[Cryptography] Robust Linked Timestamps without Proof of Work.

Phillip Hallam-Baker phill at hallambaker.com
Fri Aug 19 20:55:10 EDT 2016


On Fri, Aug 19, 2016 at 6:07 PM, Jameson Lopp <jameson.lopp at gmail.com>
wrote:

>
>
> On Fri, Aug 19, 2016 at 12:05 PM, Phillip Hallam-Baker <
> phill at hallambaker.com> wrote:
>
>>
>> ​Let us say for the sake of argument that in the near future there will
>> be 100 OpenPGP KeyServers that operate in a manner similar to today's
>> servers based on Brian LaMachias' MIT server ​with two changes:
>>
>> 1) Every key server maintains a link timestamp of all data submitted
>> (keys, signatures, etc.)
>>
>> 2) Every hour, each server cross-timestamps their current timestamp value
>> with at least ten other servers chosen at random
>>
>> Let us further assume that I can establish a userbase of a million users.
>> Which I think is actually quite plausible if I can persuade the S/MIME folk
>> to use the infrastructure as well as the OpenPGP folk.
>>
>> To verify a timestamp value, a verifier checks the timestamp chain of
>> five or so randomly chosen servers.
>>
>
> Sure; let's say for the sake of argument that I decide to run 10,000
> OpenPGP KeyServers and sybil attack your network. It sounds like I'd be
> able to falsify data with a high rate of success. The numbers you choose
> are likely irrelevant; I suspect that any such system would inevitably turn
> into a form of "proof of work" as described by Paul Sztorc:
> http://www.truthcoin.info/blog/pow-cheapest/
>

​Explain the attack more fully. Assume that each server is signing each
output value and has a trust relationship with the parties it exchanges
values with.​

The key servers are not anonymous entries or random bloggers.



>
>
>>
>> ​The ​metric I use for evaluating the security of a PKI is a time based
>> work factor priced in dollars. Obtaining bogus Domain Validated
>> certificates in quantity in the WebPKI has a certain cost, lets say $500,
>> an EV certificate has a much higher cost, about $5000. The cost values here
>> are not just the price of acquiring the cert, they are also the cost of
>> covering their tracks. The out of pocket cost of obtaining a single bogus
>> cert is much lower because it is very unlikely that is going to be
>> detected. But obtaining large numbers without establishing a pattern is
>> hard.
>>
>> So how does BitCoin fare? well the cost of mining 24 hours of bitcoins is
>> large but its less than a million dollars.
>>
>
> From one perspective, I suppose, though on the other hand you can't just
> take a million dollars and buy a day's worth of hashing power - most of the
> existing hashpower isn't for sale. To purchase enough new hashing power
> to own 50% of the Bitcoin network (1,487,398 TH/S) would cost
> approximately 114,415 Antminer S9 (13 TH/S) units at $2,500, or *$286m** in
> hardware costs *and 1.4 KW * 114,415 * $0.08 KW/H, or *$12,815** an hour
> in electricity costs*. Except for the small fact that there aren't that
> many S9 units available for purchase either...
>

You think Bitcoin miners are incorruptible? I rather doubt it.




It's unclear if you're talking about a permissionless network where anyone
> can run a validator or a permissioned network with a predetermined trusted
> federation of validators. If it's the latter then we're talking about a
> completely different security model than Bitcoin.
>

​I regard BiTcOiN as a religion rather than a technical infrastructure.​

​>​
 Any attack against Bitcoin's PoW is useless unless it can be sustained.
​>​
 If you compromised a mining pool, you wouldn't own it for very long if you
​>​
tried to use it to your advantage. People would notice and either the
​>​
hashpower would be pointed to a different pool or the pool operator would
​>​
shut down the pool until they could re-secure it.

​Which is exactly the point I made at the start.​ The security of the
blockchain is not secured through the proof of work mechanism at all. That
is just an unnecessary distraction.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160819/bda83267/attachment.html>


More information about the cryptography mailing list