--- Log opened Sun Aug 18 00:00:14 2013
23:15 < amiller> i ran into ben laurie finally
23:15 < amiller> i've been wanting to meet him for like 2 yrs and somehow convince him that proof-of-work based consensus is not inherently wasteful or inferior to designated identities
23:17 < gmaxwell> did he set you on fire and throw you out a window?
23:18 < amiller> no but it didn't go as well as i hoped anyway
23:18 < amiller> we kinda rambled at each other for a while
23:19 < amiller> he thinks during the conversation he came up with a great improvement that resembles proof-of-stake a bit
23:20 < amiller> an interesting (imo) line of thought came out of it though, which is that any spending on "defense" always appears as waste if it's spent to defend against an attacker that has no plausible chance of existing
23:21 < amiller> paranoid spending
23:21 < petertodd> ...yet we still have nuclear subs...
23:21 < petertodd> makes sure the attacker doesn't exist because they take one look at it and say "why try?"
23:23 < amiller> if someone comes to you with a proposal for building a defensive forcefield, there's only a few ways to go about good deciding
23:24 < amiller> i guess it helps if everyone can agree on what kinds of attacks we should defend against or deter
23:24 < petertodd> I prefer to think about it in terms of the value asymmetry: in bitcoin an attack can spend much less than the total value of the currency to destroy it.
23:26 < petertodd> or in short, attack money is probably fungible
23:29 < amiller> in bitcoin's steady state, however the fees work out, the total amount of fees collected (funds raised) basically equals the amount of mining power expended on defending against bitcoin's particular 51% attacker
23:30 < petertodd> well, that's actually my key point: the fees may work out, but that's all you've got - it's hard to just spend more fees or something to defend against a previously unknown attacker
23:30 < amiller> so it's a sound/efficient system if it's basically a good way to in a decentralized way decide how much to spend on defense and how to decide who pays what
23:31 < petertodd> well see I'm mainly thinking in comparison to proof-of-sacrifice blockchains, which can be arranged in such a way that you sacrifice what funds you have left to stop the attacker - but they need an underlying proof-of-work to actually work...
23:32 < amiller> so what does it mean to choose an attack model by consensus
23:32 < amiller> basically everyone gets to have their own bogeyman
23:32 < petertodd> for me it's aliens
23:32 < amiller> and when it's done correctly the attacker likely won't even show up
23:32 < amiller> well aliens are far away so you can use my new overwhelmingly-powerful-but-distant-attacker proof of work model
23:32 < petertodd> for my brother it's fear that all his efforts towards preventing an attack will prove to be wasted against a phantom threat...
23:33 < petertodd> lol
23:33 < amiller> that's so tricky
23:33 < amiller> because you never get a good signal that you're wrong in that case
23:33 < petertodd> heh
23:33 < amiller> maybe leaving some cheap coins around as a decoy is a good principle?
23:34 < petertodd> interestingly I was talking to peter vessenes the other day about changing the proof-of-work function, and he had been convinced that the option needs to be on the table and planned for
23:34 < petertodd> good indication of the social environment around btc
23:34 < amiller> yeah
23:35 < petertodd> he's right though in a way: the biggest strength is that bitcoin can fundamentally change what it is to adapt
23:35 < amiller> well let's see how the community handles fragmentation and dozens of these cryptocoins as well
23:36 < petertodd> heh, hence having an entity named "the foundation"...
23:46 < amiller> i have a contradiction in even my really simple model
23:46 < amiller> i'm not really sure what to make of this, even intuitively
23:46 < amiller> here's the problem, i think of bitcoin as a protocol for synchronous networks
23:47 < amiller> the proof sketch in the satoshi whitepaper essentially assumes that blocks are broadcast immediately
23:48 < amiller> and there's no trouble carrying that through with some maximum delay, but that delay certainly has to be *known* and set globally as a parameter
23:49 < amiller> the problem is that given this assumption, it seems like it's possible to get security against even an arbitrary >50% attacker
23:50 < amiller> the reason why is that if you imagine that every honest node is able to broadcast, and also that somehow stale/parallel/fork blocks get included in every chain in a specially marked 'wastebin' pile or whatever,
23:51 < amiller> then you could also change the best block rule to ignore blocks you haven't heard about from a while ago
23:52 < amiller> or to put it another way, bitcoin is really lenient about time when picking the largest chain, which is good because it makes it tolerant to longer partitions
23:53 < gmaxwell> yea, means a modest intercontinental partition doesn't just end the currency, even absent an attacker other than ActOfGod.
23:54 < amiller> it does basically require shutting down service though
23:55 < amiller> i mean, an intercontinental partition is still really harmful, especially if the attacker is better connected
23:55 < amiller> even eclipse-attacking an individual node is pretty bad
23:58 < amiller> how to reason about something that's half-in and half-out of the attack model
--- Log closed Mon Aug 19 00:00:20 2013