public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Adam Back <adam@cypherspace.org>
To: Gregory Maxwell <gmaxwell@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Discovery/addr packets (was: Service bits for pruned nodes)
Date: Mon, 6 May 2013 20:32:22 +0200	[thread overview]
Message-ID: <20130506183222.GB3797@netbook.cypherspace.org> (raw)
In-Reply-To: <CAAS2fgQWnZ_yPA7G4LNwk655CxTD9WZf0f-cb5xd3TFzpBB2_g@mail.gmail.com>

btw with nodes for transport security you might use self-certifying keys. 
Referring to Zooko's triangle, then the key is the node identity.  Similar
to a bitcion address.  So then just another ECDSA key and use emphemeral
ECDH for transport authenticated with the nodes key.

Maybe there can be some value to reputation to a node - eg it can charge a
higher micropayment for its p2p network services, a node with a good
reptuation could charge a higher micropayment for relaying (though bitcoin
itself probably doesnt like micropayments as bloating the transaction log).

Another ZKS era idea I had was to have a gossip protocol for users to find
out what other people think about the trustworthiness and reliability of
nodes.  If that info is distributed via gossip over multiple channels and
network connections over time, and kept in something like a gnutella host
cache (just a cache of random info with some eg random replacement policy)
it becomes very hard for a dishonest node to censor evidence of its low
reputation.

It is best as Gregory said to be able to directly prove, and punish by
block-chain validation, because that is more smart-contract like.  Bisbehave
and nodes wont connect to you or lose somehow.

But what exactly could you prove about a node?  You dont really know if a
node is an originator for a double spend, it could be relay.  And for
privacy and security you cant expect the node to use its coin address
private key.

Hmm: maybe one could use a Brands private credential with offline double
spend detection, with the reputation but not coin address of the node
disclosed, and the nodes coin address embedded in the proof.  Each node
could be is own CA, providing a ZKP.  If the node ever double spends a coin,
it loses its reputation as the coin address is revealed.

btw another old idea was to require proof of the existance of the private
key of a high value coin in the double-spend revealed information.  Then
basically to get a higher good-behaviour bond, the node ties up more coins,
and if a node cheats, the first person to discover this collects the
forfeited good behaviour bond.

Adam

ps I have an opensource openSSL based Brands (& Chaum) credential library at
http://www.cypherspace.org/credlb/ I didnt actually implement the ECDL
version, just the DL version, but that is not so hard, and its on my todo
list.  (There is also a strong RSA assumption version, also not
implemented).

On Mon, May 06, 2013 at 11:01:22AM -0700, Gregory Maxwell wrote:
>> 1) Non-repudiation is only useful with fraud proofs, and they will have
>> to be thought out for everything the node might claim.
>
>That isn't so. If a node is reliably rogue I can go manually gather
>evidence and people can manually take action against it.  Consider the
>DNSseeds, right now fraud proofs really wouldn't matter— the limited
>amount of trust put in those things is based not on "oh no, nodes will
>ignore you in the future if you're bad", it's based on the ability of
>misconduct to sully the operator's reputation.
>
>But without non-repudiation the ability to tie reputation to good
>behavior is fairly limited especially if they perform targeted
>attacks. "Wasn't me"
>
>Instead— I'd argue that non-repudiation is always useful when there is
>trust. It's things like fidelity bonds— a trust generator that depend
>on automatic enforcement— that are only useful with fraud proofs.
>
>> Anyway, the concept of a per-node identity keypair is the first step
>> towards non-repudiation, and implementing SSL transport.
>
>Yea, indeed, per-node keys are useful for a bunch of things. Care is
>needed to avoid problems like deanonymizing use over tor with them.
>
>------------------------------------------------------------------------------
>Learn Graph Databases - Download FREE O'Reilly Book
>"Graph Databases" is the definitive new guide to graph databases and
>their applications. This 200-page book is written by three acclaimed
>leaders in the field. The early access version is available now.
>Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
>_______________________________________________
>Bitcoin-development mailing list
>Bitcoin-development@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/bitcoin-development



  parent reply	other threads:[~2013-05-06 18:32 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-05-06 14:58 [Bitcoin-development] Discovery/addr packets (was: Service bits for pruned nodes) Mike Hearn
2013-05-06 16:12 ` Peter Todd
2013-05-06 16:20   ` Jeff Garzik
2013-05-06 16:34     ` Mike Hearn
2013-05-06 16:37     ` Peter Todd
2013-05-06 16:47       ` Mike Hearn
2013-05-06 17:19         ` Peter Todd
2013-05-06 17:25           ` Jeff Garzik
2013-05-06 17:42           ` Gregory Maxwell
2013-05-06 17:53             ` Peter Todd
2013-05-06 18:01               ` Gregory Maxwell
2013-05-06 18:19                 ` Peter Todd
2013-05-06 18:32                 ` Adam Back [this message]
2013-05-06 19:08                   ` Peter Todd
2013-05-06 19:50                     ` Adam Back
2013-05-06 20:43                       ` Peter Todd
2013-05-06 23:44                         ` Peter Todd
2013-05-07  9:00           ` Mike Hearn
2013-05-09  0:57             ` John Dillon
2013-05-06 18:04         ` Adam Back
2013-05-06 18:25           ` Gregory Maxwell
2013-05-06 22:51             ` [Bitcoin-development] limits of network hacking/netsplits (was: Discovery/addr packets) Adam Back
2013-05-06 23:13               ` Gregory Maxwell
2013-05-07  4:48                 ` Petr Praus
2013-05-07 21:07                   ` Matt Corallo
2013-05-07  9:17                 ` Mike Hearn
2013-05-07 11:07                   ` Adam Back
2013-05-07 12:04                     ` Mike Hearn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130506183222.GB3797@netbook.cypherspace.org \
    --to=adam@cypherspace.org \
    --cc=bitcoin-development@lists.sourceforge.net \
    --cc=gmaxwell@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox