[Cryptography] Proof of Work is the worst way to do a BlockChain

Richard Clayton richard at highwayman.com
Tue Feb 13 09:51:08 EST 2018 

In message <CAB7TAMkfvODT+qjUhOo3CoiEb-+bTdNxW44_T+2V3GeM2v0h5Q at mail.gma
il.com>, Allen <allenpmd at gmail.com> writes

>>>> I ran into Dwork at a conference
>>>> some years later and she agreed that it's too easy to circumvent.
>>>
>>>Are you referring to the idea of hackers remotely compromising a bunch
>>>of computers and using them to compute PoW?
>>
>> That's one way to circumvent it.  Didn't you read the paper I
>> referenced in the message you were responding to?
>
>yes, I read the 9 page paper by Laurie and Clayton that you
>referenced, and the only attack I could see to circumvent PoW
>discussed in that paper was to remotely compromise computers and use
>them to compute PoW. 

you misunderstood the point of the paper if you think that this was a
"circumvention"...

> But you said Laurie and Clayton "hammered stakes
>through it" (stakes plural, not just one stake), plus their paper came
>much later than the comment by Dwork, so if Dwork had the same idea,
>I'm not sure why you credited Laurie and Clayton for "hammered stakes
>through it" when Dwork acknowledged an attack much earlier.  

.. what Ben and I pointed out was that if you think that you can use
proof-of-work to determine who are good people who should be allowed to
send email and who are bad people who send spam then you are mistaken.

If you set the necessary amount of work low enough that the good guys
can afford to do it -- then it is so low that you have not made much of
a dent on the bad guys' ability to spam.

Basically the bad guys have more computers than the good guys ! (some of
which they have stolen, but spam is lucrative enough that they can
afford to buy them anyway -- so all you will ever do is to freeze out
low profit-margin spam).

BTW: Camp & Liu argued that you can make Proof-of-Work function by not
making the proofs end-point independent (ie the email carries around the
proof) but by having end points demand proofs from strangers whilst
allowing a free pass to friends. No-one has ever implemented this
because it lacks the simplicity of the proof-carrying email idea.

>So I'm
>trying to understand if I missed something, not in terms of who should
>get credit for the attacks, but if there are other attacks out there
>that I missed.

... also, "Penny Black" is the 2003 paper, not Dwork & Naor's earlier
1992 work -- essentially in 2003 they are trying to even up the playing
field by doing more memory access in their computation function and
stopping good guys with mere computers having to compete against
spammers with ASICs, FPGAs etc.

Finally -- I will observe that when Dwork, myself (and some others)
debated anti-spam schemes on stage at the first CEAS conference in
summer 2004 in Mountain View ... I don't recall her being anything but
positive about the prospects of proof-of-work (and don't forget this was
the era when Bill Gates was claiming the spam problem would be addressed
within months  [when Penny Black properly caught on])

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 185 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20180213/733ddcc4/attachment.sig>

More information about the cryptography mailing list