Establishing the Trustworthiness of Nodes without External Tokens (eg Passports)

[NanoAkron]

Problem: Walk into a bar, pay for a drink, BTC vanishes into thin air because the node was spoofed or you got MITMd.

What problem? Nobody can steal a customer's money that way. The bar won't give the customer an address that the bar doesn't control, and the customer won't sign a transaction to any other address than the one he receives from the bar. Are you worried that customers will double spend against the bar? If so, it'll quickly be discovered by the bar.

That's not the worry. A man-in-the-middle attack (MITM) means that what the bar thinks is a valid node to the rest of the bitcoin network is actually the perpetrator.

That's the scenario we're talking about here - validating the pathway between user <--> node.

I want the validation to remain trustless and to not require any external validation e.g. "I say my node is valid and here's my driver's license to prove it." - validation should be like the rest of bitcoin: trustless and distributed, built upon a cryptographically signed 'proof-of-x' function.

[1714031303]

1714031303

[1714031303]

1714031303

[1714031303]

1714031303

[Minthos]

Problem: Walk into a bar, pay for a drink, BTC vanishes into thin air because the node was spoofed or you got MITMd.

What problem? Nobody can steal a customer's money that way. The bar won't give the customer an address that the bar doesn't control, and the customer won't sign a transaction to any other address than the one he receives from the bar. Are you worried that customers will double spend against the bar? If so, it'll quickly be discovered by the bar.

That's not the worry. A man-in-the-middle attack (MITM) means that what the bar thinks is a valid node to the rest of the bitcoin network is actually the perpetrator.

That's the scenario we're talking about here - validating the pathway between user <--> node.

I want the validation to remain trustless and to not require any external validation e.g. "I say my node is valid and here's my driver's license to prove it." - validation should be like the rest of bitcoin: trustless and distributed, built upon a cryptographically signed 'proof-of-x' function.

So if nobody can steal anything, what's the problem?

[NanoAkron]

So if nobody can steal anything, what's the problem?

What do you mean? The MITM spoofing the node gets to run away with all of the BTC that the pub took that evening.

[Minthos]

So if nobody can steal anything, what's the problem?

What do you mean? The MITM spoofing the node gets to run away with all of the BTC that the pub took that evening.

How? It can't get the bar's private keys, and it can't change the bar's receiving addresses. So how is it supposed to get hold of those coins?

[NanoAkron]

So if nobody can steal anything, what's the problem?

What do you mean? The MITM spoofing the node gets to run away with all of the BTC that the pub took that evening.

How? It can't get the bar's private keys, and it can't change the bar's receiving addresses. So how is it supposed to get hold of those coins?

The bar thinks the man with the suitcase in the corner is actually a node. The bar is relaying blocks to the rest of the network through this supposed node. The blocks either get edited or just not relayed to the rest of the network. The man with the suitcase pretends to the bar that the block has been confirmed correctly. The man with the suitcase walks out with BTC.

[Minthos]

So if nobody can steal anything, what's the problem?

What do you mean? The MITM spoofing the node gets to run away with all of the BTC that the pub took that evening.

How? It can't get the bar's private keys, and it can't change the bar's receiving addresses. So how is it supposed to get hold of those coins?

The bar thinks the man with the suitcase in the corner is actually a node. The bar is relaying blocks to the rest of the network through this supposed node. The blocks either get edited or just not relayed to the rest of the network. The man with the suitcase pretends to the bar that the block has been confirmed correctly. The man with the suitcase walks out with BTC.

You need to read more about how bitcoin works. First of all, the bar doesn't send blocks anywhere since it doesn't mine. It doesn't even send transactions, it just listens for incoming transactions and incoming blocks. Secondly, transactions are signed before they're broadcast to the network. Once they have been signed, they can't be tampered with. So your MITM can't edit any transactions. What he can do is be selective about which transactions he forwards where. If he were to collude with the customers, he could help facilitate double-spending attacks against the bar, but as mentioned previously any such attack could quickly be detected.

[coinrevo]

Its not how bitcoin works, but its an interesting concept. Instead of having the whole world verify blocks, one could somehow use nodes in some proximity. One could call it local web of trust.

[NanoAkron]

Its not how bitcoin works, but its an interesting concept. Instead of having the whole world verify blocks, one could somehow use nodes in some proximity. One could call it local web of trust.

One worry is the bar thinks its getting paid because it's seeing false confirmations, when in reality it's giving away drinks for free because the transactions are never getting relayed to the rest of the network.

[Minthos]

Its not how bitcoin works, but its an interesting concept. Instead of having the whole world verify blocks, one could somehow use nodes in some proximity. One could call it local web of trust.

One worry is the bar thinks its getting paid because it's seeing false confirmations, when in reality it's giving away drinks for free because the transactions are never getting relayed to the rest of the network.

Nope. A "confirmation" is a valid block with the transaction included, and a valid block includes a proof of work. The proof of work is far too valuable to waste trying to double spend in a bar.

[NanoAkron]

Its not how bitcoin works, but its an interesting concept. Instead of having the whole world verify blocks, one could somehow use nodes in some proximity. One could call it local web of trust.

One worry is the bar thinks its getting paid because it's seeing false confirmations, when in reality it's giving away drinks for free because the transactions are never getting relayed to the rest of the network.

Nope. A "confirmation" is a valid block with the transaction included, and a valid block includes a proof of work. The proof of work is far too valuable to waste trying to double spend in a bar.

Except for 2 things: in rapid low-value retail environments where we're told 0 conf should be ok, and I know bars that turn over £2,000+/night. Plenty of easy pickings if you spoof a few confirmations by pretending to be the rest of the network.

[Minthos]

Its not how bitcoin works, but its an interesting concept. Instead of having the whole world verify blocks, one could somehow use nodes in some proximity. One could call it local web of trust.

One worry is the bar thinks its getting paid because it's seeing false confirmations, when in reality it's giving away drinks for free because the transactions are never getting relayed to the rest of the network.

Nope. A "confirmation" is a valid block with the transaction included, and a valid block includes a proof of work. The proof of work is far too valuable to waste trying to double spend in a bar.

Except for 2 things: in rapid low-value retail environments where we're told 0 conf should be ok, and I know bars that turn over £2,000+/night. Plenty of easy pickings if you spoof a few confirmations by pretending to be the rest of the network.

Are you aware that the block reward is currently worth 19200 USD? That's how much it costs to spoof a single confirmation. Nodoby is going to do that just to get a few free drinks in a bar.

[NanoAkron]

So why did Mike Hearn go to lenghs to describe passport based verification of nodes? What problem was he proposing this would solve?

[d'aniel]

So why did Mike Hearn go to lenghs to describe passport based verification of nodes? What problem was he proposing this would solve?

2) Flooding networks with peers that look unrelated but actually aren't. Tor has the same problem, so I'm interested in solutions that generalise to all P2P networks. For these proofs of propagation etc are irrelevant. For Bitcoin it might be possible in every case to come up with fancy tricks based on proof of work, though remember someone has to actually write the code for all of these ideas! But I don't see how to avoid the issue with Tor. There just isn't any reasonable way that the Tor directory operators can know if nodes are related today, and if they are, Tor fundamentally breaks. Given that GCHQ has been tasked with breaking Tor (they're thinking of the children you see), advanced sybil attacks on it seem more likely than not in the near future.

[Qoheleth]

2) Flooding networks with peers that look unrelated but actually aren't. Tor has the same problem, so I'm interested in solutions that generalise to all P2P networks. For these proofs of propagation etc are irrelevant. For Bitcoin it might be possible in every case to come up with fancy tricks based on proof of work, though remember someone has to actually write the code for all of these ideas! But I don't see how to avoid the issue with Tor. There just isn't any reasonable way that the Tor directory operators can know if nodes are related today, and if they are, Tor fundamentally breaks. Given that GCHQ has been tasked with breaking Tor (they're thinking of the children you see), advanced sybil attacks on it seem more likely than not in the near future.

Hrm. The problem is that even if the network decided to ask for passport blind-signing, that solution doesn't work for this use case because the attacker can issue passports.

On the other hand, it's a thought. If you had to sign with an identity that was fundamentally difficult to create due to some other consideration...

[d'aniel]

Hrm. The problem is that even if the network decided to ask for passport blind-signing, that solution doesn't work for this use case because the attacker can issue passports.

I believe the idea is that the ZKPOP can reveal the country that issued the passport, so when setting up your Tor circuit, you'd select relays from distinct countries.  Then a sybil attack against Tor would require international coordination of governments.

Though don't governments generally have access to lots of foreign passport scans from border crossings, airport, etc.?

[NanoAkron]

Hrm. The problem is that even if the network decided to ask for passport blind-signing, that solution doesn't work for this use case because the attacker can issue passports.

I believe the idea is that the ZKPOP can reveal the country that issued the passport, so when setting up your Tor circuit, you'd select relays from distinct countries.  Then a sybil attack against Tor would require international coordination of governments.

Though don't governments generally have access to lots of foreign passport scans from border crossings, airport, etc.?

So let's go back to the topic at hand: How do we establish the trustworthiness of nodes without external tokens?

What structural/functional properties of bitcoin can we use to establish a node is a real node in a trustless and distributed fashion?

[coinrevo]

People need to realize that proof of work is a means to an end. A better system is possible if nodes are connected to identities.

It seems to me very unlikely than there will be an establishment of a global identity system which can't be corrupted. You might be able to prove you own a passport, but you can't prove you haven't stolen the passport. There is no key testing. Human markers (fingerprints, eye scan, genetic information) are unique and testable. Other information usually used to create a map person => identity are physical addresses and bank accounts

[NanoAkron]

People need to realize that proof of work is a means to an end. A better system is possible if nodes are connected to identities.

It seems to me very unlikely than there will be an establishment of a global identity system which can't be corrupted. You might be able to prove you own a passport, but you can't prove you haven't stolen the passport. There is no key testing. Human markers (fingerprints, eye scan, genetic information) are unique and testable. Other information usually used to create a map person => identity are physical addresses and bank accounts

So take the ID requirement back a step and put the burden of proof on the nodes themselves. How does a node prove to other nodes that it is real and not spoofed?

[coinrevo]

What structural/functional properties of bitcoin can we use to establish a node is a real node in a trustless and distributed fashion?

I'm not sure Mike is serious about this proposal, although it sounded like it in the talk. He knows that miners/users will never accept this. bitcoin is unlikely to change in so major ways. And if you solve the mapping of identity to computer in new ways you can potentially have better systems than proof of work. there is no need for all nodes doing the same computation N times. going forward nodes is an increasing less useful concept. In the future compute power will not be local, but on some server. So the P2P model is really going away to some extent. bitcoin is now 5 years old, and since then the rise of cheap servers has been probably the most dramatic change. soon "cloud" will be even more ubiquitous, although there are of course many security issues.

[coinrevo]

So take the ID requirement back a step and put the burden of proof on the nodes themselves. How does a node prove to other nodes that it is real and not spoofed?

How do you know your OS is not rooted? perfect backdoors are invisible. its hard to write a rootkit, but as they propagate its impossible to stop them. for example Zeus was a well-known Win rootkit. black hats can earn a lot of money (I assume), so there is the incentive. for the attacker it takes only one exploit, but the defenders have to cover all exploits. its not possible to write programs which defend all possible attacks. there is the idea you could use BTC in connection to compute cycles, but it seems unlikely that is workable in the near term. You can't write programs that prove that other programs are not malicious, which is connected to Turing's halting problem [1].

[1] http://en.wikipedia.org/wiki/Halting_problem