[Cryptography] What has Bitcoin achieved?

Bear bear at sonic.net
Tue Jun 24 19:12:56 EDT 2014


On Tue, 2014-06-24 at 16:40 -0400, L. M. Goodman wrote:
> On 6/24/2014 at 4:06 PM, "Bear" <bear at sonic.net> wrote:

> >This means it is transactions, and not mining, that support the 
> >security of the blockchain.   In order for transaction support to 
> >be finite (necessarily count for only one side of the fork) it is 
> >necessary for transactions to give a block hash from the blockchain
> >they support.  

<clip>

> >But this is still a partial solution.  There is still a flaw in
> >that someone making a transaction can easily make it in both 
> >sides of a fork, therefore supporting neither.  

> Another flaw in TAPOS is that the weight given by a transaction to the chain can be extremely high. Thus, an attacker can force a reorganization and successfully double spend merely by keeping a large txout handy, ready to be spent on the fork.

TAPOS?  <quick duckduckgo search> Transactions as Proof of Stake....
Okay. Cool name. Hmm, I wonder which of us thought of it first.  
Could be they got it from my first article on Bitcointalk.  

The attack you describe works if the attacker waits for a fork, 
then spends txout A for (say) 100 coins in one branch of the fork 
and spends txout B for (say) 10000 coins in the other branch, 
which, if accepted, will 'unspend' his 100-coin transaction.    

If the blocks are averaging substantially less than 10K coins 
in legitimate transactions per block, the 10K spend supporting
the fork is likely to get the fork accepted.  The 100-coin 
spend, unless attached to a block prior to the fork, cannot be 
replayed into the other fork, and so the coins are 'unspent'.  

OTOH, the prospect of discounting large transactions, even a 
little bit, to attempt to correct that problem would open up 
new avenues of attack exploiting the "correction."

The alternative is to make sure that transactions turn the money 
over with high frequency, assuring very large transaction volume
per block.  One could structure proof-of-stake incentives so they
work hardest when turning the entire money supply over every 24 
hours, and in that case the attacker would have to do something 
pretty amazing to overcome the volume.  

> In general, unless the weight of each block is bounded and the average block has a weight close to that bound, you're subject to this type of attacks.

I don't buy that as a solution; anything that bounds the 
weight of each block or constrains its weight to be close to the 
bound invites attacks via deliberate invocation of the regulatory 
mechanisms.  As far as I can see, the only practical constraint on 
block volume for maximizing security with TaPoS is "as much as
practical". 

				Bear
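The fork-choice arithmetic behind the attack Bear describes above, as an added worked example; this is not code from the post, the thread, or any TaPoS implementation. It assumes a toy weighting rule (a transaction commits to one block hash; a branch's weight is the summed coin value of the transactions committing to blocks on it, so a commitment to a pre-fork block counts for both sides; the heavier tip wins) and uses constructed block hashes, txids and amounts. The honest share of volume sent to branch A (`honest_share_a`) and the 500-coin pre-fork transaction are assumptions added to make the two branches differ.

```python
"""Toy fork-choice model for Transactions-as-Proof-of-Stake (TaPoS).

Added illustration, not code from the original post or thread. Assumptions:
a transaction commits to one block hash; a branch's weight is the summed coin
value of every transaction committing to a block on that branch (so a
commitment to a pre-fork block counts for both sides); the heavier tip wins.
All block hashes, txids and amounts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tx:
    txid: str
    value: int       # coins moved; under TaPoS this is the weight contributed
    supports: str    # hash of the block this transaction commits to


@dataclass
class Block:
    hash: str
    parent: Optional[str]
    txs: list


def branch(blocks: dict, tip: str) -> list:
    """Blocks from genesis up to `tip`, following parent links."""
    out, h = [], tip
    while h is not None:
        out.append(blocks[h])
        h = blocks[h].parent
    return out[::-1]


def weight(blocks: dict, tip: str) -> int:
    """TaPoS weight of the branch ending at `tip`."""
    chain = branch(blocks, tip)
    on_branch = {b.hash for b in chain}
    return sum(tx.value for b in chain for tx in b.txs if tx.supports in on_branch)


def fork_choice(blocks: dict, tips: list):
    """Return (winning tip, {tip: weight}) for the competing tips."""
    w = {t: weight(blocks, t) for t in tips}
    return max(w, key=w.get), w


def double_spend_scenario(honest_per_block: int, honest_share_a: float,
                          depth: int, small_spend: int = 100,
                          big_spend: int = 10_000):
    """Build the attack from the post: the attacker pays a merchant
    `small_spend` on branch A and spends a `big_spend` txout on branch B.
    Honest volume per block is split between the branches by honest_share_a
    (an assumed parameter). Returns (winning tip, weights per tip, whether
    the merchant payment is on the winning branch)."""
    blocks = {"g": Block("g", None, [])}
    # Last common block; the tx committing to it counts for both branches
    # ("attached to a block prior to the fork" in the post).
    blocks["f"] = Block("f", "g", [Tx("prefork", 500, "f")])
    for i in range(depth):
        ah, bh = f"a{i}", f"b{i}"
        ap = "f" if i == 0 else f"a{i - 1}"
        bp = "f" if i == 0 else f"b{i - 1}"
        a_txs = [Tx(f"honest-a{i}", round(honest_per_block * honest_share_a), ah)]
        b_txs = [Tx(f"honest-b{i}", round(honest_per_block * (1 - honest_share_a)), bh)]
        if i == 0:
            # Attacker's two spends: one per branch, different txouts.
            a_txs.append(Tx("attacker-pays-merchant", small_spend, ah))
            b_txs.append(Tx("attacker-big-txout", big_spend, bh))
        blocks[ah] = Block(ah, ap, a_txs)
        blocks[bh] = Block(bh, bp, b_txs)
    winner, w = fork_choice(blocks, [f"a{depth - 1}", f"b{depth - 1}"])
    merchant_paid = any(tx.txid == "attacker-pays-merchant"
                        for b in branch(blocks, winner) for tx in b.txs)
    return winner, w, merchant_paid


if __name__ == "__main__":
    # Thin honest volume (1,000 coins/block): the 10,000-coin spend drags the
    # fork to branch B and the 100-coin payment on branch A is "unspent".
    print(double_spend_scenario(1_000, 0.6, 3))
    # High turnover (100,000 coins/block): honest weight swamps the attacker.
    print(double_spend_scenario(100_000, 0.6, 3))
```

With honest volume at 1,000 coins per block and a 60/40 honest split over three blocks, branch A carries 500 + 3×600 + 100 = 2,400 and branch B carries 500 + 3×400 + 10,000 = 11,700, so the attacker's branch wins and the merchant payment is not on the canonical chain. Raising honest volume to 100,000 per block (the "turn the money supply over every 24 hours" regime in the post) gives 180,600 against 130,500 and the honest branch holds; in this model the attacker needs his big spend to exceed the honest volume imbalance, `depth * honest_per_block * (2 * honest_share_a - 1)`, plus his own small spend.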
