[Cryptography] Robust Linked Timestamps without Proof of Work.

Jameson Lopp jameson.lopp at gmail.com
Fri Aug 19 22:44:59 EDT 2016


On Fri, Aug 19, 2016 at 8:55 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:

>
>
> On Fri, Aug 19, 2016 at 6:07 PM, Jameson Lopp <jameson.lopp at gmail.com>
> wrote:
>
>>
>>
>> On Fri, Aug 19, 2016 at 12:05 PM, Phillip Hallam-Baker <
>> phill at hallambaker.com> wrote:
>>
>>>
>>> Let us say for the sake of argument that in the near future there will
>>> be 100 OpenPGP KeyServers that operate in a manner similar to today's
>>> servers based on Brian LaMacchia's MIT server with two changes:
>>>
>>> 1) Every key server maintains a link timestamp of all data submitted
>>> (keys, signatures, etc.)
>>>
>>> 2) Every hour, each server cross-timestamps their current timestamp
>>> value with at least ten other servers chosen at random
>>>
>>> Let us further assume that I can establish a userbase of a million
>>> users. Which I think is actually quite plausible if I can persuade the
>>> S/MIME folk to use the infrastructure as well as the OpenPGP folk.
>>>
>>> To verify a timestamp value, a verifier checks the timestamp chain of
>>> five or so randomly chosen servers.
>>>
>>
>> Sure; let's say for the sake of argument that I decide to run 10,000
>> OpenPGP KeyServers and sybil attack your network. It sounds like I'd be
>> able to falsify data with a high rate of success. The numbers you choose
>> are likely irrelevant; I suspect that any such system would inevitably turn
>> into a form of "proof of work" as described by Paul Sztorc:
>> http://www.truthcoin.info/blog/pow-cheapest/
>>
>
> Explain the attack more fully. Assume that each server is signing each
> output value and has a trust relationship with the parties it exchanges
> values with.
>
> The key servers are not anonymous entries or random bloggers.
>

OK, so you're describing a semi-trusted permissioned system as opposed to
a trustless permissionless system. There's really not much point comparing
apples to oranges.

>
>
>>
>>
>>>
>>> The metric I use for evaluating the security of a PKI is a time based
>>> work factor priced in dollars. Obtaining bogus Domain Validated
>>> certificates in quantity in the WebPKI has a certain cost, let's say $500,
>>> an EV certificate has a much higher cost, about $5000. The cost values here
>>> are not just the price of acquiring the cert, they are also the cost of
>>> covering their tracks. The out of pocket cost of obtaining a single bogus
>>> cert is much lower because it is very unlikely that it is going to be
>>> detected. But obtaining large numbers without establishing a pattern is
>>> hard.
>>>
>>> So how does BitCoin fare? Well, the cost of mining 24 hours of bitcoins
>>> is large but it's less than a million dollars.
>>>
>>
>> From one perspective, I suppose, though on the other hand you can't just
>> take a million dollars and buy a day's worth of hashing power - most of the
>> existing hashpower isn't for sale. To purchase enough new hashing power
>> to own 50% of the Bitcoin network (1,487,398 TH/S) would cost
>> approximately 114,415 Antminer S9 (13 TH/S) units at $2,500, or $286m in
>> hardware costs, and 1.4 KW * 114,415 * $0.08 KW/H, or $12,815 an hour
>> in electricity costs. Except for the small fact that there aren't that
>> many S9 units available for purchase either...
>>
>
> You think Bitcoin miners are incorruptible? I rather doubt it.
>
>
No, I'm saying that you can't merely bribe miners with their current
operational costs in order to take over the network. The big players have
invested tens to hundreds of millions of dollars into their infrastructure
and are making a long term speculative play - they aren't going to throw it
all away for a relative pittance.

>
>
>> It's unclear if you're talking about a permissionless network where anyone
>> can run a validator or a permissioned network with a predetermined trusted
>> federation of validators. If it's the latter then we're talking about a
>> completely different security model than Bitcoin.
>>
>
> I regard BiTcOiN as a religion rather than a technical infrastructure.
>

That explains a lot.

>> Any attack against Bitcoin's PoW is useless unless it can be sustained.
>> If you compromised a mining pool, you wouldn't own it for very long if you
>> tried to use it to your advantage. People would notice and either the
>> hashpower would be pointed to a different pool or the pool operator would
>> shut down the pool until they could re-secure it.
>
> Which is exactly the point I made at the start. The security of the
> blockchain is not secured through the proof of work mechanism at all. That
> is just an unnecessary distraction.
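The two-rule scheme Phillip sketches (every key server keeps a linked timestamp of submissions; every hour each server has its current head recorded by ten randomly chosen peers; a verifier checks five random chains) is small enough to model in full. The following is an added example written for this post, not code from either participant: it builds a hash-chain `TimestampServer`, pushes cross-timestamps between peers, and implements the verifier as a check that every sampled witness holds a cross-timestamp of the server's head taken at or after the entry in question. The names (`ks0`..`ks5`), the `"kind|payload"` hash encoding, the six-server network with five peers per round, and the `rewrite` method (a dishonest operator re-linking its own chain) are all constructed assumptions for illustration, not part of the proposal.

```python
import hashlib
import random


def digest(*parts: str) -> str:
    """SHA-256 over the parts joined with '|' (constructed encoding for this model)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class TimestampServer:
    """A key server keeping a linked timestamp (hash chain) of everything it receives."""

    def __init__(self, name: str):
        self.name = name
        # Each entry is (kind, payload, hash); the hash commits to the previous entry's hash.
        self.chain = [("genesis", name, digest("genesis", name))]

    @property
    def head(self) -> str:
        return self.chain[-1][2]

    def link(self, kind: str, payload: str) -> int:
        """Append an entry linked to the current head and return its index."""
        self.chain.append((kind, payload, digest(self.head, kind, payload)))
        return len(self.chain) - 1

    def submit(self, data: str) -> int:
        """Timestamp submitted key material (keys, signatures, ...)."""
        return self.link("data", data)

    def record_cross_timestamp(self, other: "TimestampServer") -> int:
        """Link another server's current head into our own chain (the hourly exchange)."""
        return self.link("xts", f"{other.name}:{other.head}")

    def rewrite(self, index: int, payload: str) -> None:
        """Model a dishonest operator replacing one entry and re-linking everything after it."""
        tail = [(k, p) for k, p, _ in self.chain[index:]]
        tail[0] = (tail[0][0], payload)
        del self.chain[index:]
        for kind, pay in tail:
            self.link(kind, pay)


def chain_is_consistent(chain) -> bool:
    """True if every hash in the chain recomputes from its predecessor."""
    prev = digest("genesis", chain[0][1])
    if chain[0][2] != prev:
        return False
    for kind, payload, h in chain[1:]:
        if h != digest(prev, kind, payload):
            return False
        prev = h
    return True


def verify(servers, name: str, index: int, sample: int = 5, rng=random) -> bool:
    """Verifier: entry `index` on server `name` must be covered by a cross-timestamp
    (a head of `name` taken at or after `index`) on every one of `sample` random peers."""
    s = servers[name]
    if not chain_is_consistent(s.chain):
        return False
    later_heads = {h for _, _, h in s.chain[index:]}
    witnesses = [w for w in servers.values() if w.name != name]
    for w in rng.sample(witnesses, min(sample, len(witnesses))):
        if not chain_is_consistent(w.chain):
            return False
        covered = any(k == "xts" and p.startswith(name + ":") and p[len(name) + 1:] in later_heads
                      for k, p, _ in w.chain)
        if not covered:
            return False
    return True


def build_network(n_servers: int = 6, peers: int = 5, hours: int = 2, seed: int = 1):
    """Constructed network: each hour every server timestamps one submission, then has its
    head recorded by `peers` random others. Returns the servers and receipts (name, hour) -> index."""
    rng = random.Random(seed)
    servers = {f"ks{i}": TimestampServer(f"ks{i}") for i in range(n_servers)}
    receipts = {}
    for hour in range(hours):
        for s in servers.values():
            receipts[(s.name, hour)] = s.submit(f"pubkey-{s.name}-h{hour}")  # constructed sample
        for s in servers.values():
            others = [x for x in servers.values() if x is not s]
            for peer in rng.sample(others, min(peers, len(others))):
                peer.record_cross_timestamp(s)
    return servers, receipts


if __name__ == "__main__":
    servers, receipts = build_network()
    print("hour-0 entry on ks0 verifies:", verify(servers, "ks0", receipts[("ks0", 0)]))
    servers["ks0"].rewrite(receipts[("ks0", 0)], "forged-pubkey")
    print("after ks0 rewrites that entry:", verify(servers, "ks0", receipts[("ks0", 0)]))
```

Two properties of the model are worth noting. A rewritten chain still passes `chain_is_consistent`, so the only thing that catches the rewrite is that the witnesses' recorded heads no longer appear in the server's chain; and an entry submitted after the last exchange round has no witness yet, so `verify` rejects it until the next round. Both follow the thread's point: the assurance comes from the honest witnesses the verifier happens to sample, so if an adversary controls a large enough share of the servers, the five-chain check can be satisfied by chains the adversary wrote, and no proof of work is involved either way.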