[Cryptography] blockchain and trustworthy computing

Natanael natanael.l at gmail.com
Thu Oct 1 03:08:16 EDT 2015


On 1 Oct 2015 05:38, "ianG" <iang at iang.org> wrote:
>
> Thought experiment.
>
> The blockchain [0] provides a way to do verifiable computing [1].
>
> Popularly under the tag of "smart contracts" these little scripts can be
> executed on every node, and the ability of the nodes to come together and
> find consensus on the state or results provides a way to not only compute,
> but also know that we have verifiably computed.

[...]

> If we have verifiable computing finally in the blockchain - a thesis -
> does this mean we now have a trustworthy computing platform?

[...]

> In practical terms, if I run a personal blockchain on my laptop, home
> computer, TV, android tablet, iPhone, and xWatch, have I created a
> trustworthy computing platform?  In the process, has the
> hardware-I-Don't-Trust conundrum been solved?
>
> Or, for a more hypothetical example, if I have an EPA-tester running on
> the blockchain calculating in turn over the various cars that are providing
> the nodes, does this solve the VW problem?

Yes and no.

It does nothing useful in the VW case. Their problem was insufficient data
from testing, no amount of trustworthiness in the processing can fix that.
You need trustworthy measurements in the right places.

The blockchain can provide some assurances that some chain of computations
were done correctly. But with what limits?

First of all, Bitcoin is essentially a shared fully public state machine
with version control - you're free to rewind it at will locally and try
again. It is *your* brain in a jar. The primary purpose of the construction
is to approximate a global consensus well enough to be practically useful
(majority proof-of-work chain wins). It isn't made for keeping secrets or
as an impenetrable C&C platform (for malware OR for your home), or for
providing guarantees about the trustworthiness of input data.

It was made to let the public collectively track the ownership history of
digital tokens, through using game theory to ensure there's a strong
incentive for a majority to cooperate. Essentially it is a big Access
Control List for digital money, and works because your digital signature
proves you are you, because it has a practical distribution method (mining
rewards) and because users are assumed to ensure they're connected to the
majority network, and therefore likely won't be fooled by acting on false
assignments of tokens.

Maybe you've seen the Enigma blockchain is using homomorphic encryption and
threshold key sharing to enable keeping secrets? But that's really just a
clever way of letting strangers perform Multiparty Computation for you,
with what that entails - if any majority of them is hacked or infiltrated
or collude, all secrets can be recovered. But maybe you happen to trust it
won't be compromised while you still need the inputs to remain secret?

There are Zero-knowledge proofs and homomorphic encryption with proofs of
correctness (see Zerocoin, Monero and others). Their limitation is that
they only prove the rules were followed ONCE, not that nobody ever
performed other computations as well on the inputs. It doesn't reveal
bruteforce attempts. If all you need to show is that the output was
computed correctly, that's fine. But if you're protecting a game with the
protocol, you can't stop the other player from evaluating the results of
other moves.

If you have a set of networked devices that trust each other internally,
you have a number of options.

You can move from proof-of-work to a notary network with you as a
gatekeeper (the Ripple model).

Then, first of all, your devices can log all their actions and decisions,
sign it together with the last block hash, and checkpoint it in a shared
blockchain (git?). All devices would only trust a chain signed by the other
trusted devices. This can be used to send commands, send alerts and to
provide a degree of verifiability of past actions. It can also be used for
other kinds of coordination.

If you make the blockchain be THE real world that matters for your own
devices, forced to iterate forwards without forks because all your devices
enforce that collectively, then you can extend the range of verifiable
actions. Just like how the Bitcoin blockchain (with majority proof-of-work)
is THE definition of who has control of what Bitcoins, your blockchain
would be the system that controls all of your network's access controls and
capabilities. Make every action that matters be verified collectively. But
the caveats above still apply - hacked devices can test multiple choices
internally to see what outcome is more desirable.

(More comments will come later. Gonna look up some other sources on what
kind of guarantees these constructions could provide.)
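The signed, hash-chained device log sketched in the post, as an added illustration that is not part of the original message: each trusted device authenticates its log entry together with the hash of the previous block, and a verifier accepts only a chain in which every block comes from a trusted device and links to its predecessor. Per-device HMAC keys stand in for the digital signatures the post describes (standard library only), and the device names and log entries are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample: per-device secret keys. In a real deployment each device
# would hold an asymmetric signing key; HMAC is used here so the example runs
# with the standard library only.
DEVICE_KEYS = {"laptop": b"laptop-secret", "tv": b"tv-secret", "tablet": b"tablet-secret"}
GENESIS_HASH = "0" * 64


def canonical(obj):
    """Deterministic serialization so hashes and authenticators are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def block_hash(block):
    return hashlib.sha256(canonical(block)).hexdigest()


def append_block(chain, device, action, keys=DEVICE_KEYS):
    """A trusted device records an action, binding it to the current chain head."""
    prev = block_hash(chain[-1]) if chain else GENESIS_HASH
    body = {"device": device, "action": action, "prev": prev}
    tag = hmac.new(keys[device], canonical(body), hashlib.sha256).hexdigest()
    block = dict(body, tag=tag)
    chain.append(block)
    return block


def verify_chain(chain, keys=DEVICE_KEYS):
    """Return (ok, reason). Every block must be authenticated by a trusted
    device and its prev field must equal the hash of the preceding block, so a
    forged, altered, spliced or rewound history is rejected. This does not stop
    a compromised device from choosing which action it commits (the caveat in
    the post); it only makes the committed history tamper-evident."""
    prev = GENESIS_HASH
    for i, block in enumerate(chain):
        key = keys.get(block.get("device"))
        if key is None:
            return False, f"block {i}: untrusted device {block.get('device')!r}"
        body = {k: block[k] for k in ("device", "action", "prev")}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, block.get("tag", "")):
            return False, f"block {i}: bad authenticator"
        if block["prev"] != prev:
            return False, f"block {i}: prev hash mismatch (fork, splice or rewind)"
        prev = block_hash(block)
    return True, "ok"
```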