public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Peter Todd <pete@petertodd•org>
To: Alex Mizrahi <alex.mizrahi@gmail•com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Building Blocks of the State Machine Approach to Consensus
Date: Fri, 24 Jun 2016 18:23:16 -0400	[thread overview]
Message-ID: <20160624222316.GA28767@fedora-21-dvm> (raw)
In-Reply-To: <CAE28kUQXLc=-8SoEsWNXz99hezMBmM0ws+Xx3+nrp4YPZkMaPQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3840 bytes --]

On Thu, Jun 23, 2016 at 03:58:29PM +0300, Alex Mizrahi wrote:
> >
> > The point I'm making is simply that to be useful, when you close a seal you
> > have to be able to close it over some data, in particular, another seal.
> > That's
> > the key thing that makes the idea a useful construct for smart contacts,
> > value
> > transfer/currency systems, etc.
> >
> 
> OK, your second post ("Closed Seal Sets and Truth Lists for Better Privacy
> and Censorship Resistance") seems to clarify that this data is one of
> arguments to the condition function.
> Frankly this stuff is rather hard to follow. (Or maybe I'm dumb.)
> 
> Now I don't get scability properties. Let's consider a simplest scenario
> where Alice creates some token, sends it to Bob, who sends it to Claire. So
> now Claire needs to get both a proof that Alice sent it to Bob and that Bob
> sent it to Claire, right? So Claire needs to verify 2 proofs, and for a
> chain of N transfers one would need to verify N proofs, right?

Not necessarily. In my writeup I outlined two ways that those chains can be
shortened: trusted validity oracles and the probabalistic, inflationary,
history proof concept.

Equally, even if history grows over time, that's no worse than Bitcoin.

> And how it works in general:
> 
> 1. Alice creates a token. To do that she constructs an unique expression
> which checks her signature and signs a message "This token has such and
> such meaning and its ownership originally associated with seal <hash of the
> expression>" with her PGP key.

Alice isn't _creating_ a tokne, she's _defining_ a token.

> 2. To transfer this token to Bob, she asks Bob for his auth expression and
> sends a seal oracle a message (Alice_expression (Bob_expression .
> signature)) where signatures is constructed in such a way that it evaluates
> as true. Oracle stores this in a map: Alice_expression -> (Bob_expression .
> signatures)

Nope.

In Alice's token definition, the genesis state of the token is defined to be
associated with a specific single-use seal. To transfer the token to Bob, she
asks Bob for the seal he wishes to use, and then closes the genesis seal over a
new state committing to Bob's seal.

Now Alice could construct the seal for Bob, in which case she'd just need to
know the auth expression Bob wants to use, but that's not the most fundamental
way of implementing this.

Regardless, the seal oracle doesn't need to know that any of the above is
happening; all it needs to do is spit out seal closed witnesses when the
authorization expressions are satisfied appropriately; the oracle does not and
should not know what the seals have been closed over. Whether or not the oracle
stores anything when seals are closed is an implementation decision - see my
original writeup on the unbounded vs. bounded oracle case. And of course, seals
implemented with decentralized blockchains are a different matter entirely.

> 3. Bob sends token to Claire in a same way: (Bob_expression
> (Claire_expression . signature))
> 4. Now Claire asks if Alice_expression->(Bob_expression . _) and
> Bob_expression->(Claire_expression . _) are in oracle's map. She might
> trust the oracle to verify signatures, but oracle doesn't understand token
> semantics. Thus she needs to check if these entries were added.
> If I understand correctly, Alice_expression->(Bob_expression . _) record
> can be communicated in just 3 * size_of_hash_digest bytes.
> 
> So this seems to have rather bad scalability even with trusted oracles, am
> I missing something?

Yes, as I mentioned above, there exists multiple techniques that can shorten
history proofs in a variety of ways, depending on what kinds of tradeoffs your
application needs.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]

      reply	other threads:[~2016-06-24 22:23 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-20  8:56 Peter Todd
2016-06-20 13:26 ` Police Terror
2016-06-20 16:21   ` zaki
2016-06-21 22:42     ` Peter Todd
2016-06-23 11:21   ` Peter Todd
2016-06-20 22:28 ` Alex Mizrahi
2016-06-23 11:11   ` Peter Todd
2016-06-23 12:58     ` Alex Mizrahi
2016-06-24 22:23       ` Peter Todd [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160624222316.GA28767@fedora-21-dvm \
    --to=pete@petertodd$(echo .)org \
    --cc=alex.mizrahi@gmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox