[Cryptography] Preventing co-op notary defection

Ben Laurie ben at links.org
Mon Jul 7 05:11:03 EDT 2014 

On 7 July 2014 03:15, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>
>
>
> On Sun, Jul 6, 2014 at 3:40 PM, Ben Laurie <ben at links.org> wrote:
>>
>> On 1 July 2014 16:19, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>> > So here is my alternative, a co-op notary which operates under rules
>> > that
>> > are designed to make it coercion proof after some time t which is
>> > sufficiently close to the current time (i.e. no more than one to 24
>> > hours
>> > behind depending on taste).
>>
>> Isn't this essentially what I proposed here:
>> http://www.links.org/files/distributed-currency.pdf?
>
>
> Somewhat, and that is similar to a scheme I have proposed in non-bitcoin
> contexts before. The difference is the level of detail.
>
> The change over my previous iterations is that I originally assumed that the
> members of the association would have to be very carefully selected and
> agree to operate the service essentially forever. A bit like being a DNS
> root. The only way out is to pass the responsibility on to someone else.
>
> I now think that the co-op can be a lot looser and essentially
> self-governing.
>
> In particular a concern I had before was that a notary could defect by
> refusing to notarize an input and required a super-nortary to decide what
> was going to be signed. Closer analysis suggests this possibility can be
> controlled if the members of the co-op monitor each other and vote for the
> next hash to be signed.

This I agree with, and is what I said in the paper.

> So yes, your mintettes are voting in a similar way but as part of a "central
> authority". I think the voting scheme brings sufficiently effective controls
> as to dispense with the need for a central authority. I think it is possible
> for it to become a genuine peer scheme with loose binding.

Bottom line: don't believe it. How do I, as a relying party, determine
when agreement has been reached? How do members of this "loose
binding" determine it? Once more you are back to establishing
consensus in an unknown group.

This seems like the core problem with Ripple, too, BTW.

> Maybe not such a big step technically but I think it would make a huge
> difference to how certain parties would accept the scheme.

By pretending you can do the impossible? Always a hit, in my experience.

More information about the cryptography mailing list