From: Paul Sztorc <truthcoin@gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Two Drivechain BIPs
Date: Tue, 5 Dec 2017 13:05:39 -0500 [thread overview]
Message-ID: <c898cc1c-d71c-de5c-aede-a2a4235656e0@gmail.com> (raw)
In-Reply-To: <CAB+qUq4wNv=-ZSibUvVCwYSE7Qw8xe8EH91KG6znUp1d7X=mdA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 5960 bytes --]
Hello Chris,
1. Marginal Cost
There actually is a very small cost to casting a malicious vote,
relative to an honest vote. This is because the software (when run
as-is), will automatically vote correctly. But to vote fraudulently you
must decide on what to do instead, and configure that! This might not be
as easy as it seems (see collective action part, below).
It is true that there is no *marginal* cost to creating a bad vote, in
the fraudulent withdrawal case. But then again there is no marginal cost
to creating a good vote either -- in fact there is no cost at all. In
fact, there is no marginal cost to creating a bad block either, in the
51% hashrate reorganization case. Epistemologically, the protocol has no
way of differentiating a "bad" block/vote from a good one. So one cannot
"cost" more than the other, in a narrow sense.
I suppose in the reorganization case there is the risk of lost mining
effort on a chain that actually does *not* have 51% and therefore won't
catch up. But this only encourages conformity to the longest chain,
including fraudulent chains. For example, imagine that the
reorganization is done via secretly mining a longer chain -- once that
chain is published, it will be the longest. Then, according to your
framework, there will be a "marginal cost" to doing the *right* thing
(trying to preserve the honest, transparent chain). So I'm afraid I
don't understand what you mean.
2. Repercussions
As for there being no repercussions, that is incorrect. The miner's
choice to engage in a fraudulent withdraw is one that has several
negative consequences. They take a variety of forms and likelihoods, but
they definitely exist and are very relevant.
The first repercussion is the loss of victim-sidechain future tx-fees. A
second is the loss of all future tx fees on all sidechains. A third is
that the Bitcoin super-network is changed from being a "sidechain
enabled" network to a "sidechain disabled" network.
The impact of these repercussions is still unclear and open to
interpretation. On one hand, the impact may be small and therefore not
very persuasive (as in the case where a sidechain has few tx-fees, few
sidechains are used, few are expected to be created/used, and so little
is lost by attacking). On the other hand, a single fraudulent withdrawal
might motivate the creation of a new spinoff network that is exactly the
same as the old network, but with merely two changes: the fraudulent
withdrawal surgically removed (as if it were never attempted) AND a new
proof of work algorithm. Since the withdrawals are so slow, there would
be plenty of time to organize such an option (and people who already
want a pow-change would jump at this glaring opportunity). Will the
repercussions be small or large? Even if there is only a *risk* of large
repercussions, it can be very persuasive. (Just as the IRS is very
persuasive to tax-paying Americans, even though only a tiny proportion
of tax returns are audited.)
0. Useless Sidechain Fallacy
Finally, you are joining the long list of people who are committing the
"useless sidechain fallacy". You are saying that because you believe the
sidechain is useless, therefore everyone must believe as you do, and
therefore the option to use a sidechain must be one that has zero value.
However, in the real world people are heterogeneous. They may decide
that your interpretation contains errors, or else their circumstances
might incline them towards a different risk-reward tradeoff. Finally,
this fallacy obfuscates the main benefit of sidechains, which is that
they are optional -- the sidechain-designer must convince users to
deposit funds there.
3. Collective Action Problem
There actually is a collective action problem inherent to fraudulent
withdrawals.
If miners wish to fraudulently withdraw from the sidechain, they need to
choose the destination addresses (on mainchain Bitcoin Core) months in
advance. Then they need to upvote/downvote this destination, despite
that fact that --during this time-- new hashpower might be coming
online/offline, and/or hashers might be joining/leaving specific pools.
I bring this up to demonstrate that even the most straightforward attack
(of "a 51% hashrate group attacks a sidechain and distributes the
proceeds to the group proportional to hashpower") is actually one that
contains a difficult (and potentially interminable) negotiation. The
effort required to initiate the negotiation is the source of the
collective action problem here.
I think that this collective action problem is actually more burdensome
than Bitcoin's -- for mainchain Bitcoin miners merely need to decide
which block height they intend to reorganize from.
You may wish to read Drivechain's security model to learn more:
http://www.truthcoin.info/blog/drivechain/#drivechains-security
In this case, I don't see a way to measure "security" cardinally or
ordinally. Instead, I am only able to see it as either "secure enough"
or "not secure enough". But perhaps someone can enlighten me as to the
math they are using to produce these cardinal/ordinal rankings.
--Paul
On 12/4/2017 2:36 PM, Chris Pacia wrote:
>
> I think you are missing a few things.
>
> First of all, I think the security model for sidechains is the same as
> that of every blockchain
>
> People will say things, like "but with sidechains 51% hashrate can
> steal
> your coins!", but as I have repeated many times, this is also true of
> mainchain btc-tx. is something else?
>
>
> There are substantial opportunity costs as well as a collective action
> problem when it comes to re-writing the mainchain.
>
> Is there anything similar for drivechains? As far as I can tell there
> is no opportunity cost to casting a malicious vote, no repercussions,
> and no collective action barrier that needs to be overcome.
>
> Unless I'm missing something I wouldn't liken the security of a
> drivechain to that of the mainchain.
[-- Attachment #2: Type: text/html, Size: 8032 bytes --]
next prev parent reply other threads:[~2017-12-05 18:05 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-01 18:38 [bitcoin-dev] Two Drivechain BIPs Paul Sztorc
2017-12-03 21:32 ` Matt Corallo
2017-12-04 19:05 ` Paul Sztorc
2017-12-04 19:36 ` Chris Pacia
2017-12-04 20:11 ` Chris Stewart
2017-12-05 19:55 ` Paul Sztorc
2017-12-07 7:28 ` ZmnSCPxj
2017-12-12 22:16 ` Paul Sztorc
2017-12-05 18:05 ` Paul Sztorc [this message]
2017-12-05 18:20 ` AJ West
2017-12-06 4:49 ` ZmnSCPxj
2017-12-06 20:51 ` CryptAxe
2017-12-08 15:40 ` ZmnSCPxj
2017-12-12 22:29 ` Paul Sztorc
2017-12-14 3:24 ` ZmnSCPxj
2017-12-05 7:41 ` Luke Dashjr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c898cc1c-d71c-de5c-aede-a2a4235656e0@gmail.com \
--to=truthcoin@gmail.com \
--cc=bitcoin-dev@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox