[Cryptography] Electronic currency revived after 20-year hiatus

Peter Todd pete at petertodd.org
Thu Aug 18 20:49:12 EDT 2016


On Thu, Aug 18, 2016 at 06:56:12PM -0400, Allen wrote:
> >
> > That's the thing with proof-of-work: you get that guarantee even if miners
> > aren't honest.
> 
> 
> Actually, with PoW, there is no guarantee--there is just a probabilistic
> property subject to certain assumptions about computing resources and how
> they are expended.  In fact, even if the miners are honest at the time,
> later miners can go back and rewrite the blockchain at any time by creating
> a higher cumulative PoW.  Conversely, with block signing and key rotation,

Of course they can do that. My point is creating a higher cumulative PoW is
provably expensive, and because mining is profitable in general, you get
reasonably good probabilities on how much real world cost that action incurs;
those attackers are _forced_ to incur a large expense regardless of the honesty
or dishonesty of miners.

Also, complaining that this is only a "probabilistic" guarantee is silly: real
systems are always probabilistic. Even in your "guaranteed deletion" system, in
a real system there's a non-zero probability that the key deletion will fail,
and rollback will become possible.

> you do get a guarantee--if a majority of the miners are honest at the time
> and overwrite their private signing key after each block, that does
> guarantee the block is permanent and can never be revised.  Note that
> neither system (and I believe no system) is going to work if a majority of
> miners are dishonest, so I don't think that assumption places a higher
> burden on either system.

Bitcoin works just fine if the majority of miners are dishonest, so long as
they are economically rational within the context of the Bitcoin protocol (e.g.
they're not getting out-of-band payments from state actors larger than the
mining reward). If Bitcoin required miners to behave "honestly" it'd be a much
less secure system.

And like I said before, you're free to combine both PoW security and
key-deletion security additively - something I'd recommend system designers to
consider doing given that Bitcoin exists already.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org