Namecoin was stillborn, I had to switch off life-support

[justusranvier]

I disagree. If bitcoin fails everything based on bitcoin blockchain will also fail. Diversity in alt blockchains is the best chance for success.

Diversity in blockchains weakens all of them.

If your threat model included nation-state level attackers, your only chance of success is to have the highest possible hash rate protecting it. Splitting the processing power over a bunch of diverse blockchains increases the probability that each one will fall in succession because none of them have enough hashing power to survive the attack.

[1713960957]

1713960957

[1713960957]

1713960957

[1713960957]

1713960957

[1713960957]

1713960957

[Peter Todd]

If your threat model included nation-state level attackers, your only chance of success is to have the highest possible hash rate protecting it. Splitting the processing power over a bunch of diverse blockchains increases the probability that each one will fall in succession because none of them have enough hashing power to survive the attack.

Note that Namecoin is merge-mined, so splitting hashing power isn't directly a valid criticism. Rather the criticism is that Namecoin miners don't benefit from mining namecoin as directly as Bitcoin miners, screwing up the incentives, and because merge-mining is pretty much free for the miner so there isn't the incentive to mine properly. Both problems lead to Namecoin being less secure than it would be had it been designed to work on top of the Bitcoin blockchain.

[justusranvier]

Note that Namecoin is merge-mined, so splitting hashing power isn't directly a valid criticism.

I was speaking in general, not specifically Namecoin. I don't think merge mining is what people mean when they talk about blockchain diversity anyway.

[becoin]

Splitting the processing power over a bunch of diverse blockchains increases the probability that each one will fall in succession because none of them have enough hashing power to survive the attack.

If only they use the same hash algo. Fortunately, alt coins are using totally different or heavily modified hash algos and this is why they are alts not clones.

[justusranvier]

If only they use the same hash algo. Fortunately, alt coins are using totally different or heavily modified hash algos and this is why they are alts not clones.

That's exactly what causes the vulnerability.

[amincd]

Thank you for finding this bug OP. It appears to be confirmed in the Namecoin forum.

If only they use the same hash algo. Fortunately, alt coins are using totally different or heavily modified hash algos and this is why they are alts not clones.

A >50% attack is an economic attack. If you have the economic resources of honest miners split among different blockchains, an attack can focus on one at a time to take them out, and need fewer resources to successfully execute, as each network would have a lower hashrate than a single, non-fragmented network would have.

Combining all efforts in one blockchain (or several merge-mined blockchains) means that the threshold for a successful attack is higher, reducing the number of organizations that have the resources to be capable of executing it. In the case of POW security, scale is a major advantage.

Anyway, IMHO, Namecoin, while perhaps not perfect, has been running for a couple of years, already has a large community (relatively speaking) involved in it, and, for these reasons, is the best shot we have at a decentralized DNS. This bug is critical but fixable from what I've gathered.

[becoin]

If only they use the same hash algo. Fortunately, alt coins are using totally different or heavily modified hash algos and this is why they are alts not clones.

That's exactly what causes the vulnerability.

What do you mean? Bitcoin's hash algo is the best one and must be kept unchanged forever?!

[becoin]

Combining all efforts in one blockchain (or several merge-mined blockchains) means that the threshold for a successful attack is higher, reducing the number of organizations that have the resources to be capable of attacking it.

Same higher threshold that leads bitcoin mining into absolute centralization?

This is not the way life survived on planet Earth. The key to a successful ecosystem is diversity not uniformity!

[iddo]

Anyway, IMHO, Namecoin, while perhaps not perfect, has been running for a couple of years, already has a large community (relatively speaking) involved in it, and, for these reasons, is the best shot we have at a decentralized DNS. This bug is critical but fixable from what I've gathered.

If Namecoin is the best shot we have at a decentralized DNS then that's bad news, because the Namecoin protocol wasn't well thought through and therefore it doesn't really enable a decentralized DNS, see here:
https://bitcointalk.org/index.php?topic=233997.msg2534114#msg2534114
https://en.bitcoin.it/wiki/User:Gmaxwell/namecoin_that_sucks_less

[Rassah]

If Namecoin is the best shot we have at a decentralized DNS then that's bad news, because the Namecoin protocol wasn't well thought through and therefore it doesn't really enable a decentralized DNS, see here:
https://bitcointalk.org/index.php?topic=233997.msg2534114#msg2534114
https://en.bitcoin.it/wiki/User:Gmaxwell/namecoin_that_sucks_less

Is there such a thing as a thin client DNS server? I can't think of any way to store an entire database on IPs and domain names in a thin client...

[Peter Todd]

Is there such a thing as a thin client DNS server? I can't think of any way to store an entire database on IPs and domain names in a thin client...

Yes - you make it possible for someone else to store it and provide you a cryptographic proof that what they gave you was correct. This lets you distribute the actual data with any number of solutions.

Namecoin doesn't do this, so unless you have the full namecoin database you have no idea if a given DNS name->ip mapping was correct.

[d'aniel]

I might as well pile on too while we're all at it  Just some thoughts I've been having about this problem I wanted to share.

Using namecoin strings alone as identities is clearly crazy - they're first come first serve, and anyone can come and register one after you whose typesetting only very subtly different, opening the door for phishing.  So you need a PKI built on top, which is much more difficult to do than namecoin itself.  Not to mention, as retep did earler ITT, it can't do lightweight clients without trust.  Even with the complex UTXO commitments he mentioned, you have to trust that miners won't rewrite history (because lightweight clients won't be able to check a UTXO proof for every block for every name they're interested in).

If we slightly temper our expectations of a secure, decentralized naming system, then we can solve these problems very easily (or define them away, depending on how you look at it).  And the result is Good Enough IMHO.  Essentially, if we give up on names being meaningful (but still keep them short, pronounceable and memorable) then they can be used alone securely as identities - no PKI needed.  The idea is that there are a relatively small number of transactions in the Bitcoin blockchain (< 2^25 currently), so you don't need very many bits to encode a transaction's location in the blockchain uniquely.  You then run these encodings through an universally agreed upon cipher to make them dissimilar, and encode the result into some phonemic base.  By encoding a pubkey fingerprint in a transaction, you have a secure name to pubkey mapping.  This can build directly off of Jeff Garzik's identity protocol: https://en.bitcoin.it/wiki/Identity_protocol_v1.

For example, with a large set of CVC phonemes (consonant - vowel - consonant), you only need three to describe a 32 bit name: ~reb-mizvig.  Wisely selecting a smaller set of phonemes may make for more readable names in general at the expense of needing another phoneme: ~bitlyr-worwyd.  Might be worth it.  And you could have lots of different "languages" for different styles of names.  Or different alphabets even.  The guys working on Urbit are currently developing some of these phonemic bases and said we can just copy what they come up with if we like.

Note that all a lightweight client needs to resolve a name to a pubkey fingerprint is the block headers and a merkle path, which encodes the transaction's location via the ordering of hashes.  Also, names done this way would be very dissimilar, so you could safely use them alone as your identity.  This is probably best for identities that live purely online; if people know you only by this name, then key verification comes for free.

Regarding transfer of names, I wonder if that really makes sense.  I can wholeheartedly vouch for a person, but can I really sell your trust in me to to them?  The names are sufficiently throwaway, so I say don't bother with this.  System's much simpler without it.

Of course this all glosses over the need for good key management.  Maybe devices like Trezor could be useful here.  Some random thoughts on a distributed key revocation blockchain:
- Identity protocol's miner sacrifices makes this hard to spam.
- Authenticated prefix trees instead of merkle trees could make it so you only have to pay attention to small subsets of each block containing (or not containing) names you care about.
- We only care about unjammability, so we can pay attention to, say, the 5 longest branches to make it more difficult for miners to suppress revocations.

Thoughts?  Is this all crazy/expecting too much of people?  Am I misunderstanding the problem?

[gmaxwell]

My my, thats unfortunate.  Had this been fixed before being exploited it would have been a trivial soft forking adjustment.  Even a simple temporary softforking adjustment to deny all transactions while it would have fixed would have prevented basically all the harm.

[axilla]

decentralized DNS should in now way rely on the blockchain.. PERIOD..  It's madness to continue to build things into the blockchain that have in no way what so ever a relationship to bitcoin.  Anyone who says otherwise please show me with FACTS where a decentralized DNS would be better suited crammed into an already bloated block chain instead of its own entity that uses bitcoins in some way...  It's extremely lazy in my opinion and there are far better ways to do it. 

[snailbrain]

please check "fix"

http://dot-bit.org/forum/viewtopic.php?f=2&t=1297

[theymos]

One issue I could see with implementing NMC on top of BTC is future scalability. Specifically, when BTC blockchain gets huge, it would mean that the datacenters that store bitcoin blockchain information would have to also double as DNS providers. I think a NMC blockchain would be much much smaller in size compared to bitcoin, since transactions on namecoin are much less frequest, even if they may hold more data. So keeping the two separate would allow for many more smaller, independent DNS providers, instead of limiting it to just the few bitcoin providers we'll likely end up with in the future.

That's one area where Namecoin was very weak. Its blockchain may have started out smaller, but its scalability is no better than Bitcoin's, and it'll eventually have the same problems (like all Bitcoin-based altcoins). But if your decentralized DNS doesn't include a currency, then old data about domain ownership can be more easily forgotten. For example, if you require that registrants renew their domains weekly, then resolvers only need the last few weeks of full blockchain data (plus headers to verify the chain). There may also be better ways of doing this that don't require frequent renewal. (You can also do this sort of renewal thing with BTC in order to reduce download requirements, but it'd be really unpopular.)

Running a resolver on a well-designed DNS system will always be pretty cheap unless Bitcoin's network requirements become huge.

Could DNS be implemented as smart property on top of something like Mastercoin?

Probably, but I'm not a huge fan of smart property or Mastercoin.

[killerstorm]

Essentially, if we give up on names being meaningful (but still keep them short, pronounceable and memorable) then they can be used alone securely as identities - no PKI needed.  The idea is that there are a relatively small number of transactions in the Bitcoin blockchain (< 2^25 currently), so you don't need very many bits to encode a transaction's location in the blockchain uniquely.

FWIW I had pretty much the same idea about a half year ago.

https://bitcointalk.org/index.php?topic=138000.msg1471978#msg1471978

Although I thought about using words rather than phonemes: four words are enough.

E.g. somebody can register a name like "cranky corporate classic company".

[d'aniel]

Essentially, if we give up on names being meaningful (but still keep them short, pronounceable and memorable) then they can be used alone securely as identities - no PKI needed.  The idea is that there are a relatively small number of transactions in the Bitcoin blockchain (< 2^25 currently), so you don't need very many bits to encode a transaction's location in the blockchain uniquely.

FWIW I had pretty much the same idea about a half year ago.

https://bitcointalk.org/index.php?topic=138000.msg1471978#msg1471978

Although I thought about using words rather than phonemes: four words are enough.

E.g. somebody can register a name like "cranky corporate classic company".

Oh cool.  The phonemic names seem like an improvement on this (shorter and more memorable), but you can credit the Urbit developers for them.

[eldentyrell]

Well supposedly namecoin was never much use to start with because names were so cheap that basically everyone's name was already taken almost before anyone had heard of the thing?

Actually there was a long price ramp at the beginning and names started out very expensive.

No, actually there was a short price ramp.  That was the problem.

Because namecoin entries aren't fungible the viability of the system is much more sensitive to the inflation schedule.  BTC are fungible so if the initially-hardwired inflation schedule isn't "perfect" it simply amounts to a larger or smaller financial windfall for early adopters.

[eldentyrell]

No, but it does require a serialization mechanism whose developers aren't actively hostile to it being used for information storage.

In other words, you can't use the bitcoin blockchain for this.

They'll be overruled by an economy majority eventually.

Except that they aren't the majority!  You see, that's the issue.  As long as the majority of the use of the BTC blockchain is as money, not as a key/value store, people using it as a key/value store are vulnerable to sudden changes that aren't in their interest.