[Cryptography] blockchain and trustworthy computing

ianG iang at iang.org
Fri Oct 9 10:52:55 EDT 2015


On 9/10/2015 02:57 am, Peter Todd wrote:
> On Mon, Oct 05, 2015 at 12:16:23PM -0400, ianG wrote:
>>> I really strongly disagree about the direction of what you're talking
>>> about.
>>
>>
>> I'm not pushing for a BIP to upturn mainnet, rather I'm thinking
>> about the world of private blockchains run for local or specific
>> purposes. I.e., the invention of the blockchain, not the one that
>> runs BTC.
>>
>> Is that still disagreeable?
>
> Yes! Again, I think we need to distinguish math - verification - from
> trust - non-verification.


Ahhh... I get the distinction.  Of course, ... how slow am I.


>>> I'd define trustworthy computing as being able to trust that a
>>> computation was done correctly without you checking it yourself. This
>>> implies that SPV clients are taking advantage of trustworthy computing
>>> because they trust miners; full nodes are not doing that because they
>>> verify the blockchain themselves.
>>
>>
>> Right, something like that.  To extend my (somewhat challenged)
>> analogy of the VW problem, a blockchain can be a private
>> permissioned one that is running inside the car, on all the
>> distributed brain chips.  EPA is one of the signatories that can
>> access, so it dials in and loads up a program (e.g., smart contract)
>> and does some computations.
>>
>> In this sense, the EPA is an SPV client user.  It's relying that the
>> car has a proper private blockchain on it, but once past that
>> hurdle, it's free to run trustworthy programs on there.
>
> So what do you mean by "proper private blockchain" - what specifically
> does that blockchain do to achieve trust?


I'm hypothetically envisaging a car with many CPUs in IoT form, each 
interfacing with their particular device (brakes, carburetion, 
entertainment, locks, etc) but also running a blockchain to handle 
computation.

(Maybe this is what 21c are trying to do, maybe not.  IBM are also 
toying in this IoT direction, as are others.)

Any signatory can put programs (smart contracts) into the car's 
blockchain to get run.  By 'proper' I mean it is certified by EPA or 
other agency, according to some procedure / requirements they design, 
like NIST or CC approvals.


> How does the EPA know the computations were done accurately?

In the same way that the SPV knows that things were done accurately - it 
sends in its transactions, gets them back, is happy.  As to what is 
happening under the hood, for that it relies on various institutional 
defences (auto-manufacturer honesty, annual vehicle checks).  In this 
sense, trust.

Alternatively, the rules could say that each agency that is interested 
must also put its own full node into the chain.  Now it gets to verify 
directly.  This node would build on the tradition of the odometer.


>>> In the Bitcoin world I think it's fair to say that most experts are very
>>> concerned about the high, and increasing, % of users who use SPV clients
>>> rather than run full nodes. While it's hard to predict exactly when this
>>> threshold is reached, at some point too few people will be actually
>>> verifying the blockchain to sufficiently strongly incentivise miners to
>>> follow the rules. For instance, at some point miners can create bitcoins
>>> out of thin air to increase their profits.
>>
>>
>> Yep - big problem with mainnet.  Fundamental problem here is that
>> energy enjoys economies of scale.  If all you are doing is
>> converting energy into zeroes, then next door to a Chinese
>> powerplant is the best deal going.  If anyone's read the novel
>> Accelerando, there are better alternatives coming, for now we're
>> stuck with China.
>
> The experience of China is the opposite to the idea that energy enjoys
> unlimited economies of scale - the Chinese mining community is
> relatively decentralized across China operating farms in a whole variety
> of locations. There's a limit to how much cheap/free energy you can get
> in one place and how much waste heat you can easily get rid of.


Indeed - note however that I didn't say "unlimited" as there are no such 
things as unlimited economies of scale, just a mix of economies and 
diseconomies to scale, which kick in at different points.

So, obviously, the hard limit to mining currently would appear to be the 
max output of the power station that one is sited next to.  The soft 
limit would be how much of that 100% the miner could ease across to 
mining, depending on the various business and economic factors.

(This reminds me of what we wrote in that hated article of 2011 on 
Gresham's Law and Bitcoin, "Building on the scenario of misallocated 
power costs by hobbyists or other users, what possibility is there for a 
simple power cost of zero?")

What you're saying is that the soft limit at any power station is well 
below the total mining needs, so decentralisation is still present.  Is 
there any research or investigation on the numbers on this new China 
Syndrome?


>>> Instead there has been work done on going the other direction: using
>>> better math to make verifying the blockchain cheaper and more practical.
>>> But again, this isn't an example of trustworthy computing! It's standard
>>> trustless computing, made more efficient by clever math.
>>
>>
>> What is the difference between trustless computing and trustworthy
>> computing?
>
> I define trustless computing simply to mean I prove to you I did some
> computation accurately with undeniable math. The easiest way to do that
> is for you to repeat the computation yourself - the way Bitcoin works.
>
> If we're going to make a meaningful distinction between that idea - what
> cryptography does all the time - and "trustworthy computing" the only
> concept that comes to mind is schemes that try to use non-cryptographic
> techniques to get trust out of systems. (remember the definition of a
> trusted component being something that can screw you over) TPM hardware
> is one such example; the economic incentives in Bitcoin another
> (possible) example. (albeit one apparently undermined by a lack of
> verification!)


Right, I see the distinction.  But the needs that both are trying to 
fulfill are more or less the same, albeit through different approaches. 
Trustless or verifiable computing dominates trustworthy computing, in 
that it has at least one less component to trust.

So maybe my claim is more that Blockchain has eliminated the need for 
trustworthy computing by moving to verifiable computing?



iang



ps; this is all to skip aside from the criticism that the term 
'trustless' suggests a perfect result, which we know as inadequate, even 
a dangerous assumption.
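
The SPV versus full-node distinction argued over in this thread, as an added example that is not part of the original post or of any Bitcoin implementation: a toy block whose coinbase pays out more than the rules allow still yields a valid Merkle inclusion proof, so an SPV-style check accepts it while a full re-validation rejects it. The transaction tuples, `SUBSIDY` value and function names are assumptions made for illustration, and proof-of-work and signatures are left out.

```python
import hashlib

SUBSIDY = 25  # assumed block reward for this toy model, not consensus code

def h(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def txid(tx):
    # tx is a constructed tuple: (label, value_in, value_out)
    return h(repr(tx).encode())

def merkle(leaves, index=0):
    """Return (root, branch): branch is the sibling path for leaves[index]."""
    level, branch = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # duplicate last node on odd levels
        branch.append(level[index ^ 1])      # sibling of the node we track
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch

def spv_accepts(root, leaf, index, branch):
    # Trust model: checks inclusion only, never looks at the other transactions.
    node = leaf
    for sibling in branch:
        node = h(sibling + node) if index & 1 else h(node + sibling)
        index //= 2
    return node == root

def full_node_accepts(root, txs):
    # Verification model: recompute the root and re-check every rule itself.
    if merkle([txid(t) for t in txs])[0] != root:
        return False
    if any(v_in < v_out for _, v_in, v_out in txs[1:]):
        return False                         # a payment spends more than it has
    fees = sum(v_in - v_out for _, v_in, v_out in txs[1:])
    return txs[0][2] <= SUBSIDY + fees       # coinbase may claim subsidy + fees

def demo(coinbase_out):
    """Build a constructed 3-tx block; return (spv_ok, full_node_ok)."""
    txs = [("coinbase", 0, coinbase_out),
           ("alice->bob", 10, 9),
           ("carol->dave", 5, 5)]
    ids = [txid(t) for t in txs]
    root, branch = merkle(ids, 1)            # client only cares about alice->bob
    return spv_accepts(root, ids[1], 1, branch), full_node_accepts(root, txs)

if __name__ == "__main__":
    print("honest block  :", demo(26))
    print("inflated block:", demo(1000))
```

The SPV result is the same for both blocks because the inclusion proof says nothing about the coinbase; only the party that re-runs the rules sees the inflation.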

