 30 Jun 2016 04:56:48 -0700 (PDT)
Received: from [10.171.23.222] ([166.170.43.16])
	by smtp.gmail.com with ESMTPSA id
	by5sm5313208pad.36.2016.06.30.04.56.46
	(version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Thu, 30 Jun 2016 04:56:47 -0700 (PDT)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Eric Voskuil <eric@voskuil.org>
X-Mailer: iPhone Mail (13F69)
In-Reply-To: <20160629111728.GO13338@dosf1.alfie.wtf>
Date: Thu, 30 Jun 2016 13:56:42 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <2981A919-4550-4807-8ED9-F8C51B2DC061@voskuil.org>
References: <87h9cecad5.fsf@rustcorp.com.au>
	<1E86A00F-0609-4DBC-9543-94AE04CC13C9@voskuil.org>
	<577234A4.3030808@jonasschnelli.ch>
	<360EF9B8-A174-41CA-AFDD-2BC2C0B4DECB@voskuil.org>
	<20160629111728.GO13338@dosf1.alfie.wtf>
To: Alfie John <alfie@alfie.wtf>
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, MIME_QP_LONG_LINE,
	RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP 151
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2016 11:56:49 -0000

Hi Alfie,

Yes, this is exactly what I meant. The complexity of the proposed constructi=
on is comparable to that of Bitcoin itself. This is not itself prohibitive, b=
ut it is clearly worthy of consideration.

A question we should ask is whether decentralized anonymous credentials is a=
pplicable to the authentication problem posed by BIP151. I propose that it i=
s not.

The core problem posed by BIP151 is a MITM attack. The implied solution (BIP=
151 + authentication) requires that a peer trusts that another is not an att=
acker.=20

Authentication of an anonymous peer cannot achieve this objective, since the=
 peer may be anyone and an attack on privacy can be undetectable. The identi=
ty of a peer must be known to the relying peer, either directly or transitiv=
ely.

DAC is applicable in cases where identity is never required.  The prime exam=
ple in the paper is that of first-come-first-served name registration. No id=
entity is required in that scenario, just proof that a party in question is t=
he original registrant. All participants are presumed to be "good".

I believe that a distributed anonymous system is fundamentally at odds with i=
solation of "good" vs. "bad" participants who comply with protocol rules (Do=
S considerations aside), and that any attempt to resolve this conflict will r=
esult in the system no longer allowing anonymous participation.

I may be mistaken, but I haven't found a way out of this realization.

e

> On Jun 29, 2016, at 1:17 PM, Alfie John <alfie@alfie.wtf> wrote:
>=20
> On Tue, Jun 28, 2016 at 06:45:58PM +0200, Eric Voskuil via bitcoin-dev wro=
te:
>>> then we should definitively use a form of end-to-end encryption between
>>> nodes. Built into the network layer.
>>=20
>> Widespread application of this model is potentially problematic. It is a
>> non-trivial problem to design a distributed system that requires authenti=
cation
>> but without identity and without central control. In fact this may be mor=
e
>> challenging than Bitcoin itself. Trust on first use (TOFU) does not solve=
 this
>> problem.
>=20
> Maybe the following paper can feed into this discussion:
>=20
> "Decentralized Anonymous Credentials" by Christina Garman, Matthew Green, I=
an Miers
>   https://eprint.iacr.org/2013/622.pdf
>=20
> Alfie
>=20
> --=20
> Alfie John
> https://www.alfie.wtf