[148477] in cryptography@c2.net mail archive


Re: [Cryptography] DNSNMC deprecates Certificate Authorities and

daemon@ATHENA.MIT.EDU (Greg)
Mon Dec 16 18:58:13 2013

X-Original-To: cryptography@metzdowd.com
From: Greg <greg@kinostudios.com>
In-Reply-To: <CAG5KPzyjMu3Fi7CYeP9Hk-PwWqsugDeAmKp9Xp7kTNcXycw8cQ@mail.gmail.com>
Date: Mon, 16 Dec 2013 16:33:06 -0500
To: Ben Laurie <ben@links.org>
Cc: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


Hey Ben,

On Dec 15, 2013, at 6:21 AM, Ben Laurie <ben@links.org> wrote:

> As I pointed out elsewhere, Bitcoin (and hence Namecoin) is not
> decentralised: http://www.links.org/files/decentralised-currencies.pdf.


Thank you for the link to this paper.

I needed to find the time to actually read this and get back to you. I've now done this.

You've posted this reply to a number of lists that we're both subscribed to, so I'm going to send this reply to each one:

My reply can be summarized (mostly) by Vladimir's response to your paper here:

https://bitcointalk.org/index.php?topic=25760.msg372591#msg372591

For the list's sake, here are the salient points Sir Vladimir makes:

> Than, first of all, he is trying to solve a non-problem and fails to see that issue he is trying to solve is not a bug but a feature.

This is in reference to your criticism of proof-of-work. Here's the rest of his comment on that particular point:

> There is no problem with energy consumption, it is a very low price to
> pay for getting rid of all the middlemen leaching a few percent from
> every money transfer. Moreover, energy spent by miners on securing the
> bloc chain is rather negligible in comparison to energy spent on other
> ways to do money, when you consider, for example energy, required to
> haul all the cash and gold in armoured trucks, smelting gold bullions,
> coining coins, smelting metal for the bank vaults and so on...

Second criticism of your paper is as follows (again, I'll just copy Vlad's comments here):

> Second of all, his "efficient solution" is very weak. Essentially, he
> is proposing to replace voting weighted by pure computational power
> (surely not very energy efficient way) to voting weighted by a number
> of clients plugged into the network, without proposing any viable way
> (since it is impossible) to ensure that this number of clients is not
> faked. Therefore, he is effectively shifting proof-of-work concept
> from doing lots of sha-256 calculations to opening lots of ports on
> lots of IP's simultaneously. This could solve a problem of quick
> propagations and wide distribution of information, but surely not a
> problem of "double spending". Total epic fail!

Somehow, you seem to have completely missed the point of Bitcoin's proof-of-work. It's right there in the original paper:

> The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote.

Vladimir made one final comment (not too important though, but I'll include it anyway):

> He also has completely missed economic part of the system where
> initial bitcoin inflation serves the purpose of subsidy to enable
> quick growth of the network and making it secure from 50% attacks.

However, all of these points made by Vladimir do not destroy the point your paper makes entirely. They just badly bruise it.

IMO, the only legitimate criticism of Bitcoin contained in your paper is the following:

> If, for example, 1% of the total power available[7] is used to produce Bitcoins at present (in fact, the amount is far less than that), then at any point someone could come along with a further 1.1% of the total power and use this to define their own consensus[8], thus invalidating all the work, and all the money, of the initial group, and instead take possession of the entire currency for themselves.

This is referring to (or at least should be referring to) the idea of an attacker making their own "fake fork" that they control through superior-CPU power.

The strength of your argument (IMO) rests on this one issue: Whether or not there exists an attacker with the computational power necessary to take over the network.

This is a legitimate question, and combined with the observations made by Vladimir, it implies two takeaway points:

1. Your suggestion for an "efficient alternative" to Bitcoin appears to be inferior to Bitcoin because it appears to be based on one-IP-one-vote (rejected in the original paper).

2. Bitcoin's legitimacy and trustworthiness depends on whether or not there exists (or can exist) an entity with more horsepower than all more than 50% of the nodes on the network. This is old news.

The Bitcoin community has been discussing the 51% attack for a while and appears to be working on addressing the issue:

https://en.bitcoin.it/wiki/Proof_of_blockchain_fair_sharing

In case it's of interest to someone, here are two sites about known attacks on Bitcoin:

http://codinginmysleep.com/bitcoin-attacks-in-plain-english/
https://en.bitcoin.it/wiki/Double-spending

Cheers,
Greg


--
Please do not email me anything that you are not comfortable also sharing with the NSA.


