On Wed, Jan 01, 2014 at 05:09:27AM +0000, Luke-Jr wrote:
> > You assume the value of a crypto-currency is equal to all miners, it's
> > not.
> > 
> > Suppose I create a merge-mined Zerocoin implementation with a 1:1
> > BTC/ZTC exchange rate enforced by the software. You can't argue this is
> > a scamcoin; no-one is getting rich. There's a 1:1 exchange rate so the
> > only thing you can do with the coin is get some privacy. But inevitably
> > some miners won't agree that enabling better privacy is a good thing, or
> > their local governments won't. Either way, they can attack the Zerocoin
> > merge-mined chain with a marginal cost of nearly zero.
> 
> Not necessarily. If Zerocoin was tied directly to Bitcoin proof-of-work, the 
> worst they could do is not-participate by mining empty blocks.

Nope. Tying the alt-coin difficulty to the Bitcoin difficulty isn't some
magic way to avoid a 51% attack - you still need a majority of
consensus. The attackers can still mine a conflicting chain and there's
still no reasonable way to choose between the two chains other than
proof-of-something. Even worse, then can do a data-hiding attack by
mining a conflicting chain without publishing the blockchain data, then
revealing it some time in the future, or just sowing FUD by making it
clear that the mining is happening. Like it or not crypto-coins solve
double-spending with proof-of-publication, and that can't be done
without some kind of mathematically verifiable majority aligned with the
interests of the crypto-coin users.

Recall that my zookeyv(1) and zerocoin alt(2) proposals from last summer
was specifically designed to take that situation into account, and of
course could at best only make it clear that it was happening and how
many Bitcoins needed to be sacrificed to make the chain secure.


1) #bitcoin-wizards, 2013-05-31
2) http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02472.html

-- 
'peter'[:-1]@petertodd.org
000000000000000f9102d27cfd61ea9e8bb324593593ca3ce6ba53153ff251b3