đź“… Original date posted:2014-04-27
đź“ť Original message:On 04/27/2014 05:36 AM, Sergio Lerner wrote:
>> Without invoking moon math or assumptions of honest peers and
>> jamming-free networks, the only way to know a chain is valid is to
>> witness the each and every block. SPV nodes on the other hand,
>> simply trust that the most-work chain is a valid chain, based on
>> economic arguments about the opportunity cost of mining invalid
>> blocks.
> I argue that you cannot talk about "the most-work chain" without
> actually making an assumption about honest peers.
I should have said "without invoking moon math or interactive protocols
requiring honest peers over jamming-free networks." The interactive
protocol was more the point than the honest peers and jamming-free
network. Yes, without an honest peer and an un-jammed network, you might
never learn about the most-work chain in the first place. But having the
security of the proof not depend on query access to an honest full node
is absolutely necessary for some applications and certainly desirable in
others.
Although strictly speaking what I said may not be 100% true. The single
alternative solution I've seen involves some sort of Fiat–Shamir
transform that could give you a probabilistic proof by including random
additional paths through the block chain chosen based on the combined
hash of the headers. However this is disadvantageous as it massively
increases the proof size and verification time, and you have to include
a lot of data to achieve assurance that more work was required to
generate the fraud than an honest chain.
> If you do not make the assumption, you compute the "economic
> arguments" wrong.
Not necessarily. By requiring connectivity you know that what you are
receiving is built off of the main chain, for example, and you can still
make assumptions about resulting opportunity costs.
> First this is a method that uses NPPs, not SPV proofs. Since the
> method chooses all peers that are synchronized (have the latest
> current block) then going back means only skipping a potential short
> fork (which I suppose has never been more than 3 blocks during normal
> network conditions). You're looking for a common ancestor, not the
> checkpoint. So the linear scan is actually O(1). The exact value can
> be approximated by the sum of the convergent infinite geometrical
> sequence of forking probabilities, which it's about 1.03 without
> considering selfish-mining, and probably less than 2.03 considering
> it.
Unless you're connected to attacker nodes which are wildly divergent
from each other. It's relatively easy to create a massive fake history
of difficulty-1 blocks.
If you assume honest peers things get very easy. But that's not a safe
assumption to be making. With back-link block-history commitments, on
the other hand, an interactive protocol allows you to do a binary search
to find common ancestors, and have trust that the intermediate links
actually exist.
Mark Friedenbach [ARCHIVE] /
npub1r3…48d0u
2023-06-07 15:20:26
in reply to nevent1q…n0f5
Author Public Key
npub1r3san9v5njl6798hvauyu9ntm6r9c7u8s0t65wls58gpfdcvqp5sa48d0uPublished at
2023-06-07 15:20:26Event JSON
{
"id": "06350dc2b13540fb50a228f38e34e2ca3769aba921a6833b3f30996adada0221",
"pubkey": "1c61d995949cbfaf14f767784e166bde865c7b8783d7aa3bf0a1d014b70c0069",
"created_at": 1686151226,
"kind": 1,
"tags": [
[
"e",
"52601dddf7ab03b9f5df6b1d060ac7041d101e77a4d0b631e8e74b466abf4568",
"",
"root"
],
[
"e",
"e27633c76ca1507e515552c3c5a8b60de2635a676fa765c4288d3ba46edba13b",
"",
"reply"
],
[
"p",
"60f7a1f85420f38fa26db24af48330bd1800ed3bef3168454263dcfcef62a8ce"
]
],
"content": "📅 Original date posted:2014-04-27\n📝 Original message:On 04/27/2014 05:36 AM, Sergio Lerner wrote:\n\u003e\u003e Without invoking moon math or assumptions of honest peers and\n\u003e\u003e jamming-free networks, the only way to know a chain is valid is to \n\u003e\u003e witness the each and every block. SPV nodes on the other hand,\n\u003e\u003e simply trust that the most-work chain is a valid chain, based on\n\u003e\u003e economic arguments about the opportunity cost of mining invalid\n\u003e\u003e blocks.\n\u003e I argue that you cannot talk about \"the most-work chain\" without \n\u003e actually making an assumption about honest peers.\n\nI should have said \"without invoking moon math or interactive protocols\nrequiring honest peers over jamming-free networks.\" The interactive\nprotocol was more the point than the honest peers and jamming-free\nnetwork. Yes, without an honest peer and an un-jammed network, you might\nnever learn about the most-work chain in the first place. But having the\nsecurity of the proof not depend on query access to an honest full node\nis absolutely necessary for some applications and certainly desirable in\nothers.\n\nAlthough strictly speaking what I said may not be 100% true. The single\nalternative solution I've seen involves some sort of Fiat–Shamir\ntransform that could give you a probabilistic proof by including random\nadditional paths through the block chain chosen based on the combined\nhash of the headers. However this is disadvantageous as it massively\nincreases the proof size and verification time, and you have to include\na lot of data to achieve assurance that more work was required to\ngenerate the fraud than an honest chain.\n\n\u003e If you do not make the assumption, you compute the \"economic\n\u003e arguments\" wrong.\n\nNot necessarily. By requiring connectivity you know that what you are\nreceiving is built off of the main chain, for example, and you can still\nmake assumptions about resulting opportunity costs.\n\n\u003e First this is a method that uses NPPs, not SPV proofs. Since the\n\u003e method chooses all peers that are synchronized (have the latest\n\u003e current block) then going back means only skipping a potential short\n\u003e fork (which I suppose has never been more than 3 blocks during normal\n\u003e network conditions). You're looking for a common ancestor, not the\n\u003e checkpoint. So the linear scan is actually O(1). The exact value can\n\u003e be approximated by the sum of the convergent infinite geometrical\n\u003e sequence of forking probabilities, which it's about 1.03 without\n\u003e considering selfish-mining, and probably less than 2.03 considering\n\u003e it.\n\nUnless you're connected to attacker nodes which are wildly divergent\nfrom each other. It's relatively easy to create a massive fake history\nof difficulty-1 blocks.\n\nIf you assume honest peers things get very easy. But that's not a safe\nassumption to be making. With back-link block-history commitments, on\nthe other hand, an interactive protocol allows you to do a binary search\nto find common ancestors, and have trust that the intermediate links\nactually exist.",
"sig": "de9b05f894e9c007da951212300ef6984d7933becb89e4aaccbf5ea7ec7ec6f27987c9b9e299ea36916983899d162af07f5a4af6aafa0c3e21c16a96cbceab60"
}