Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 424C9CBC for ; Tue, 5 Dec 2017 18:05:44 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-qt0-f169.google.com (mail-qt0-f169.google.com [209.85.216.169]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 46E3F463 for ; Tue, 5 Dec 2017 18:05:42 +0000 (UTC) Received: by mail-qt0-f169.google.com with SMTP id u42so2856030qte.7 for ; Tue, 05 Dec 2017 10:05:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=nm8RUPV03kpDdmIZWzBsf4cocy/WOOjdRVTdwFJEcAE=; b=pVdAnYiUejk/t+lVFIv3qW/JBxobANWbXOUlBDw7LVBEV99d+Zwkk0IwRHaB+E2d2Y O6HQDpc5pRLuWzXQ4TM1pwvTYgrG8Bgyl1E2OKwCbrd3se23LErU22Z4xEw2HtxvBF43 w82ZSTR1HZhR0UhKjEiV/cC1tm0TNv/PfidLUQ9nWoQeCL89jFiCA2j+H5nGY1pgBoRt J/NC4o9NeRu3YQsoXESJUy+rVrSa4wmMT9HlgMgN9RfF1GEwPWHXKgThv1ayUg1Ge1iv TXErPWZcLRmizFDI02jMCKLflXOlMZj3dmK80RVGvc2DPQkymv7B1b/vo/MuEOiU2Fub Sh0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=nm8RUPV03kpDdmIZWzBsf4cocy/WOOjdRVTdwFJEcAE=; b=g31fuZdD0jtzcD0DgCdAbWMnhlWWNDVvYMt0lScqPGiWGHzO631cCSp1+JzaAxI5PK BpMatP5SKa9lxMINnPPm5U5Nrk2BbkKWpRwEcRqDBggO9OWUmYvB4Uz+Q+ruks3IvbLk U4ztlHrWU2IT3j1EAHr+sQ6IeEZ+yi9S8BVSaIQp3+KHKlhGdmqZklEqPCLJLWivEWA8 KZh/3AAh/jPZC6jkSUncvinW/eYBCcC5mIVA3/JsgKGtnzdZJxHwW0LrPPT3BmVuZkEk Ox9TsvGtcMuhHyjYWU5778PavRn2HzopbOzE1pMq7hrf2h3kwQLobuoveFdxpAvp2FQt a12Q== X-Gm-Message-State: AKGB3mJgy3DV35hCSBniHhtl+/uBnveMNbfXTTJZwe7wVDPrVSMWFfJf FCWqVVsUjVuNRWKPBWhJVy9iJQ== X-Google-Smtp-Source: AGs4zMYAhVAk79AHyt5I7DaMzic/MeMf/t3wFC4Hu9clz20KuzvNCQeESsfZo2ZxILpTdS965F6XSQ== X-Received: by 10.55.127.193 with SMTP id a184mr23588005qkd.119.1512497140838; Tue, 05 Dec 2017 10:05:40 -0800 (PST) Received: from [192.168.1.104] (ool-45726efb.dyn.optonline.net. [69.114.110.251]) by smtp.googlemail.com with ESMTPSA id 3sm427912qty.47.2017.12.05.10.05.38 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Dec 2017 10:05:39 -0800 (PST) To: Bitcoin Protocol Discussion References: <1bb6cccd-3f6d-d62a-2825-4e6f46a4b525@mattcorallo.com> From: Paul Sztorc Message-ID: Date: Tue, 5 Dec 2017 13:05:39 -0500 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------E43802461C5ACF90FE26027F" Content-Language: en-US X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Two Drivechain BIPs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Dec 2017 18:05:44 -0000 This is a multi-part message in MIME format. --------------E43802461C5ACF90FE26027F Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Hello Chris, 1. Marginal Cost There actually is a very small cost to casting a malicious vote, relative to an honest vote. This is because the software (when run as-is), will automatically vote correctly. But to vote fraudulently you must decide on what to do instead, and configure that! This might not be as easy as it seems (see collective action part, below). It is true that there is no *marginal* cost to creating a bad vote, in the fraudulent withdrawal case. But then again there is no marginal cost to creating a good vote either -- in fact there is no cost at all. In fact, there is no marginal cost to creating a bad block either, in the 51% hashrate reorganization case. Epistemologically, the protocol has no way of differentiating a "bad" block/vote from a good one. So one cannot "cost" more than the other, in a narrow sense. I suppose in the reorganization case there is the risk of lost mining effort on a chain that actually does *not* have 51% and therefore won't catch up. But this only encourages conformity to the longest chain, including fraudulent chains. For example, imagine that the reorganization is done via secretly mining a longer chain -- once that chain is published, it will be the longest. Then, according to your framework, there will be a "marginal cost" to doing the *right* thing (trying to preserve the honest, transparent chain). So I'm afraid I don't understand what you mean. 2. Repercussions As for there being no repercussions, that is incorrect. The miner's choice to engage in a fraudulent withdraw is one that has several negative consequences. They take a variety of forms and likelihoods, but they definitely exist and are very relevant. The first repercussion is the loss of victim-sidechain future tx-fees. A second is the loss of all future tx fees on all sidechains. A third is that the Bitcoin super-network is changed from being a "sidechain enabled" network to a "sidechain disabled" network. The impact of these repercussions is still unclear and open to interpretation. On one hand, the impact may be small and therefore not very persuasive (as in the case where a sidechain has few tx-fees, few sidechains are used, few are expected to be created/used, and so little is lost by attacking). On the other hand, a single fraudulent withdrawal might motivate the creation of a new spinoff network that is exactly the same as the old network, but with merely two changes: the fraudulent withdrawal surgically removed (as if it were never attempted) AND a new proof of work algorithm. Since the withdrawals are so slow, there would be plenty of time to organize such an option (and people who already want a pow-change would jump at this glaring opportunity). Will the repercussions be small or large? Even if there is only a *risk* of large repercussions, it can be very persuasive. (Just as the IRS is very persuasive to tax-paying Americans, even though only a tiny proportion of tax returns are audited.) 0. Useless Sidechain Fallacy Finally, you are joining the long list of people who are committing the "useless sidechain fallacy". You are saying that because you believe the sidechain is useless, therefore everyone must believe as you do, and therefore the option to use a sidechain must be one that has zero value. However, in the real world people are heterogeneous. They may decide that your interpretation contains errors, or else their circumstances might incline them towards a different risk-reward tradeoff. Finally, this fallacy obfuscates the main benefit of sidechains, which is that they are optional -- the sidechain-designer must convince users to deposit funds there. 3. Collective Action Problem There actually is a collective action problem inherent to fraudulent withdrawals. If miners wish to fraudulently withdraw from the sidechain, they need to choose the destination addresses (on mainchain Bitcoin Core) months in advance. Then they need to upvote/downvote this destination, despite that fact that --during this time-- new hashpower might be coming online/offline, and/or hashers might be joining/leaving specific pools. I bring this up to demonstrate that even the most straightforward attack (of "a 51% hashrate group attacks a sidechain and distributes the proceeds to the group proportional to hashpower") is actually one that contains a difficult (and potentially interminable) negotiation. The effort required to initiate the negotiation is the source of the collective action problem here. I think that this collective action problem is actually more burdensome than Bitcoin's -- for mainchain Bitcoin miners merely need to decide which block height they intend to reorganize from. You may wish to read Drivechain's security model to learn more: http://www.truthcoin.info/blog/drivechain/#drivechains-security In this case, I don't see a way to measure "security" cardinally or ordinally. Instead, I am only able to see it as either "secure enough" or "not secure enough". But perhaps someone can enlighten me as to the math they are using to produce these cardinal/ordinal rankings. --Paul On 12/4/2017 2:36 PM, Chris Pacia wrote: > > I think you are missing a few things. > > First of all, I think the security model for sidechains is the same as > that of every blockchain > > People will say things, like "but with sidechains 51% hashrate can > steal > your coins!", but as I have repeated many times, this is also true of > mainchain btc-tx.  is something else? > > > There are substantial opportunity costs as well as a collective action > problem when it comes to re-writing the mainchain.  > > Is there anything similar for drivechains? As far as I can tell there > is no opportunity cost to casting a malicious vote, no repercussions, > and no collective action barrier that needs to be overcome.  > > Unless I'm missing something I wouldn't liken the security of a > drivechain to that of the mainchain. --------------E43802461C5ACF90FE26027F Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit
Hello Chris,

1. Marginal Cost

There actually is a very small cost to casting a malicious vote, relative to an honest vote. This is because the software (when run as-is), will automatically vote correctly. But to vote fraudulently you must decide on what to do instead, and configure that! This might not be as easy as it seems (see collective action part, below).

It is true that there is no *marginal* cost to creating a bad vote, in the fraudulent withdrawal case. But then again there is no marginal cost to creating a good vote either -- in fact there is no cost at all. In fact, there is no marginal cost to creating a bad block either, in the 51% hashrate reorganization case. Epistemologically, the protocol has no way of differentiating a "bad" block/vote from a good one. So one cannot "cost" more than the other, in a narrow sense.

I suppose in the reorganization case there is the risk of lost mining effort on a chain that actually does *not* have 51% and therefore won't catch up. But this only encourages conformity to the longest chain, including fraudulent chains. For example, imagine that the reorganization is done via secretly mining a longer chain -- once that chain is published, it will be the longest. Then, according to your framework, there will be a "marginal cost" to doing the *right* thing (trying to preserve the honest, transparent chain). So I'm afraid I don't understand what you mean.

2. Repercussions

As for there being no repercussions, that is incorrect. The miner's choice to engage in a fraudulent withdraw is one that has several negative consequences. They take a variety of forms and likelihoods, but they definitely exist and are very relevant.

The first repercussion is the loss of victim-sidechain future tx-fees. A second is the loss of all future tx fees on all sidechains. A third is that the Bitcoin super-network is changed from being a "sidechain enabled" network to a "sidechain disabled" network.

The impact of these repercussions is still unclear and open to interpretation. On one hand, the impact may be small and therefore not very persuasive (as in the case where a sidechain has few tx-fees, few sidechains are used, few are expected to be created/used, and so little is lost by attacking). On the other hand, a single fraudulent withdrawal might motivate the creation of a new spinoff network that is exactly the same as the old network, but with merely two changes: the fraudulent withdrawal surgically removed (as if it were never attempted) AND a new proof of work algorithm. Since the withdrawals are so slow, there would be plenty of time to organize such an option (and people who already want a pow-change would jump at this glaring opportunity). Will the repercussions be small or large? Even if there is only a *risk* of large repercussions, it can be very persuasive. (Just as the IRS is very persuasive to tax-paying Americans, even though only a tiny proportion of tax returns are audited.)

0. Useless Sidechain Fallacy

Finally, you are joining the long list of people who are committing the "useless sidechain fallacy". You are saying that because you believe the sidechain is useless, therefore everyone must believe as you do, and therefore the option to use a sidechain must be one that has zero value. However, in the real world people are heterogeneous. They may decide that your interpretation contains errors, or else their circumstances might incline them towards a different risk-reward tradeoff. Finally, this fallacy obfuscates the main benefit of sidechains, which is that they are optional -- the sidechain-designer must convince users to deposit funds there.

3. Collective Action Problem

There actually is a collective action problem inherent to fraudulent withdrawals.

If miners wish to fraudulently withdraw from the sidechain, they need to choose the destination addresses (on mainchain Bitcoin Core) months in advance. Then they need to upvote/downvote this destination, despite that fact that --during this time-- new hashpower might be coming online/offline, and/or hashers might be joining/leaving specific pools. I bring this up to demonstrate that even the most straightforward attack (of "a 51% hashrate group attacks a sidechain and distributes the proceeds to the group proportional to hashpower") is actually one that contains a difficult (and potentially interminable) negotiation. The effort required to initiate the negotiation is the source of the collective action problem here.

I think that this collective action problem is actually more burdensome than Bitcoin's -- for mainchain Bitcoin miners merely need to decide which block height they intend to reorganize from.

You may wish to read Drivechain's security model to learn more: http://www.truthcoin.info/blog/drivechain/#drivechains-security

In this case, I don't see a way to measure "security" cardinally or ordinally. Instead, I am only able to see it as either "secure enough" or "not secure enough". But perhaps someone can enlighten me as to the math they are using to produce these cardinal/ordinal rankings.

--Paul

On 12/4/2017 2:36 PM, Chris Pacia wrote:

I think you are missing a few things.

First of all, I think the security model for sidechains is the same as
that of every blockchain

People will say things, like "but with sidechains 51% hashrate can steal
your coins!", but as I have repeated many times, this is also true of
mainchain btc-tx.  is something else?

There are substantial opportunity costs as well as a collective action problem when it comes to re-writing the mainchain. 

Is there anything similar for drivechains? As far as I can tell there is no opportunity cost to casting a malicious vote, no repercussions, and no collective action barrier that needs to be overcome. 

Unless I'm missing something I wouldn't liken the security of a drivechain to that of the mainchain.


--------------E43802461C5ACF90FE26027F--