[Cryptography] Proof of Work is the worst way to do a BlockChain

Phillip Hallam-Baker phill at hallambaker.com
Sun Feb 18 00:35:10 EST 2018


On Tue, Feb 13, 2018 at 9:51 AM, Richard Clayton <richard at highwayman.com>
wrote:

> In message <CAB7TAMkfvODT+qjUhOo3CoiEb-+bTdNxW44_T+2V3GeM2v0h5Q at mail.gma
> il.com>, Allen <allenpmd at gmail.com> writes
>
> >>>> I ran into Dwork at a conference
> >>>> some years later and she agreed that it's too easy to circumvent.
> >>>
> >>>Are you referring to the idea of hackers remotely compromising a bunch
> >>>of computers and using them to compute PoW?
> >>
> >> That's one way to circumvent it.  Didn't you read the paper I
> >> referenced in the message you were responding to?
> >
> >yes, I read the 9 page paper by Laurie and Clayton that you
> >referenced, and the only attack I could see to circumvent PoW
> >discussed in that paper was to remotely compromise computers and use
> >them to compute PoW.
>
> you misunderstood the point of the paper if you think that this was a
> "circumvention"...
>
> > But you said Laurie and Clayton "hammered stakes
> >through it" (stakes plural, not just one stake), plus their paper came
> >much later than the comment by Dwork, so if Dwork had the same idea,
> >I'm not sure why you credited Laurie and Clayton for "hammered stakes
> >through it" when Dwork acknowledged an attack much earlier.
>
> .. what Ben and I pointed out was that if you think that you can use
> proof-of-work to determine who are good people who should be allowed to
> send email and who are bad people who send spam then you are mistaken.
>
> If you set the necessary amount of work low enough that the good guys
> can afford to do it -- then it is so low that you have not made much of
> a dent on the bad guys' ability to spam.
>
> Basically the bad guys have more computers than the good guys ! (some of
> which they have stolen, but spam is lucrative enough that they can
> afford to buy them anyway -- so all you will ever do is to freeze out
> low profit-margin spam).
>
> BTW: Camp & Liu argued that you can make Proof-of-Work function by not
> making the proofs end-point independent (ie the email carries around the
> proof) but by having end points demand proofs from strangers whilst
> allowing a free pass to friends. No-one has ever implemented this
> because it lacks the simplicity of the proof-carrying email idea.
>
> >So I'm
> >trying to understand if I missed something, not in terms of who should
> >get credit for the attacks, but if there are other attacks out there
> >that I missed.
>
> ... also, "Penny Black" is the 2003 paper, not Dwork & Naor's earlier
> 1992 work -- essentially in 2003 they are trying to even up the playing
> field by doing more memory access in their computation function and
> stopping good guys with mere computers having to compete against
> spammers with ASICs, FPGAs etc.
>
> Finally -- I will observe that when Dwork, myself (and some others)
> debated anti-spam schemes on stage at the first CEAS conference in
> summer 2004 in Mountain View ... I don't recall her being anything but
> positive about the prospects of proof-of-work (and don't forget this was
> the era when Bill Gates was claiming the spam problem would be addressed
> within months  [when Penny Black properly caught on])


As someone working closely with Microsoft's anti-spam team at the time,
including working on a joint proposal very similar to DKIM that was never
launched, I am pretty sure that proof of work never played any part in
their strategy beyond the fact that Adam Back may have been working for
them at the time.

The Achilles heel of proof of work was that it would merely give the
spammers incentive to hack machines to generate proofs on. There would
never be a point where proof of work made an email less likely to be spam.