📅 Original date posted:2022-01-25
📝 Original message:Hi Billy,
I read through the description. I think systems like this *mostly* fail due to game theory.
With punishment-by-burn you have various issues that make it to my mind pretty unstable, too unstable to use for any serious system. To be fair, this isn't cut-and-dried. So let me unpack:
(I briefly touched on why I dismissed penalties via burn in my gist, section: "Not feeling the burn".)
There is a distinction between penalty via burn to unspendable output and penalty via burn to miner fees. The latter has an obvious problem: if your counterparties collude with (or are) miners, they may not actually be penalized at all (now to be clear, that is a problematic attack ex nihilo: nobody usually can be sure who's mining the next block, but markets have a way of solving and coordinating such things: see e.g. the various MEV discussions and initiatives in Ethereum for an example of that).
But the former (provable burn) is still imo extremely unstable: if the penalty tx destroys all the money, what is the incentive for the honest party to punish? In such a scenario even a one cent donation from the attacker to the victim might prevent the penalty from happening.
You can combine 'destruction of most, or some, of the funds' with a smaller payout to the aggrieved party, but then again you have to factor in the possibility of bribes. The Sabu post you linked describes it as: "There are precise and delicate formulas for calculating the amount of loss of the issuer and the creditor, which ensures that just and true act in both parties are cost-effective in all situations." I agree it's delicate, but after having spent time looking into these things, my strong intuition is that it will never be properly stable.
In the PathCoin description I am specifically looking for a trustless system, with this finesse: we still count it as trustless even though we are using penalties as disincentive, because the penalty *consists of a payment directly from the attacker to the attacked, and that payment is larger than the amount stolen*. I claim that that *is* stable.
Notice that Lightning has the same model (in LN-Penalty), as long as 'claiming the whole channel capacity' is enough to be larger than what is stolen (see: channel reserves etc.).
Sent with [ProtonMail](https://protonmail.com/) Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 25th, 2022 at 11:53, Billy Tetrud via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> There was a protocol someone mentioned a while back called Sabu that had the same goals. As i recall, it had some pretty promising constructs, but would have a critical vulnerability that could be exploited by miners. This is the write up:
>
> https://raymo-49157.medium.com/time-to-boost-bitcoin-circulation-million-transactions-per-second-and-privacy-1eef8568d180
>
> Perhaps some of the techniques there could be combined with your ideas to get closer to a solution.
>
> On Mon, Jan 24, 2022, 08:51 AdamISZ via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>
>> Hello list,
>>
>> I took the time to write up this rather out-there idea:
>>
>> Imagine you wanted to send a coin just like email, i.e. just transfer data to the counterparty.
>>
>> Clearly this is in general entirely impossible; but with what restrictions and assumptions could you create a toy version of it?
>>
>> See this gist for a detailed build up of the idea:
>>
>> https://gist.github.com/AdamISZ/b462838cbc8cc06aae0c15610502e4da
>>
>> Basically: using signature adaptors and CTV or a similar covenant, you could create a fully trustless transfer of control of a utxo from one party to another with no interaction with the rest of the group, at the time of transfer (modulo of course lots and lots of one-time setup).
>>
>> The limitations are extreme and as you'd imagine. In the gist I feel like I got round one of them, but not the others.
>>
>> (I very briefly mention comparison to e.g. statechains or payment pools; they are making other tradeoffs against the 'digital cash' type of goal. There is no claim that this 'pathcoin' idea is even viable yet, let alone better than those ideas).
>>
>> Publishing this because I feel like it's the kind of thing imaginative minds like the ones here, may be able to develop further. Possibly!
>>
>> waxwing / AdamISZ
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20220125/e672234b/attachment.html>;
AdamISZ [ARCHIVE] /
npub1nv…kqw2t
2023-06-07 23:02:45
in reply to nevent1q…cxsn
Author Public Key
npub1nv7tjpn2g8tvt8qfq5ccyl00ucfcu98ch998sq4g5xp65vy6fc4sykqw2tPublished at
2023-06-07 23:02:45Event JSON
{
"id": "8193e78d0874185b63f37edba379e8de81c35911a14c132c12a5b8857e86ea6d",
"pubkey": "9b3cb9066a41d6c59c090531827defe6138e14f8b94a7802a8a183aa309a4e2b",
"created_at": 1686178965,
"kind": 1,
"tags": [
[
"e",
"49407a029ab97373bfc72edefef2f649a7084f7cf877ed66347e80a0bff03436",
"",
"root"
],
[
"e",
"e8937ad9a01182520aed9bbc8f4f3ac2779a74a5a4e8c6180f379c8df6be10c7",
"",
"reply"
],
[
"p",
"3030ec2d70259fdd55ba8e063740c139c3daaa618f86e3fae34cebcb73c742ba"
]
],
"content": "📅 Original date posted:2022-01-25\n📝 Original message:Hi Billy,\nI read through the description. I think systems like this *mostly* fail due to game theory.\n\nWith punishment-by-burn you have various issues that make it to my mind pretty unstable, too unstable to use for any serious system. To be fair, this isn't cut-and-dried. So let me unpack:\n\n(I briefly touched on why I dismissed penalties via burn in my gist, section: \"Not feeling the burn\".)\n\nThere is a distinction between penalty via burn to unspendable output and penalty via burn to miner fees. The latter has an obvious problem: if your counterparties collude with (or are) miners, they may not actually be penalized at all (now to be clear, that is a problematic attack ex nihilo: nobody usually can be sure who's mining the next block, but markets have a way of solving and coordinating such things: see e.g. the various MEV discussions and initiatives in Ethereum for an example of that).\n\nBut the former (provable burn) is still imo extremely unstable: if the penalty tx destroys all the money, what is the incentive for the honest party to punish? In such a scenario even a one cent donation from the attacker to the victim might prevent the penalty from happening.\nYou can combine 'destruction of most, or some, of the funds' with a smaller payout to the aggrieved party, but then again you have to factor in the possibility of bribes. The Sabu post you linked describes it as: \"There are precise and delicate formulas for calculating the amount of loss of the issuer and the creditor, which ensures that just and true act in both parties are cost-effective in all situations.\" I agree it's delicate, but after having spent time looking into these things, my strong intuition is that it will never be properly stable.\n\nIn the PathCoin description I am specifically looking for a trustless system, with this finesse: we still count it as trustless even though we are using penalties as disincentive, because the penalty *consists of a payment directly from the attacker to the attacked, and that payment is larger than the amount stolen*. I claim that that *is* stable.\n\nNotice that Lightning has the same model (in LN-Penalty), as long as 'claiming the whole channel capacity' is enough to be larger than what is stolen (see: channel reserves etc.).\n\nSent with [ProtonMail](https://protonmail.com/) Secure Email.\n\n‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐\nOn Tuesday, January 25th, 2022 at 11:53, Billy Tetrud via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e There was a protocol someone mentioned a while back called Sabu that had the same goals. As i recall, it had some pretty promising constructs, but would have a critical vulnerability that could be exploited by miners. This is the write up:\n\u003e\n\u003e https://raymo-49157.medium.com/time-to-boost-bitcoin-circulation-million-transactions-per-second-and-privacy-1eef8568d180\n\u003e\n\u003e Perhaps some of the techniques there could be combined with your ideas to get closer to a solution.\n\u003e\n\u003e On Mon, Jan 24, 2022, 08:51 AdamISZ via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\n\u003e\u003e Hello list,\n\u003e\u003e\n\u003e\u003e I took the time to write up this rather out-there idea:\n\u003e\u003e\n\u003e\u003e Imagine you wanted to send a coin just like email, i.e. just transfer data to the counterparty.\n\u003e\u003e\n\u003e\u003e Clearly this is in general entirely impossible; but with what restrictions and assumptions could you create a toy version of it?\n\u003e\u003e\n\u003e\u003e See this gist for a detailed build up of the idea:\n\u003e\u003e\n\u003e\u003e https://gist.github.com/AdamISZ/b462838cbc8cc06aae0c15610502e4da\n\u003e\u003e\n\u003e\u003e Basically: using signature adaptors and CTV or a similar covenant, you could create a fully trustless transfer of control of a utxo from one party to another with no interaction with the rest of the group, at the time of transfer (modulo of course lots and lots of one-time setup).\n\u003e\u003e\n\u003e\u003e The limitations are extreme and as you'd imagine. In the gist I feel like I got round one of them, but not the others.\n\u003e\u003e\n\u003e\u003e (I very briefly mention comparison to e.g. statechains or payment pools; they are making other tradeoffs against the 'digital cash' type of goal. There is no claim that this 'pathcoin' idea is even viable yet, let alone better than those ideas).\n\u003e\u003e\n\u003e\u003e Publishing this because I feel like it's the kind of thing imaginative minds like the ones here, may be able to develop further. Possibly!\n\u003e\u003e\n\u003e\u003e waxwing / AdamISZ\n\u003e\u003e _______________________________________________\n\u003e\u003e bitcoin-dev mailing list\n\u003e\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20220125/e672234b/attachment.html\u003e",
"sig": "6321b010fd57f200ba7a51f34de8abc562cffea41a89684e42d6cad2b0d4561c4228c8388a504c0adff85beb61a797bcae84baa3b98bd0719241f1a0e6fc065c"
}