On Mon, May 06, 2013 at 08:32:22PM +0200, Adam Back wrote:
> But what exactly could you prove about a node?  You dont really know if a
> node is an originator for a double spend, it could be relay.  And for
> privacy and security you cant expect the node to use its coin address
> private key.

re: double-spends - punishing relay nodes and miners for them is a very
bad idea. Ultimately it is the blockchain by which Bitcoin comes to
consensus about what transactions belong in the blockchain - to punish
double-spends implies a second consensus mechanism. Anyway it's
unnecessary: you can hold the actual spender accountable for
double-spends and punish them directly rather than adding a lot of
complexity and dangerous assumptions about propagation to the Bitcoin
core network.


Some useful things you can hold relay nodes accountable for without a
lot of complexity:

1) Having a reasonably correct view of the best block. Make the node
sign a statement including a block hash sequence (the last 3-6 blocks)
and what it believes the current time is.

2) Accurate knowledge of the blockchain. Sign a statement claiming that
what block hash is for a given chain height. Note that due to reg-orgs
this is actually a different statement than #1 and nodes should be
careful what they are claiming.

3) Accurate knowledge of the UTXO set. Sign a statement claiming that
a given txid:vout for the current best block hash is in or not in the
UTXO set.

4) Accurate bloom filtering; same idea as #3

5) Make the node identity expensive to obtain. For instance, construct
PoW's including the node pubkey somehow, or purchase fidelity bonds for
the node's identity. Makes sybil attacks more difficult, among other
things.

5) Provide useful propagation/mining services. Sign a txid and
timestamp/blockhash-sequence, and hold the node accountable for how long
it takes the txid to make it into the blockchain. Useful especially for
miners offering the service of mining your transaction.


> Hmm: maybe one could use a Brands private credential with offline double
> spend detection, with the reputation but not coin address of the node
> disclosed, and the nodes coin address embedded in the proof.  Each node
> could be is own CA, providing a ZKP.  If the node ever double spends a coin,
> it loses its reputation as the coin address is revealed.

Be careful not to mix up the concept of a relay node with someone
posessing Bitcoins. Node's don't spend coins, people/wallets do.

> ps I have an opensource openSSL based Brands (& Chaum) credential library at
> http://www.cypherspace.org/credlb/ I didnt actually implement the ECDL
> version, just the DL version, but that is not so hard, and its on my todo
> list.  (There is also a strong RSA assumption version, also not
> implemented).

That stuff is cool, but we should focus first on simple efforts, like
SSL transport, that do not require complex cryptography to obtain an
improvement in security.

Of course, not to say long-term research is bad, but that's just not
going into the Bitcoin reference client in the near future.

-- 
'peter'[:-1]@petertodd.org
0000000000000124d42390b0db4c125f6be87835c49dc88f1bdeba527b77abc2