[Cryptography] DAG vs Blockchain

Alfie John alfie at alfie.wtf
Mon Jan 29 22:08:55 EST 2018


On Mon, Jan 29, 2018 at 05:20:51PM +0100, Natanael wrote:
> In terms of a blockchain you can prove no doublespending by referencing the
> UTXO set (unspent transaction outputs), which can include either showing
> all later transactions (as you described), or fancier math like a
> combination of the relevant UTXO ID, the latest block hash and an
> Zero-knowledge proof (ZKP) that there exists no transaction spending that
> UTXO in the blockchain which has this block hash as the latest hash.
> As new blocks arrive its easy in the short term to prove there's no
> doublespend as the full dataset is a few MB at most, while in the long term
> you create a more fresh ZKP when requested.
>
> In terms of acyclic graphs, there exists no way to completely prove
> non-knowledge. You can only prove non-existence of conflicts within
> branches which you admit to knowing about, but since you can't be expected
> to know all branches it is likewise impossible to produce meaningful proofs
> of knowing there's no conflicting doublespend transaction.
> There's no well known / well defined domain / space of what dataset in
> which you would show non-existence.

This.

Looking for alternatives to Proof of Work, I bumped into Byteball and Stellar.
Reading both their whitepapers, I still didn't see how doulbespend was solved
as PoNK* wasn't addressed.

* Proof of Non-Knowledge is a great Litmus Test for future proposed solutions.

> At best you can have a challenge-response protocol where both parties show
> what branches they admit to knowing, and then a ZKP would be generated
> which cover those branches. This is only a complete proof if the given
> combined sets of branches is complete.

I like where this is going.

Alfie

--
Alfie John
https://www.alfie.wtf


More information about the cryptography mailing list