Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VzACa-0006fe-E4 for bitcoin-development@lists.sourceforge.net; Fri, 03 Jan 2014 19:14:36 +0000 Received: from mail-la0-f54.google.com ([209.85.215.54]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1VzACW-00046m-SR for bitcoin-development@lists.sourceforge.net; Fri, 03 Jan 2014 19:14:36 +0000 Received: by mail-la0-f54.google.com with SMTP id b8so8502967lan.27 for ; Fri, 03 Jan 2014 11:14:26 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ZRJgvJjKK+bIz+3i7gf1+82CRsmTQuLDc06aDarAx6o=; b=GDTCCIjzOpLrUbaei+u9+/jilwh3f5pP0KIFjnzuMYsn8QNnueXsi8qJNZnj3so7jZ uUGLBvzH+/IMykbbVbEWyPR2l5639IyzUUNGL/EA5j9KtEE8+ny6/QJyCJlsD6i8h3L+ itKtBRGzvonIscNPHUdDJMhOVktqmrbXnSmRfFQQ1d7ecxLVmQcEFQ6fOnarnlKx+kMz 64cXww39VA8VFDoEUKFTkX5uJeMyMX2RIEMtVB5D8ZLuOSrtb2Q0DvrFjupD/WjM329k l1yotdjJH/tfx4o1l5+FwERBNiurF8EzQ4hZqom3VSWHIduPbCvYNtV7wPPRdre3i7Ah WU6w== X-Gm-Message-State: ALoCoQnABWN8tjf9L2NMFaiutm0Hg1yTuBBtUN3fbYD3HqyK8rN6ag1WPeZwTGw/UWOCeB7Gl2r1 MIME-Version: 1.0 X-Received: by 10.112.167.228 with SMTP id zr4mr1832388lbb.56.1388776465923; Fri, 03 Jan 2014 11:14:25 -0800 (PST) Received: by 10.112.74.71 with HTTP; Fri, 3 Jan 2014 11:14:25 -0800 (PST) X-Originating-IP: [85.53.148.187] In-Reply-To: <20140101045342.GA7103@tilt> References: <20131230232225.GA10594@tilt> <201312310114.05600.luke@dashjr.org> <20140101045342.GA7103@tilt> Date: Fri, 3 Jan 2014 20:14:25 +0100 Message-ID: From: =?ISO-8859-1?Q?Jorge_Tim=F3n?= To: Peter Todd Content-Type: text/plain; charset=ISO-8859-1 X-Spam-Score: 0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. X-Headers-End: 1VzACW-00046m-SR Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] The insecurity of merge-mining X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jan 2014 19:14:36 -0000 On 1/1/14, Peter Todd wrote: > On Tue, Dec 31, 2013 at 01:14:05AM +0000, Luke-Jr wrote: >> On Monday, December 30, 2013 11:22:25 PM Peter Todd wrote: >> > that you are using merge-mining is a red-flag because without majority, >> > or >> > at least near-majority, hashing power an attacker can 51% attack your >> > altcoin at negligible cost by re-using existing hashing power. >> >> I strongly disagree on this isolated point. Using the same logic, Bitcoin >> is >> vulnerable to an attacker at negligible cost by re-using existing hashing >> >> power from mining Namecoin. Any non-scam altcoin is pretty safe using >> merged >> mining, since any would-be attacker is going to have it in their interests >> to >> invest in the altcoin instead of attacking it. It's only the scam ones >> that >> want to pump & dump with no improvements, that are really at risk here. >> >> The rational decision for a non-scam altcoin, is to take advantage of >> merged >> mining to get as much security as possible. There are also some possible >> tricks to get the full security of the bitcoin miners even when not all >> participate in your altcoin (but this area probably needs some studying to >> get >> right). > > You assume the value of a crypto-currency is equal to all miners, it's > not. They should be able to sell the reward at similar prices in the market. Attackers are losing the opportunity cost of mining the currency by attacking it, just like with Bitcoin. > Suppose I create a merge-mined Zerocoin implementation with a 1:1 > BTC/ZTC exchange rate enforced by the software. You can't argue this is > a scamcoin; no-one is getting rich. There's a 1:1 exchange rate so the > only thing you can do with the coin is get some privacy. The idea of sacrificing something external and make bitcoins appear still sounds crazy to me. I don't see how this pegging contributes in anything to a technical argument against merged mining, just looks like a moral argument against altcoin in general. But anyway, if you're going to make bitcoin's validation dependent on some external chain, it surprises me even more that you prefer that external dependency to be non-merge mineable. > But inevitably > some miners won't agree that enabling better privacy is a good thing, or > their local governments won't. Either way, they can attack the Zerocoin > merge-mined chain with a marginal cost of nearly zero. Ok, so either we assume that the external-pegging hardfork wasn't a consensus or we just forget about the pegging and go back to talk about merged mining in general. Your argument is still "for some reason some miners don't like the MM altcoin and prefer to attack it than to be profitable miners". If I mine BTC + NMC and you only mine BTC, it will be harder for you to compete against me: I can afford higher costs than you for the same BTC reward, since I'm also getting NMC. What you're saying is that Litecoin is more secure than Namecoin because while Litecoin can only be attacked by external attackers and current miners of other scrypt coins, Namecoin can also be attacked the Bitcoin miners that aren't currently mining Namecoin. This doesn't sound very reasonable to me. I think Namecoin is more secure than Litecoin and new coins should be created with SHA256 and merged mining in mind. At least merged mine with Litecoin if the still believe scrypt is so "anti-ASIC" and "centralization-resistant" (in fact Litecoin is more centralized than bitcoin with their shorter block intervals since better connections are favored, but that's another story). Merged mining is not only about not competing for proof of work like Satoshi defended. It is also about wasting resources: the more mining subsidies to different chains, the more wasted resources. By criticizing merged mining you're also indirectly legitimizing the same scamcoin madness you criticize. If you don't plan to merge mine, having SHA256 doesn't make sense because that makes you more fragile to potential bitcoin miners attacks and chainhopers. I don't think we would have this many alts living right now if all proof of work was SHA256. So if the "anti-asic PoW" myth and the absurd emerging morals of "GPU-mining as an universal right" weren't enough, you want to add an equally false "merged mining is insecure" to the collection of arguments supporting the search of the more absurd possible PoW holy grail. Please try to prove that MM is insecure and I'll try to prove your wrong. But we don't need zerocoin or an artificial pegging to discuss about this. I think Namecoin has a lower reward for miners than litecoin and still has much better security. I haven't run the numbers but, will you deny it? How many amazon VMs do you need to attack each one of them?