pull down to refresh
Satoshi Nakamoto
https://www.metzdowd.com/pipermail/cryptography/2008-November/014860.html
satoshi at vistomail.com
Sat Nov 15 13:02:00 EST 2008
Previous message: Bitcoin P2P e-cash paper
Next message: Bitcoin P2P e-cash paper
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ray Dillinger wrote:
One way to do this would be
to have the person recieving the coin generate an asymmetric
key pair, and then have half of it published with the
transaction. In order to spend the coin later, s/he must
demonstrate posession of the other half of the asymmetric
key pair, probably by using it to sign the key provided by
the new seller.
Right, it's ECC digital signatures. A new key pair is used for every
transaction.
It's not pseudonymous in the sense of nyms identifying people, but it
is at least a little pseudonymous in that the next action on a coin
can be identified as being from the owner of that coin.
Mmmm. I don't know if I'm comfortable with that. You're saying
there's no effort to identify and exclude nodes that don't
cooperate? I suspect this will lead to trouble and possible DOS
attacks.
There is no reliance on identifying anyone. As you've said, it's
futile and can be trivially defeated with sock puppets.
The credential that establishes someone as real is the ability to
supply CPU power.
Until.... until what? How does anybody know when a transaction
has become irrevocable? Is "a few" blocks three? Thirty? A
hundred? Does it depend on the number of nodes? Is it logarithmic
or linear in number of nodes?
Section 11 calculates the worst case under attack. Typically, 5 or
10 blocks is enough for that. If you're selling something that
doesn't merit a network-scale attack to steal it, in practice you
could cut it closer.
But in the absence of identity, there's no downside to them
if spends become invalid, if they've already received the
goods they double-spent for (access to website, download,
whatever). The merchants are left holding the bag with
"invalid" coins, unless they wait that magical "few blocks"
(and how can they know how many?) before treating the spender
as having paid.
The consumers won't do this if they spend their coin and it takes
an hour to clear before they can do what they spent their coin on.
The merchants won't do it if there's no way to charge back a
customer when they find the that their coin is invalid because
the customer has doublespent.
This is a version 2 problem that I believe can be solved fairly
satisfactorily for most applications.
The race is to spread your transaction on the network first. Think 6
degrees of freedom -- it spreads exponentially. It would only take
something like 2 minutes for a transaction to spread widely enough
that a competitor starting late would have little chance of grabbing
very many nodes before the first one is overtaking the whole network.
During those 2 minutes, the merchant's nodes can be watching for a
double-spent transaction. The double-spender would not be able to
blast his alternate transaction out to the world without the merchant
getting it, so he has to wait before starting.
If the real transaction reaches 90% and the double-spent tx reaches
10%, the double-spender only gets a 10% chance of not paying, and 90%
chance his money gets spent. For almost any type of goods, that's
not going to be worth it for the scammer.
Information based goods like access to website or downloads are
non-fencible. Nobody is going to be able to make a living off
stealing access to websites or downloads. They can go to the file
sharing networks to steal that. Most instant-access products aren't
going to have a huge incentive to steal.
If a merchant actually has a problem with theft, they can make the
customer wait 2 minutes, or wait for something in e-mail, which many
already do. If they really want to optimize, and it's a large
download, they could cancel the download in the middle if the
transaction comes back double-spent. If it's website access,
typically it wouldn't be a big deal to let the customer have access
for 5 minutes and then cut off access if it's rejected. Many such
sites have a free trial anyway.
Satoshi Nakamoto
Nicolas Williams
https://www.metzdowd.com/pipermail/cryptography/2008-November/014864.html
Nicolas.Williams at sun.com
Mon Nov 17 16:54:28 EST 2008
Previous message: Bitcoin P2P e-cash paper
Next message: Bitcoin P2P e-cash paper
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Nov 14, 2008 at 11:04:21PM -0800, Ray Dillinger wrote:
On Sat, 2008-11-15 at 12:43 +0800, Satoshi Nakamoto wrote:If someone double spends, then the transaction record
can be unblinded revealing the identity of the cheater.
Identities are not used, and there's no reliance on recourse. It's all prevention.
Okay, that's surprising. If you're not using buyer/seller
identities, then you are not checking that a spend is being made
by someone who actually is the owner of (on record as having
recieved) the coin being spent.
How do identities help? It's supposed to be anonymous cash, right? And
say you identify a double spender after the fact, then what? Perhaps
you're looking at a disposable ID. Or perhaps you can't chase them
down.
Double spend detection needs to be real-time or near real-time.
Nico
James A. Donald
https://www.metzdowd.com/pipermail/cryptography/2008-November/014866.html
jamesd at echeque.com
Mon Nov 17 20:26:31 EST 2008
Previous message: Bitcoin P2P e-cash paper
Next message: ADMIN: end of bitcoin discussion for now
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Nicolas Williams wrote:
How do identities help? It's supposed to be anonymous
cash, right?
Actually no. It is however supposed to be pseudonymous,
so dinging someone's reputation still does not help
much.
And say you identify a double spender after the fact,
then what? Perhaps you're looking at a disposable ID.
Or perhaps you can't chase them down.
Double spend detection needs to be real-time or near
real-time.
Near real time means we have to use UDP or equivalent,
rather than TCP or equivalent, and we have to establish
an approximate consensus, not necessarily the final
consensus, not necessarily exact agreement, but close to
it, in a reasonably small number of round trips.
Ray Dillinger
https://www.metzdowd.com/pipermail/cryptography/2008-November/014859.html
bear at sonic.net
Sat Nov 15 02:04:21 EST 2008
Previous message: Bitcoin P2P e-cash paper
Next message: Bitcoin P2P e-cash paper
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sat, 2008-11-15 at 12:43 +0800, Satoshi Nakamoto wrote:
Okay, that's surprising. If you're not using buyer/seller
identities, then you are not checking that a spend is being made
by someone who actually is the owner of (on record as having
recieved) the coin being spent.
There are three categories of identity that are useful to
think about. Category one: public. Real-world identities
are a matter of record and attached to every transaction.
Category two: Pseudonymous. There are persistent "identities"
within the system and people can see if something was done by
the same nym that did something else, but there's not necessarily
any way of linking the nyms with real-world identities. Category
three: unlinkably anonymous. There is no concept of identity,
persistent or otherwise. No one can say or prove whether the
agents involved in any transaction are the same agents as involved
in any other transaction.
Are you claiming category 3 as you seem to be, or category 2?
Lots of people don't distinguish between anonymous and
pseudonymous protocols, so it's worth asking exactly what
you mean here.
Anyway: I'll proceed on the assumption that you meant very
nearly (as nearly as I can imagine, anyway) what you said,
unlinkably anonymous. That means that instead of an "identity",
a spender has to demonstrate knowledge of a secret known only
to the real owner of the coin. One way to do this would be
to have the person recieving the coin generate an asymmetric
key pair, and then have half of it published with the
transaction. In order to spend the coin later, s/he must
demonstrate posession of the other half of the asymmetric
key pair, probably by using it to sign the key provided by
the new seller. So we cannot prove anything about "identity",
but we can prove that the spender of the coin is someone who
knows a secret that the person who recieved the coin knows.
And what you say next seems to confirm this:
Note, even though this doesn't involve identity per se, it still
makes the agent doing the spend linkable to the agent who
earlier recieved the coin, so these transactions are linkable.
In order to counteract this, the owner of the coin needs to
make a transaction, indistinguishable to others from any
normal transaction, in which he creates a new key pair and
transfers the coin to its posessor (ie, has one sock puppet
"spend" it to another). No change in real-world identity of
the owner, but the transaction "linkable" to the agent who spent
the coin is unlinked. For category-three unlinkability, this
has to be done a random number of times - maybe one to six
times?
BTW, could you please learn to use carriage returns?? Your
lines are scrolling stupidly off to the right and I have to
scroll to see what the heck you're saying, then edit to add
carriage returns before I respond.
Mmmm. I don't know if I'm comfortable with that. You're saying
there's no effort to identify and exclude nodes that don't
cooperate? I suspect this will lead to trouble and possible DOS
attacks.
Okay, when you say "same" transaction, and you're talking about
transactions that are obviously different, you mean a double
spend, right? Two transactions signed with the same key?
Until.... until what? How does anybody know when a transaction
has become irrevocable? Is "a few" blocks three? Thirty? A
hundred? Does it depend on the number of nodes? Is it logarithmic
or linear in number of nodes?
But in the absence of identity, there's no downside to them
if spends become invalid, if they've already recieved the
goods they double-spent for (access to website, download,
whatever). The merchants are left holding the bag with
"invalid" coins, unless they wait that magical "few blocks"
(and how can they know how many?) before treating the spender
as having paid.
The consumers won't do this if they spend their coin and it takes
an hour to clear before they can do what they spent their coin on.
The merchants won't do it if there's no way to charge back a
customer when they find the that their coin is invalid because
the customer has doublespent.
So there's a possibility of an early catch when the broadcasts of
the initial simultaneous spends interfere with each other. I assume
here that the broadcasts are done by the sellers, since the buyer
has a possible disincentive to broadly disseminate spends.
Okay, that's a big difference between a proof of work that takes
a huge set number of CPU cycles and a proof of work that takes a
tiny number of CPU cycles but has a tiny chance of success. You
can change the data set while working, and it doesn't mean you
need to start over. This is good in this case, as it means nobody
has to hold recently recieved transactions out of the link they're
working on.
Right. That was the misconception I was working with. Again, the
difference between a proof taking a huge set number of CPU cycles
and a proof that takes a tiny number of CPU cycles but has a tiny
chance of success.
It's like a random variation in the work factor; in this way it works
in your favor.
I don't understand how "transaction fees" would work, and how the money
would find its way from the agents doing transactions to those running
the network. But the economic effect is the same (albeit somewhat
randomized) if adding a link to the chain allows the node to create
a coin, so I would stick with that.
Also, be aware that the compute power of different nodes can be
expected to vary by two orders of magnitude at any given moment in
history.
Bear