On Sat, Dec 20, 2014 at 09:48:01AM -0500, Peter Todd wrote: Andrew Miller asked me to publish the following to the mailing list on his behalf: (https://twitter.com/socrates1024/status/546819355565391872) One of the main points in this note is that you can use a "proof-of-publication" system to implement an "anti-replay" system. However this isn't true - at least not given the description of proof-of-(non)-publication in 2) and the definition of "anti-replay" given here. In 2), proof-of-*non*-publication allows you to prove that *some specific message* has never been published. You can imagine having a function ProveNotPublished(m), which proves "message m was not published." However, the anti-replay mechanism is about proving that *no* message satisfying some property has been published. Hence VerifyAntiReplaySig(m, p, s) checks that "for all possible messages m' (distinct from m), AntiReplaySign(m', p) has not been called." This isn't *just* splitting hairs, this distinction is actually relevant for analyzing several cryptocurrency designs. You can imagine extending the definition of proof-of-(non)-publication to take in some predicate P, so that you can prove "no message m such that P(m) holds has ever been published." However, to do this efficiently requires anticipating some classes of P and building some appropriate indices. - As a baseline, as long as you have the whole blockchain available, you can scan through the entire blockchain and evaluate P for every transaction, but this is pretty inefficient. - Other tradeoffs are available if you are willing to trust some (quora of) servers to maintain indices for you - Bitcoin's UTXO set effectively supports a predicate for each txout, where P(x) = "x is a valid tranasction that spends " - Ethereum contracts, in a sense, allow for general purpose contracts to 'build-your-own" index. On the other hand its key-value store doesn't support range queries, so it's not necessarily "universal" or as expressive as SQL, for example. But the point isn't to argue about design choices and tradeoffs in this thread. The main point I want to make is: *Indexes and Validation Matter!* The classic "proof-of-publication" system is to embed opaque data (as far as bitcoin miners are concerned) in transactions using OP_RETURN. A significance of establishing "proof-of-publication" as a universal underlying primitive is that this OP_RETURN trick is then sufficient for anything you might want. But part of what Bitcoin provides is indexing and validation/exclusion, and this is important for supporting efficient anti-replay proofs. Proof-of-(non)-publication alone isn't sufficient for this. -- 'peter'[:-1]@petertodd.org 00000000000000000a7b40becd0babbd64ec49b8b34823fb4f4b081c95188b66