To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <d3497397-33c3-90c1-1be8-a733736eac0b@gmail.com>
	<1bb6cccd-3f6d-d62a-2825-4e6f46a4b525@mattcorallo.com>
	<dd2781a6-3e10-9f0c-6ee0-a2c070b7cf67@gmail.com>
	<CAB+qUq4wNv=-ZSibUvVCwYSE7Qw8xe8EH91KG6znUp1d7X=mdA@mail.gmail.com>
From: Paul Sztorc <truthcoin@gmail.com>
Message-ID: <c898cc1c-d71c-de5c-aede-a2a4235656e0@gmail.com>
Date: Tue, 5 Dec 2017 13:05:39 -0500
Subject: Re: [bitcoin-dev] Two Drivechain BIPs

Hello Chris,

1. Marginal Cost

There actually is a very small cost to casting a malicious vote,
relative to an honest vote. This is because the software (when run
as-is), will automatically vote correctly. But to vote fraudulently you
must decide on what to do instead, and configure that! This might not be
as easy as it seems (see collective action part, below).

It is true that there is no *marginal* cost to creating a bad vote, in
the fraudulent withdrawal case. But then again there is no marginal cost
to creating a good vote either -- in fact there is no cost at all. In
fact, there is no marginal cost to creating a bad block either, in the
51% hashrate reorganization case. Epistemologically, the protocol has no
way of differentiating a "bad" block/vote from a good one. So one cannot
"cost" more than the other, in a narrow sense.

I suppose in the reorganization case there is the risk of lost mining
effort on a chain that actually does *not* have 51% and therefore won't
catch up. But this only encourages conformity to the longest chain,
including fraudulent chains. For example, imagine that the
reorganization is done via secretly mining a longer chain -- once that
chain is published, it will be the longest. Then, according to your
framework, there will be a "marginal cost" to doing the *right* thing
(trying to preserve the honest, transparent chain). So I'm afraid I
don't understand what you mean.

2. Repercussions

As for there being no repercussions, that is incorrect. The miner's
choice to engage in a fraudulent withdrawal is one that has several
negative consequences. They take a variety of forms and likelihoods, but
they definitely exist and are very relevant.

The first repercussion is the loss of victim-sidechain future tx-fees. A
second is the loss of all future tx fees on all sidechains. A third is
that the Bitcoin super-network is changed from being a "sidechain
enabled" network to a "sidechain disabled" network.

The impact of these repercussions is still unclear and open to
interpretation. On one hand, the impact may be small and therefore not
very persuasive (as in the case where a sidechain has few tx-fees, few
sidechains are used, few are expected to be created/used, and so little
is lost by attacking). On the other hand, a single fraudulent withdrawal
might motivate the creation of a new spinoff network that is exactly the
same as the old network, but with merely two changes: the fraudulent
withdrawal surgically removed (as if it were never attempted) AND a new
proof of work algorithm. Since the withdrawals are so slow, there would
be plenty of time to organize such an option (and people who already
want a pow-change would jump at this glaring opportunity). Will the
repercussions be small or large? Even if there is only a *risk* of large
repercussions, it can be very persuasive. (Just as the IRS is very
persuasive to tax-paying Americans, even though only a tiny proportion
of tax returns are audited.)

0. Useless Sidechain Fallacy

Finally, you are joining the long list of people who are committing the
"useless sidechain fallacy". You are saying that because you believe the
sidechain is useless, therefore everyone must believe as you do, and
therefore the option to use a sidechain must be one that has zero value.
However, in the real world people are heterogeneous. They may decide
that your interpretation contains errors, or else their circumstances
might incline them towards a different risk-reward tradeoff. Finally,
this fallacy obfuscates the main benefit of sidechains, which is that
they are optional -- the sidechain-designer must convince users to
deposit funds there.

3. Collective Action Problem

There actually is a collective action problem inherent to fraudulent
withdrawals.

If miners wish to fraudulently withdraw from the sidechain, they need to
choose the destination addresses (on mainchain Bitcoin Core) months in
advance. Then they need to upvote/downvote this destination, despite
the fact that --during this time-- new hashpower might be coming
online/offline, and/or hashers might be joining/leaving specific pools.
I bring this up to demonstrate that even the most straightforward attack
(of "a 51% hashrate group attacks a sidechain and distributes the
proceeds to the group proportional to hashpower") is actually one that
contains a difficult (and potentially interminable) negotiation. The
effort required to initiate the negotiation is the source of the
collective action problem here.

I think that this collective action problem is actually more burdensome
than Bitcoin's -- for mainchain Bitcoin miners merely need to decide
which block height they intend to reorganize from.

You may wish to read Drivechain's security model to learn more:
http://www.truthcoin.info/blog/drivechain/#drivechains-security

In this case, I don't see a way to measure "security" cardinally or
ordinally. Instead, I am only able to see it as either "secure enough"
or "not secure enough". But perhaps someone can enlighten me as to the
math they are using to produce these cardinal/ordinal rankings.

--Paul

On 12/4/2017 2:36 PM, Chris Pacia wrote:
>
>     I think you are missing a few things.
>
>     First of all, I think the security model for sidechains is the same as
>     that of every blockchain
>
>     People will say things, like "but with sidechains 51% hashrate can
>     steal
>     your coins!", but as I have repeated many times, this is also true of
>     mainchain btc-tx.  is something else?
>
>
> There are substantial opportunity costs as well as a collective action
> problem when it comes to re-writing the mainchain. 
>
> Is there anything similar for drivechains? As far as I can tell there
> is no opportunity cost to casting a malicious vote, no repercussions,
> and no collective action barrier that needs to be overcome. 
>
> Unless I'm missing something I wouldn't liken the security of a
> drivechain to that of the mainchain.


