From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XlGUs-0004TB-5d for bitcoin-development@lists.sourceforge.net; Mon, 03 Nov 2014 12:12:34 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.212.177 as permitted sender) client-ip=209.85.212.177; envelope-from=alex.mizrahi@gmail.com; helo=mail-wi0-f177.google.com; Received: from mail-wi0-f177.google.com ([209.85.212.177]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1XlGUq-0000VP-Nt for bitcoin-development@lists.sourceforge.net; Mon, 03 Nov 2014 12:12:34 +0000 Received: by mail-wi0-f177.google.com with SMTP id ex7so6176821wid.16 for ; Mon, 03 Nov 2014 04:12:26 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.194.187.164 with SMTP id ft4mr46905960wjc.76.1415016746520; Mon, 03 Nov 2014 04:12:26 -0800 (PST) Received: by 10.27.203.138 with HTTP; Mon, 3 Nov 2014 04:12:26 -0800 (PST) In-Reply-To: References: Date: Mon, 3 Nov 2014 14:12:26 +0200 Message-ID: From: Alex Mizrahi To: Bitcoin-Dev Content-Type: multipart/alternative; boundary=047d7b874b268715540506f34259 X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (alex.mizrahi[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1XlGUq-0000VP-Nt Subject: Re: [Bitcoin-development] side-chains & 2-way pegging (Re: is there a way to do bitcoin-staging?) X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Nov 2014 12:12:34 -0000 --047d7b874b268715540506f34259 Content-Type: text/plain; charset=UTF-8 > For those following this thread, we have now written a paper > describing the side-chains, 2-way pegs and compact SPV proofs. > (With additional authors Andrew Poelstra & Andrew Miller). > > http://blockstream.com/sidechains.pdf Haven't seen any material discussion of this paper in this mailing list, so I'll start. (Otherwise, I've seen Peter Todd's reaction on reddit.) This paper fails to demonstrate that sidechains are anything more than a wishful thinking. It can be distilled down to this: "We want such and such features, hence we'll use DMMS, the same thing Bitcoin uses, thus it will be secure!" Um, no. Alt-coins also use DMMS, but aren't as secure as Bitcoin. So DMMS does not work by itself, it is a mechanism to secure a blockchain using economic incentives. The sidechains paper does not mention this, as far as I can tell. In my opinion, this is not acceptable. If you're making a proposal, you need to describe what conditions are required for it to work. Authors are clearly aware of the problem and mention it in section 6 "Future directions" 6.1. "Hashpower attack resistance". The problem is they do not make it clear that the proposal just makes no sense until this is solved. In the discussions on reddit I've noticed that pretty much everybody believes that release of sidechains paper implies that the proposal is complete and now we are just waiting the implementation. It doesn't help that the paper itself tries to sweep the problem under the rug and has misleading statements. Particularly, I'm talking about section "4.2. Fraudulent transfers": "Reorganisations of arbitrary depth are in principle possible, which could allow an attacker to completely transfer coins between sidechains before causing a reorganisation longer than the contest period on the sending chain to undo its half of the transfer. ... If the attacker is allowed to return the transferred coins to the original chain, he would increase the number of coins in his possession at the expense of other users of the sidechain. Before discussing how to handle this, we observe that this risk can be made arbitrarily small by simply increasing the contest period for transfers." Wow, really? Is this risk stochastic? The first sentence implies that attacker is able to cause a reorganization of an arbitrary depth, but the rest of the section implies that reorganizations are a naturally occurring phenomenon. All in all, I find this paper really disappointing. It's going to be influential (9 co-authors, many of which are regarded as Bitcoin core developers, must be good!) and hyped, and thus might focus research on an area which is fundamentally flawed. --047d7b874b268715540506f34259 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

=
For those following this thread, we have now written a pap= er
describing the side-chains, 2-way pegs and compact SPV proofs.
(With additional authors Andrew Poelstra & Andrew Miller).

http://= blockstream.com/sidechains.pdf

Haven= 9;t seen any material discussion of this paper in this mailing list, so I&#= 39;ll start.=C2=A0
(Otherwise, I've seen Peter Todd's rea= ction on reddit.)

This paper fails to demonstrate = that sidechains are anything more than a wishful thinking.
It can= be distilled down to this:
"We want such and such features,= hence we'll use DMMS, the same thing Bitcoin uses, thus it will be sec= ure!"
Um, no.=C2=A0
Alt-coins also use DMMS, but a= ren't as secure as Bitcoin.

So DMMS does not w= ork by itself, it is a mechanism to secure a blockchain using economic ince= ntives.
The sidechains paper does not mention this, as far as I c= an tell.

In my opinion, this is not acceptable. If= you're making a proposal, you need to describe what conditions are req= uired for it to work.

Authors are clearly aware of= the problem and mention it in section 6 "Future directions" 6.1.= "Hashpower attack resistance".
The problem is they do = not make it clear that the proposal just makes no sense until this is solve= d.

In the discussions on reddit I've noticed t= hat pretty much everybody believes that release of sidechains paper implies= that the proposal is complete and now we are just waiting the implementati= on.

It doesn't help that the paper itself trie= s to sweep the problem under the rug and has misleading statements.
Particularly, I'm talking about section "4.2. Fraudulent transf= ers":

"Reorganisations of arbitrary dept= h are in principle possible, which could allow an attacker to
com= pletely transfer coins between sidechains before causing a reorganisation l= onger than the contest
period on the sending chain to undo its ha= lf of the transfer. ...=C2=A0If the attacker is allowed to return the trans= ferred coins to =C2=A0the original
chain, he would increase the n= umber of coins in his possession at the expense of other users of the sidec= hain.
Before discussing how to handle this, we observe that this = risk can be made arbitrarily small by
simply increasing the conte= st period for transfers."

Wow, really? Is thi= s risk stochastic?

The first sentence implies that= attacker is able to cause a reorganization of an arbitrary depth, but the = rest of the section implies that reorganizations are a naturally occurring = phenomenon.

All in all, I find this paper really d= isappointing. It's going to be influential (9 co-authors, many of which= are regarded as Bitcoin core developers, must be good!) and hyped, and thu= s might focus research on an area which is fundamentally flawed.
=

--047d7b874b268715540506f34259--