What is the right and fair way to stop Mike Hearn?

[Mike Hearn]

I think he way is out of line, trying to force everybody to proof their identity by verifying their passport.

It's obvious you either didn't watch the video of my talk or didn't understand it. If you had understood it, you would know the difference between someone verifying their identity, and providing a zero-knowledge proof that they own a passport. These are entirely different things: the purpose of one is to avoid anonymity and the purpose of the second (what I was talking about) is to preserve it.

I must say, this is one of the most tiresome things about doing research on Bitcoin development - people who simply do not listen or understand yet have strong opinions anyway.

To summarise for other people who didn't/won't watch the talk: in a peer to peer network, there are times when it would be useful to know that the peers you connected to are not cooperating against you. This is obviously impossible to guarantee but we can make it significantly less likely with a variety of techniques, which we call anti-sybil techniques. Cases where it's useful to know this:

• Unconfirmed transactions with lightweight clients with no trusted third party, i.e. SPV clients like MultiBit, the Android wallet or Hive. Once you get a confirmation or two you can put your faith in majority hash power, but with Bitcoin as it works today, until then you have to just ask a bunch of peers if they believe it's valid. If you think you're talking to the real P2P network but in fact you're talking to a man in the middle attack, you could be misled into believing in a transaction that isn't valid.
• For floating fees, you need to poll random peers. You can't rely on the block chain here because it's being created by the parties that have most to gain from lying about fee levels.
• In Tor, you want to pick nodes/relays that aren't cooperating because if they were they could deanonymize you and Tor wouldn't work.

None of today's solutions are satisfying. Bitcoin Core relies on picking nodes spread out across a big range of IP addresses, but anyone with a botnet can beat that. SPV wallets (bitcoinj) just ask the DNS seeds and hope they're doing a good job, but DNS is insecure and the responses could be faked. Tor places much less emphasis on decentralisation than Bitcoin does and relies on a kind of central control by a group of "directory authorities", which can (and do) ban nodes.

So I discussed a couple of other solutions. One is proof of sacrifice, also known as fidelity bonds. For a while I called them "anonymous passports" but given the second line of research this name is ambiguous so I don't call them that anymore. Basically you throw some money away to miner fees and then use the Bitcoin addresses associated with that transaction to prove it was you who did it. With such a scheme if someone wanted to bring up 10,000 bitcoin or Tor nodes that were all run by the same person, that'd be very expensive.

But we don't want running Bitcoin or Tor nodes to require expensive sacrifices. We want them to be as cheap and numerous as possible. So, I suggest a second line of research - use some very advanced and modern mathematics to create a mathematical proof that you possess a passport (the government issued kind) without revealing any information from it. You would literally produce just a mathematical proof that you own a passport which hashes to a certain value. This does not require any co-operation from governments, it just processes data they already issued and they can't stop us doing it. This idea is useful because most people have one (or maybe two/three) passports, but it's very hard to own 10,000 of them. So you can easily get good diversity of nodes, and it's hard for Joe Hacker to flood the network with botnet bitcoinds that screw around with our system. Same for Tor.

Some people have noticed that although this approach would stop a large variety of different attackers, governments could make fake passports and use them. Yes, this is true. However they could also run fake Bitcoin/Tor nodes today too, so it's not making things any worse. And in fact there's a neat move we can make here too - an interesting thing about this new mathematical technique is you can potentially (I think) selectively reveal particular fields, like the country. So your wallet app could pick nodes run by citizens of the USA, Germany, China, Russia and Brazil. Because the worst attacks require the majority of nodes to be bad, this is strong - even if the USA decides to mint a pile of fake passports they still can't do anything bad. It'd require all those governments to co-operate to flood the network, which is a massive upgrade over the situation we have today.

Glancing at Reddit I see comments like "this is a statist solution". I guess a few people don't appreciate the irony of inverting an infrastructure of government control, to build strong anonymous peer to peer networks.

[tvbcof]

My approach to the solution would be to have a completely open hardware solution for TPM modules with design, manufacturing, and distribution overseen by a coalition including the likes of the EFF.  These would take the place of government issued passports, and would fit the bill of being relatively cheap, but not so cheap as to allow trivial mass accumulation.

To further gain confidence in the node distribution, employ methods like Kaminisky's 'nOOter' and Eli Ben-Sasson's 'PCPs' as presented at the SJ 2013 conference.

[Mike Hearn]

The proof technique I referred to in the talk is indeed what Eli Ben-Sasson presented at the conference. PCP's are just a part of it. You have to convert a C program into an arithmetic circuit nd then convert that into a quadratic arithmetic program before you can start creating a PCP from it.

Trusted hardware can be OK, but I think techniques based purely on maths can ultimately be more trustable when applicable.

[pungopete468]

I don't have a passport. My wife doesn't have a passport. Nobody in my extended family has a passport that I'm aware of.  

I don't think they're as common as you assume they are. You don't need one unless you travel out of the country and in these economic times I bet the number of people travelling is decreasing.

Thank you for working on improving the network but the closer Bitcoin is to digital cash; the better... We already have plenty of centralized and highly regulated options and we don't need Bitcoin turning into another one. There should be no link to your identity outside of a currency exchange for a centralized fiat currency.

The exchanges can deal with identity if you ask me...

If the solutions of today aren't satisfactory then wait for the solutions presented tomorrow. Don't just choose the least harmful out of a handful of poor solutions for lack of a good solution yet to be discovered...

[Mike Hearn]

There would be no link to your identity.

I think I'm going to have to find a simpler way to explain this. Maybe a diagram would help. A lot of people aren't getting it.

[Peter Todd]

Glancing at Reddit I see comments like "this is a statist solution". I guess a few people don't appreciate the irony of inverting an infrastructure of government control, to build strong anonymous peer to peer networks.

There's no irony in handing control of those systems to government. In a fantasy world these passport certificates aren't subvertable - they'll always be issued honestly, never duplicated, and the private keys in them will stay in them - but in the real world that's not something you can guarantee. People are worried that we'd find out in a few years for Snowden Jr. that the (three-letter-acronym) had been making up fake passports for the purpose of running Tor nodes - certainly possible - or had been issuing passports that they actually had the secret keys to after all and were signing anonymous signatures using that fancy crypto-math to run said Tor nodes.

Or hell, if this is one-passport-one-tor-node I'm sure these large surveillance/police/military government bodies could just ask their employees to donate their passports briefly to a good cause...

Anyway, two out of three of your examples have better solutions to them; notably there's no need to trust nodes to be "honest" anyway.

My approach to the solution would be to have a completely open hardware solution for TPM modules with design, manufacturing, and distribution overseen by a coalition including the likes of the EFF.  These would take the place of government issued passports, and would fit the bill of being relatively cheap, but not so cheap as to allow trivial mass accumulation.

To further gain confidence in the node distribution, employ methods like Kaminisky's 'nOOter' and Eli Ben-Sasson's 'PCPs' as presented at the SJ 2013 conference.

Something really interesting re: TPM is it appears you can make open-source community audited remote-attestation-capable hardware. The trick is that you can build hardware that creates the secret keys after manufacturing in some kind of initialization process, yet have the process itself verify the integrity of the "strong-box" the computer is in, and have the hardware implementing that process be designed such that third-parties can take it apart and verify that the hardware would have done that honestly. Pulling off this trick requires a minimal bootstrap routine in ROM that creates the keys on startup - since it's ROM you can pull the circuit itself apart to verify that the ROM was guaranteed to be executed and thus the keys generated securely when the internal batteries were connected the first time.

As for the "strong-box" to provide the tamper resistance, tempered glass and mirror silver work well. The glass is notoriously difficult to breach without causing it to shatter due to the internal stresses, and mirror silver lets you make tamper-detection circuits that detect that shattering and wipe the internal keys. Both techniques are low-technology, yet effective.

Now to verify the remote attestation, you take production lots of these boxes, have third-parties select sample boxes and tear them apart looking for flaws. The chance of getting away with shipping a bugged box is some function of how many sample devices were audited, the size of the production lot, and how good you are at detecting bugged devices. A secondary audit technique is to put Bitcoin private keys in the devicse, pay coins to them, and see if any get spent!

I spent some time a few months ago going through some of the details and think I covered them in principle, but just didn't have the time to pursue the project. There's a lot of details to cover, most of them nitty-gritty hardware level stuff, and you're likely to end up with "reasonable" assurance rather than anything all that convincing. But for Tor routers that's not a bad start. Combine it with Mikes passports maybe for more assurance.  

[pungopete468]

There would be no link to your identity.

I think I'm going to have to find a simpler way to explain this. Maybe a diagram would help. A lot of people aren't getting it.

You're really going to have to work to sell your idea... This isn't a friendly business arena you're operating within and people are used to being screwed sideways.

I'm not saying you operate the same way but you still have to convince people that you aren't.

[Mike Hearn]

People are worried that we'd find out in a few years for Snowden Jr. that the (three-letter-acronym) had been making up fake passports for the purpose of running Tor nodes

But they can run fake Tor nodes today, without doing any work at all. And as I pointed out, nothing stops you from picking nodes run out of different countries. The NSA might be able to fake US passports just fine. If they can get the Russian and Chinese private keys, well .... at least all the incentives are right to make that hard.

It really can't make anything worse. You can easily run multiple nodes off one passport. Just don't expect the same wallet app to connect to more than one of them. Tor has the notion of families, it maps naturally to that.

[Mike Hearn]

You're really going to have to work to sell your idea... This isn't a friendly business arena you're operating within and people are used to being screwed sideways. I'm not saying you operate the same way but you still have to convince people that you aren't.

This obligation flows both ways. If I explain why nobody is getting screwed, it's up to people who are worried to take time and understand those explanations. Some people are doing this, fortunately - thanks!

[Loozik]

Some people have noticed that although this approach would stop a large variety of different attackers, governments could make fake passports and use them. Yes, this is true.

Very true. And you do not need Snowden to tell you this (a short story how espionage guys duplicate passports of ordinary people to run their operations): http://www.dailymail.co.uk/news/article-1261435/How-Mossad-blew-The-gripping-story-Israels-brutally-efficient-secret-service-botched-Dubai-assassination.html

[Mike Hearn]

Yes, but faking paper passports is probably a lot easier than faking the digital signatures. Unless the Mossad can break RSA, either:

1) They faked non-NFC passports (likely)
2) They managed to steal the UKPA private key

Given the date of when that event happened, not all passports were electronic back then (they still aren't) so there would have been no need to do anything with digital signatures.

Anyway, like I said, it's still better than the big fat nothing that P2P networks have today. Governments are not the only attackers we care about, remember!

[Peter Todd]

People are worried that we'd find out in a few years for Snowden Jr. that the (three-letter-acronym) had been making up fake passports for the purpose of running Tor nodes

But they can run fake Tor nodes today, without doing any work at all. And as I pointed out, nothing stops you from picking nodes run out of different countries. The NSA might be able to fake US passports just fine. If they can get the Russian and Chinese private keys, well .... at least all the incentives are right to make that hard.

It really can't make anything worse. You can easily run multiple nodes off one passport. Just don't expect the same wallet app to connect to more than one of them. Tor has the notion of families, it maps naturally to that.

Tor's got a structure that makes running fake Tor nodes not quite as trivial as it sounds. Remember that Tor node operators are not anonymous, and Tor on the other hand is a semi-centralized service.

In any case, my personal objection isn't so much the passports for Tor idea - that's a genuinely hard problem - it's the application of that to zeroconf and fee estimation where there's much better ways to do it by not relying on trusting third parties. That's an example of lazily resorting to centralization when there's better solutions out there.

You know, I don't think I've ever seen you advocate a genuinely decentralized solution to something. It's just not how you think, and the community recognizes this. I'll bet you had I advocated that passport idea people would have chalked it up as just another cool idea from Peter Todd, but I can do that because unlike you I seem to have a generally good reputation for honestly promoting decentralization - among other things I get the sense that people generally trust me not to gloss over the flaws.

[Cameltoemcgee]

Yes, but faking paper passports is probably a lot easier than faking the digital signatures. Unless the Mossad can break RSA, either:

1) They faked non-NFC passports (likely)
2) They managed to steal the UKPA private key

Given the date of when that event happened, not all passports were electronic back then (they still aren't) so there would have been no need to do anything with digital signatures.

Anyway, like I said, it's still better than the big fat nothing that P2P networks have today. Governments are not the only attackers we care about, remember!

Just an idea, but something like Ethereum can serve as the data layer for a fully decentralized reputation system... It seems to me that something along these lines would be less likely to be compromised than any central authority tied into a physical item with a key. a well connected trust web is equally hard if not harder to reproduce than a TPM chip.

of course its up to people as to whether or not they want to use it... If it gained traction i could see instant transactions requiring signing from a key with a trustworthy reputation, and large transactions requiring verification via confirmations as the preferable method.

This would also allow for people in less fortunate countries who are unable to get a passport to still benefit from the increased security.

[augustocroppo]

There would be no link to your identity.

I think I'm going to have to find a simpler way to explain this. Maybe a diagram would help. A lot of people aren't getting it.

Some people cannot visualize what they read because they lack the technical understanding of what you are talking about. I personally pretty much appreciate this approach which appears very interesting and not difficult to implement. Perhaps instead to use only passports to produce the mathematical proof, also government issued encrypted keys? I have one stored in an USB stick which is impossible to replicate.

[NanoAkron]

I wrote earlier that Mike Hearn was just using the passport in his talk to demonstrate a centralised piece of ID and to show that there is a better way of issuing zero-trust non-centralised ID tokens based on some recent advances in mathematics.

I now stand corrected and am genuinely appalled at the idea of requiring a piece of real-world, centrally-issued ID to perform ANY activity with bitcoin.

Mike & Augusto - what do you say to the billions of poor and unbanked people around the world who stand to benefit from the personal-banking aspects of bitcoin, yet who don't have passports, encrypted USBs or other forms of trustworthy ID? Why are you interested in centralised solutions that only affect bitcoiners from wealthy nations?

[tvbcof]

I wrote earlier that Mike Hearn was just using the passport in his talk to demonstrate a centralised piece of ID and to show that there is a better way of issuing zero-trust non-centralised ID tokens based on some recent advances in mathematics.

I now stand corrected and am genuinely appalled at the idea of requiring a piece of real-world, centrally-issued ID to perform ANY activity with bitcoin.

Mike & Augusto - what do you say to the billions of poor and unbanked people around the world who stand to benefit from the personal-banking aspects of bitcoin, yet who don't have passports, encrypted USBs or other forms of trustworthy ID? Why are you interested in centralised solutions that only affect bitcoiners from wealthy nations?

"Don't run a node for SPV clients to hook up to."

People need to start view the Bitcoin network as it is going to look in the near future (if not already.)

(Actually, I have to wait until midnight my time to watch the presentation for bandwidth reasons, but my take is that this is method to limit the potential for that infrastructure providers to cheat.  Some dirt-poor tribesmen in Africa is not going to be an infrastructure provider.  Nor are you and I for that matter.  We are all just SPV clients.  (But that's OK, 'cuz they're so rich, and we ain't nothin' but a dopeman's bitch! (I'm on a bit of an NWA kick these last few days...)))

[justusranvier]

But we don't want running Bitcoin or Tor nodes to require expensive sacrifices. We want them to be as cheap and numerous as possible.

A lot of the inventive problems with the network right now are due to the anomaly of the block reward being larger than the transaction fee revenue. Subsidies always cause economic distortions, and Bitcoin is no different.

In a future where the transaction rate is high and transaction fee are more important than the subsidy in terms of miner revenue then things start to look a lot different in terms of the miner/full node dynamic.

Perhaps it's better to get the network to that state first as quickly as possible because that's what needs to happen for long term viability of the currency anyway, and then see what needs to be done.

[MarketNeutral]

There would be no link to your identity.

I think I'm going to have to find a simpler way to explain this. Maybe a diagram would help. A lot of people aren't getting it.

On the contrary, I think many people are "getting it."

Nevertheless, please explain how using government-issued passports squares with "no link to your identity."

Further, what does "trustless" mean to you?

Has your vision of bitcoin always included state-dependent, centralized solutions?

Are you playing the role of "bad cop" to promulgate further regulation of bitcoin?

Is the mention of Tor a clever way to toss breadcrumbs to us while blacklisting some and and passport-linking others?

Are you attempting to establish the parameters of the narrative in a coercive way?

[giszmo]

I ranted against core developers, too, only to be set right afterwards so I don't want to be too harsh with OP but I want to express my 100% confidence in Mike Hearn who does an excellent job at pushing Bitcoin in the right direction. Fortunately he is 2 steps ahead of most of us and sadly he's drawn into ridiculous threads like this due to a lack of … mind reading devices? Not sure what could fill that gap when there is such a small number of people that can code the future of Bitcoin/spend their time on explaining it to mere mortals.

I have yet to see Gavin, Mike or any core dev push for anything unethical in the sense of what most in this community see in Bitcoin and I wish OP would be satisfied with what he read so far and mark this thread as resolved to not draw more attention to this non-issue.

[anti-scam]

On the contrary, I think many people are "getting it."

Nevertheless, please explain how using government-issued passports squares with "no link to your identity."

Further, what does "trustless" mean to you?

Has your vision of bitcoin always included state-dependent, centralized solutions?

Are you playing the role of "bad cop" to promulgate further regulation of bitcoin?

Is the mention of Tor a clever way to toss breadcrumbs to us while blacklisting some and and passport-linking others?

Are you attempting to establish the parameters of the narrative in a coercive way?

https://en.wikipedia.org/wiki/Zero-knowledge_proof

Why don't you actually educate yourself before making a bunch of cryptic accusations phrased as questions? This ridiculous bashing of Mike Hearn has to stop. I don't agree with all of his proposed solutions but I'd sure hate to see a smart, capable individual driven out of the community by a bunch of people who can't even be bothered to understand what they're talking about. This is why Gavin doesn't even bother visiting these forums anymore. Keep making inflammatory comments and all that will happen is that Bitcoin development will continue without any sort of community input.

The Bitcoin community needs both Mike Hearns and Amir Taakis. There is room for both solutions that work now and aren't as ideologically pure and solutions that will work later and are "perfect".  Hardcore cryptolibertarians aren't the only Bitcoin users nor should they be. Look up "Worse is better" vs. "MIT approach". Mike Hearn is proposing things that will work as quickly and easily as possible and advance Bitcoin's utility for your average person. This is hardly treason. None of his solutions will conflict with having the perfect solution later. Implementing X.509 certificates won't prevent PGP from being implemented later. Grandma probably doesn't have to worry about Verisign collaborating with the government to steal her morning coffee money.