[Cryptography] Proof of Work is the worst way to do a BlockChain

Ersin Taskin hersintaskin at gmail.com
Thu Feb 22 05:46:44 EST 2018


On Mon, Feb 12, 2018 at 9:27 PM, John Levine <johnl at iecc.com> wrote:

> In article <CACMCW-PHGXRjqck3mzvs7EsBYxZ=VT_p29xSPMdBE5hRSHq45w at mail.
> gmail.com> you write:
> >1. PoW can be good to fight against SPAM/DOS attacks where you distribute
> >the load to the endpoint/user rather than concentrate it on the system.
> ...
>
> This is a WKBI.  The original proof of work idea to deter spam was
> Dwork and Naor's Pennyblack in 1992.  While it was certainly clever,
> it didn't work and doesn't work.  I ran into Dwork at a conference
> some years later and she agreed that it's too easy to circumvent.
>
> Ben Laurie and Richard Clayton hammered stakes through it
> in 2004, but nothing of importance has changed since then.
>
> https://www.cl.cam.ac.uk/~rnc1/proofwork.pdf
>
>
Thanks for the paper. However, the paper just justifies my point, if you
read the whole paragraph. Let me present a train of thought as an example:

Assumptions:
1. The Establishment (Gov+FED+Banks+Corporatocracy) is under the threat of
disruption by Bitcoin.
2. It fights back for survival when this threat becomes serious.
3. It has enough power (money) to get more than 50% hash power.

The attack scenario:
1. The attacker (the Establishment) gains the majority hash-power to rule
the longest chain. Deciding what transactions to select from the mempool,
deciding the next block.
2. The attacker forms sybil agents. This is trivial. Thanks to
permissionlessness :) Bitcoin indeed recommends everyone to create sybil
agents for each transaction (key pairs/addresses).
3. The attacker fuels its sybil agents with a constant (not much) amount of
bitcoins.
4. Sybil agents flood the system with valid transaction requests with
transaction fees varying slightly above the average.
5. Sybil miners select these valid sybil transactions filling the entire
block space and denying most if not all of the honest transactions.
6. Sybil miners send the transaction fees back to the sybil agents through
atomic swap, zero knowledge, etc. pathways escaping tracking. Thanks to
privacy:)
7. The feedback loop provides the vicious cycle which helps the attacker
sustain an infinite loop attack with a constant amount of money. We all
know that no one (not even Bitcoin) survives an infinite loop.

Since Bitcoin is censor-proof, your coin equals mine, all valid
transactions are equal, it is legitimate that transaction fees can
determine the choice from the mempool and that the system is based on a
don't-trust-the-miners game theoretical approach. There is no solution to
the above attack scenario. Actually, it would be non-trivial to understand
the system is under attack. I could not find a solution in Bitcoin. I
shared it with top technical guys this weekend at the Bitcoin Ethereum
Superconference in Dallas. And none provided an answer. Some said it is
mathematically impossible to find a solution and admitted that it is a
serious problem. One very famous, legendary developer said that this is not
a problem because such an attack will not happen. He was drunk and I did
not take him seriously apart from the observation that people can become
very religious on scientific topics. I forwarded this observation as a
warning to myself.

The above scenario owes its success to the feedback loop from the miners
back to the sybil agents. Otherwise, we would not bother the cost of 51%
hash-power. Just send valid transaction requests involving higher
transaction fees to flood the system. As long as you do not control the
blockchain you may keep spending transaction fees irreversibly and cannot
guarantee to block the entire chain. Miners (pool managers) aware of the
attack may collaborate to deny your transactions not to lose their business
in the long term.  That feedback loop is possible because POW is based on a
scheme based on a fair race against the adversary. This makes it easy for
the attacker to acquire the authoritative power on the system. Amazing
design insisted with the assumption that the powerful target to disrupt
will not attack back for survival!

There are other less costly, more effective super-rational attack scenarios
involving speculative approaches and it can easily be shown that the
super-rational attacker can get the entire cryptocurrency space down easily
through the vicious-cycle scheme described above together with helper
methods. The attacker can use its Exchange in collusion with its sybil
miners to allow rushes from Bitcoin towards the target currency (say USD).
In this scenario, everybody would run to save their precious money not
giving a damn to Bitcoin.

Long story short: PoW is a bad idea to be used on the processor side. It is
an extremely inefficient way to secure the system. If you use PoW (I don't
recommend it at all) use it only when you can provide any degree of an unfair
race against the attacker. Even then it has its own issues.

POS and DPOS are also vulnerable to the above attack because the
super-rational attacker can get the majority of the stake and as we learned
from our democracy practice money gets the votes. At DPOS people vote for
candidates they do not know in person. They vote based on incentives,
lotteries advertised in campaigns. The super-rational attacker with more
money (and gain) would propose more, campaign better to attract more votes.
Secret services (like CIA) have such professional spies and entities that
it will be impossible for us to identify their real identities. They span
the entire space of people from selling hot dogs on the street to presidents
of countries. It would be naive to guarantee that DPOS will never allow
money to get majority stake. Indeed, this weekend, I challenged Stan
Larimer (the godfather of Bitshares) face to face in a friendly manner
among his fans with the above attack scenario and he could not provide a
solution and said "let's forward this to Dan" giving me his email.

This is what I call the anchor-to-iceberg problem. POW, POS, DPOS all
anchor to things that are convertible to money. This allows the
super-rational attacker to gain control of the system provided that it has
enough money to spare. This combined with the game-theoretical,
permissionless, censor-proof, privacy-seeking system dictates the fact that
any crypto-currency system immune to super-rational attack must anchor to
something that gives the hard promise like the sun rising every morning
from the east and going down every evening on the west. A very simple
promise. But a hard one to break. A hard promise that you cannot break with
money.