On Thu, Jan 09, 2014 at 06:19:04PM +0100, Jorge Timón wrote: > On 1/6/14, Peter Todd wrote: > > On Sat, Jan 04, 2014 at 01:27:42AM +0100, Jorge Timón wrote: > > It's not meant to prove anything - the proof-of-sacrificed-bitcoins > > mentioned(*) in it is secure only if Bitcoin itself is secure and > > functional. I referred you to it because understanding the system will > > help you understand my thinking behind merge-mining. > > > > *) It also mentions proof-of-sacrificed-zerocoins which *is* distinct > > because you're sacrificing the thing that the chain is about. Now that > > has some proof-of-stake tinges to it for sure - I myself am not > > convinced it is or isn't a viable scheme. > > I'm not sure I understand all the differences between > proof-of-sacrificed-bitcoins and proof-of-sacrificed-newcoins, but I'm > still convinced this doesn't have anything to do with MM PoW vs PoW. Proof-of-sacrified-bitcoins is always a true sacrifice - provided Bitcoin itself maintains consensus the proof is a guarantee that something of value was given up. Proof-of-sacrificed-"newcoins" means that within some consensus system I created a signed statement that *within the system* means I lose something of value. However that sacrifice is only valid if the consensus of the system includes that sacrifice within the consensus, and if the mechanism by which that consensus is maintained has anything to do with those sacrifices you quickly find yourself on pretty shakey ground. > > You know, something that I haven't made clear in this discussion is that > > while I think merge-mining is insecure, in the sense of "should my new > > fancy alt-coin protocol widget use it?", I *also* don't think regular > > mining is much better. In some cases it will be worse due to social > > factors. (e.g. a bunch of big pools are going to merge-mine my scheme on > > launch day because it makes puppies cuter and kids smile) > > Fair enough. > Do you see any case where an independently pow validated altcoin is > more secure than a merged mined one? Situations where decentralized consensus systems are competing for market share in some domain certainely apply. For instance if I were to create a competitor to Namecoin, perhaps because I thought the existing allocation of names was unfair, and/or I had technical improvements like SPV, it's easy to imagine Namecoin miners deciding to attack my competitor to preserve the value of their namecoins and domain names registered in Namecoin. The problem here is that my new system has a substantial *negative* value to those existing Namecoin holders - if it catches on the value of their Namecoin investment in the form of coins and domain names may go down. Thus for them doing nothing has a negative return, attacking my coin has a positive return minus costs, and with merge-mining the costs are zero. Without merge mining if the value to the participants in the new system is greater than the harm done to the participants in the old system the total work on the new system's chain will still be positive and it has a chance of surviving. Of course, this is what Luke-Jr was getting at when he was talking about scam-coins and merge mining: if you're alt-currency is a currency, and it catches on, then it dilutes the value of your existing coins and people who own those coins have an incentive to attack the competitor. That's why merge-mined alt-coins that are currencies get often get attacked very quickly. -- 'peter'[:-1]@petertodd.org 00000000000000028a5c9edabc9697fe96405f667be1d6d558d1db21d49b8857