Peter Todd [ARCHIVE] on Nostr: 📅 Original date posted:2014-04-23 📝 Original message:On Wed, Apr 23, 2014 at ...
📅 Original date posted:2014-04-23
📝 Original message:On Wed, Apr 23, 2014 at 06:04:00PM +0300, Alex Mizrahi wrote:
> This is outright ridiculous.
>
> Zero-confirmation double-spending is a small problem, and possible
> solutions are known. (E.g. trusted third party + multi-sig addresses for
> small-value transactions.)
Also replace-by-fee scorched earth.
> On the other hand, protocol changes like described above might have
> game-theoretical implications which are non-trivial and hard to understand.
To put it mildly. :) Beyond the obvious issues with adding mechanisms
for miners to vote on what blacklists they wish to apply, it's
interesting to consider how trying to make zeroconf transactions secure
directly is quite close to changing the block interval. Like the
blocksize that's a fundemental economic parameter of the system - how
low-latency and well connected you must be to be allowed to mine. Even
in a scheme where the punishment for allowing a double-spend was somehow
applied perfectly fairly, you'd still be favoring large well-connected
miners in a very similar way to reducing the block interval.
> The above approach works as long as the majority of hashpower is honest,
> > defined to mean, working to stop double spending. This is the same security
> > property as described in the white paper, thus this introduces no new
> > security assumptions.
> >
>
> No. Bitcoin should work if miners are merely individually rational, i.e.
> they try to maximize their pay-offs without colluding with others.
It's worth noting that the academic efforts studying Bitcoin are
spending quite a bit of effort focused on the incentive compatibility of
various mechanisms in the protocol: https://github.com/citp/bitcoin-sok/issues/5
There's solid consensus in the academic community that Bitcoin can't
just depend on notions of "honesty" to work.
> I guess word "honest" might have different meanings, that can be a source
> of confusing.
> 1. Honest -- not trying to destroy bitcoin
> 2. Honest -- following rules which are not required by the protocol
What exactly those rules are is up for debate too. Right now if, say,
just 5% of Bitcoin miners were willing to accept Colored Coin
transactions you could still use Colored Coins. The other 95% may want
to block said transactions, but there's huge practical difficulties in
organizing a reorg and ensuring that everyone co-operates; miners have
strong incentives to defect if the consensus isn't assured as any miners
attempting to reorg are wasting their hashing power if it doesn't
succeed.
OTOH with a voting scheme the cost to propose that a specific block or a
transaction be blacklisted is much lower. In Mike's proposed scheme to
not just blacklist, but actually take coinbases it's downright
profitable. Rather than being a last resort option, it'll be easy for
miners to propose various things be blacklisted, if the vote goes
through, great, if it doesn't, no harm done. Obviously that makes
blacklists into a much more useful tool and greatly changes the
political landscape around them.
Remember, if you're operating a publicly known pool, and there's a
voting mechanism available to you to blacklist specific blocks, how are
you going to resist pressure from your local authorities to do just when
there's no cost to you to do so?
--
'peter'[:-1]@petertodd.org
0000000000000000278031f86c71265f6eaf1fe9ce6cc831dc4f956676a7a7f7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140423/50cd1cfa/attachment.sig>
📝 Original message:On Wed, Apr 23, 2014 at 06:04:00PM +0300, Alex Mizrahi wrote:
> This is outright ridiculous.
>
> Zero-confirmation double-spending is a small problem, and possible
> solutions are known. (E.g. trusted third party + multi-sig addresses for
> small-value transactions.)
Also replace-by-fee scorched earth.
> On the other hand, protocol changes like described above might have
> game-theoretical implications which are non-trivial and hard to understand.
To put it mildly. :) Beyond the obvious issues with adding mechanisms
for miners to vote on what blacklists they wish to apply, it's
interesting to consider how trying to make zeroconf transactions secure
directly is quite close to changing the block interval. Like the
blocksize that's a fundemental economic parameter of the system - how
low-latency and well connected you must be to be allowed to mine. Even
in a scheme where the punishment for allowing a double-spend was somehow
applied perfectly fairly, you'd still be favoring large well-connected
miners in a very similar way to reducing the block interval.
> The above approach works as long as the majority of hashpower is honest,
> > defined to mean, working to stop double spending. This is the same security
> > property as described in the white paper, thus this introduces no new
> > security assumptions.
> >
>
> No. Bitcoin should work if miners are merely individually rational, i.e.
> they try to maximize their pay-offs without colluding with others.
It's worth noting that the academic efforts studying Bitcoin are
spending quite a bit of effort focused on the incentive compatibility of
various mechanisms in the protocol: https://github.com/citp/bitcoin-sok/issues/5
There's solid consensus in the academic community that Bitcoin can't
just depend on notions of "honesty" to work.
> I guess word "honest" might have different meanings, that can be a source
> of confusing.
> 1. Honest -- not trying to destroy bitcoin
> 2. Honest -- following rules which are not required by the protocol
What exactly those rules are is up for debate too. Right now if, say,
just 5% of Bitcoin miners were willing to accept Colored Coin
transactions you could still use Colored Coins. The other 95% may want
to block said transactions, but there's huge practical difficulties in
organizing a reorg and ensuring that everyone co-operates; miners have
strong incentives to defect if the consensus isn't assured as any miners
attempting to reorg are wasting their hashing power if it doesn't
succeed.
OTOH with a voting scheme the cost to propose that a specific block or a
transaction be blacklisted is much lower. In Mike's proposed scheme to
not just blacklist, but actually take coinbases it's downright
profitable. Rather than being a last resort option, it'll be easy for
miners to propose various things be blacklisted, if the vote goes
through, great, if it doesn't, no harm done. Obviously that makes
blacklists into a much more useful tool and greatly changes the
political landscape around them.
Remember, if you're operating a publicly known pool, and there's a
voting mechanism available to you to blacklist specific blocks, how are
you going to resist pressure from your local authorities to do just when
there's no cost to you to do so?
--
'peter'[:-1]@petertodd.org
0000000000000000278031f86c71265f6eaf1fe9ce6cc831dc4f956676a7a7f7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140423/50cd1cfa/attachment.sig>