<div dir="ltr"><div class="gmail_extra">

<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">On Mon, Feb 12, 2018 at 9:27 PM, John Levine<span> </span></span><span dir="ltr" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><<a href="mailto:johnl@iecc.com" target="_blank" style="color:rgb(17,85,204)">johnl@iecc.com</a>></span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span> </span>wrote:</span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><blockquote class="gmail_quote" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">In article <CACMCW-PHGXRjqck3mzvs7EsBYxZ=<a href="mailto:VT_p29xSPMdBE5hRSHq45w@mail.gmail.com" style="color:rgb(17,85,204)"><wbr>VT_p29xSPMdBE5hRSHq45w@mail.<wbr>gmail.com</a>> you write:<br>>1. PoW can be good to fight against SPAM/DOS attacks where you distribute<br></span>>the load to the endpoint/user rather than concentrate it on the system. ...<br><br>This is a WKBI.  The original proof of work idea to deter spam was<br>Dwork and Naor's Pennyblack in 1992.  While it was certainly clever,<br>it didn't work and doesn't work.  I ran into Dwork at a conference<br>some years later and she agreed that it's too easy to circumvent.<br><br>Ben Laurie and Richard Clayton hammered stakes through it<br>in 2004, but nothing of importance has changed since then.<br><br><a href="https://www.cl.cam.ac.uk/~rnc1/proofwork.pdf" rel="noreferrer" target="_blank" style="color:rgb(17,85,204)">https://www.cl.cam.ac.uk/~<wbr>rnc1/proofwork.pdf</a><br><br></blockquote><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Thanks for the paper. However, the paper just justifies my point, if you read the whole paragraph. Let me present a train of thought as an example:</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Assumptions:</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">1. The Establishment (Gov+FED+Banks+Corproteuracy) is under the threat of disruption by Bitcoin.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">2. It fights back for survival when this threat becomes serious.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">3. It has enough power (money) to get more than 50% hash power.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">The attack scenario:</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">1. The attacker (the Establishment) gains the majority hash-power to rule the longest chain. Deciding what transactions to select from the mempool, deciding the next block. </div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">2. The attacker forms sybil agents. This is trivial.<span> </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Thanks to permisionlessness:)</span><span> </span>Bitcoin indeed recommends everyone to create sybil agents for each transaction (key pairs/addresses).</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">3. The attacker fuels its sybil agents with a constant (not much) amount of bitcoins.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">4. Sybil agents flood the system with valid transaction requests with transaction fees<span> </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">varying<span> </span></span>slightly above the average.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">5. Sybil miners select these valid sybil transactions filling the entire block space and denying most if not all of the honest transactions.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">6. Sybil miners send the transaction fees back to the sybil agents through atomic swap, zero knowledge, etc. pathways escaping tracking. Thanks to privacy:) </div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">7. The feedback loop provides the vicious cycle which helps the attacker sustain an infinite loop attack with a constant amount of money. We all know that no one (not even Bitcoin) survives an infinite loop.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Since Bitcoin is censor-proof, your coin equals mine, all valid transactions are equal, it is legitimate that transaction fees can determine the choice from the mempool and that the system is based on dont-trust-the-miners game theoretical approach. There is no solution to the above attack scenario. Actually, it would be non-trivial to understand the system is under attack. I could not find a solution in Bitcoin. I shared it with top technical guys this weekend at the Bitcoin Ethereum Superconference in Dallas. And none provided an answer. Some said it is mathematically impossible to find a solution and admitted that it is a serious problem. One very famous, legendary developer said that this is not a problem because such an attack will not happen. He was drunk and I did not take him seriously apart from the observation that people can become very religious on scientific topics. I forwarded this observation as a warning to myself.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">The above scenario owes its success to the feedback loop from the miners back to the sybil agents. Otherwise, we would not bother the cost of 51% hash-power. Just send valid transaction requests involving higher transaction fees to flood the system. As long as you do not control the blockchain you may keep spending transaction fees irreversibly and cannot guarantee to block the entire chain. Miners (pool managers) aware of the attack may collaborate to deny your transactions not to lose their business in the long term. <span> </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">That feedback loop is possible because POW is based on a scheme based on a fair race against the adversary. This makes it easy for the attacker to acquire the authoritative power on the system. Amazing design insisted with the assumption that the powerful target to disrupt will not attack back for survival! </span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">There are other less costly, more effective super-rational attack scenarios involving speculative approaches and it can easily be shown that the superrational attacker can get the entire cryptocurrency space down easily through the vicious-cycle scheme described above together with helper methods. The attacker can use its Exchange in a collision with its sybil miners to allow rushes from Bitcoin towards the target currency (say USD). In this scenario, everybody would run to save their precious money not giving a damn to Bitcoin.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Long story short: PoW is a bad idea to be used on the processor side. It is an extremely inefficient way to secure the system. If use PoW (I don't recommend at all) use only when you can provide any degree of an unfair race against the attacker. Even then it has its own issues.</div><div class="gmail_extra"><br></div>POS and DPOS are also vulnerable to the above attack because the super-rational attacker can get the majority of the stake and as we learned from our democracy practice money gets the votes. At DPOS people vote for candidates they do not know in person. They vote based on incentives, lotteries advertised in campaigns. The super-rational attacker with more money (and gain) would propose more, campaign better to attract more votes. Secret services (like CIA) have such professional spies and entities that it will be impossible for us to identify their real identities. They span the entire space of people from selling hotdog on the street to presidents of countries. It would be naive to guarantee that DPOS will never allow money to get majority stake. Indeed, this weekend, I challenged Stan Larimer (the godfather of Bitshares) face to face in a friendly manner among his fans with the above attack scenario and he could not provide a solution and said "let's forward this to Dan" giving me his email.</div><div class="gmail_extra"><br></div><div class="gmail_extra">This is what I call the anchor to iceberg problem. POW, DPOS, DPOS all anchor to things that are convertible to money. This allows the super-rational attacker to gain control of the system provided that it has enough money to spare. This combined with the game-theoretical, permisionless, censor-proof, privacy-seeking system dictates the fact that any crypto-currency system immune to super-rational attack must anchor to something that gives the hard promise like the sun rising every morning from the east and going down every evening on the west. A very simple promise. But a hard one to break. A hard promise that you cannot break with money.<br class="gmail-Apple-interchange-newline">

<br></div></div>