Date: Fri, 10 Jan 2014 06:11:28 -0500
From: Peter Todd
To: Jorge Timón
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] The insecurity of merge-mining
Message-ID: <20140110111128.GC25749@savin>

On Thu, Jan 09, 2014 at 06:19:04PM +0100, Jorge Timón wrote:
> On 1/6/14, Peter Todd wrote:
> > On Sat, Jan 04, 2014 at 01:27:42AM +0100, Jorge Timón wrote:
> > It's not meant to prove anything - the proof-of-sacrificed-bitcoins
> > mentioned(*) in it is secure only if Bitcoin itself is secure and
> > functional. I referred you to it because understanding the system will
> > help you understand my thinking behind merge-mining.
> >
> > *) It also mentions proof-of-sacrificed-zerocoins which *is* distinct
> > because you're sacrificing the thing that the chain is about. Now that
> > has some proof-of-stake tinges to it for sure - I myself am not
> > convinced it is or isn't a viable scheme.
>
> I'm not sure I understand all the differences between
> proof-of-sacrificed-bitcoins and proof-of-sacrificed-newcoins, but I'm
> still convinced this doesn't have anything to do with MM PoW vs PoW.

Proof-of-sacrificed-bitcoins is always a true sacrifice - provided
Bitcoin itself maintains consensus the proof is a guarantee that
something of value was given up.

Proof-of-sacrificed-"newcoins" means that within some consensus system I
created a signed statement that *within the system* means I lose
something of value. However that sacrifice is only valid if the
consensus of the system includes that sacrifice within the consensus,
and if the mechanism by which that consensus is maintained has anything
to do with those sacrifices you quickly find yourself on pretty shaky
ground.

> > You know, something that I haven't made clear in this discussion is that
> > while I think merge-mining is insecure, in the sense of "should my new
> > fancy alt-coin protocol widget use it?", I *also* don't think regular
> > mining is much better. In some cases it will be worse due to social
> > factors. (e.g. a bunch of big pools are going to merge-mine my scheme on
> > launch day because it makes puppies cuter and kids smile)
>
> Fair enough.
> Do you see any case where an independently pow validated altcoin is
> more secure than a merged mined one?

Situations where decentralized consensus systems are competing for
market share in some domain certainly apply. For instance if I were to
create a competitor to Namecoin, perhaps because I thought the existing
allocation of names was unfair, and/or I had technical improvements like
SPV, it's easy to imagine Namecoin miners deciding to attack my
competitor to preserve the value of their namecoins and domain names
registered in Namecoin.

The problem here is that my new system has a substantial *negative*
value to those existing Namecoin holders - if it catches on the value of
their Namecoin investment in the form of coins and domain names may go
down. Thus for them doing nothing has a negative return, attacking my
coin has a positive return minus costs, and with merge-mining the costs
are zero.

Without merge mining if the value to the participants in the new system
is greater than the harm done to the participants in the old system the
total work on the new system's chain will still be positive and it has a
chance of surviving.

Of course, this is what Luke-Jr was getting at when he was talking about
scam-coins and merge mining: if your alt-currency is a currency, and it
catches on, then it dilutes the value of your existing coins and people
who own those coins have an incentive to attack the competitor. That's
why merge-mined alt-coins that are currencies often get attacked very
quickly.

-- 
'peter'[:-1]@petertodd.org
00000000000000028a5c9edabc9697fe96405f667be1d6d558d1db21d49b8857