Topic: Establishing the Trustworthiness of Nodes without External Tokens (eg Passports) (Read 3524 times)

Well I guess I should retract that statement as these guys seem to have solved the problem:

"There are various means of authenticating Icelanders on the Internet"  auroracoin.org/airdrop.php


Lets see how it goes  

What's the point? Anybody running a faster system can just slow it down to pretend to be the old, slower one.

Bingo.  Newbie gets it right, news at 11  

You're not solving the sybil problem, it's information theory impossible.  I don't care if you have iris scanners and thumbrints and your nazi papers , information can be copied.  

(seriously,  passports?  

Article 13(2) of the Universal Declaration of Human Rights:

Everyone has the right to leave any country, including his own, and to return to his country. )

Hmm…I see.

NanoAkron, those are things I've thought of, too. but there is no way that such schemes can be implemented in bitcoin itself. The protocol can't change arbitrarily. what you're suggesting is at odds with TCP/IP. TCP/IP deals with unreliable communication over a scale free network (all nodes are equal). bitcoin depends crucially on long block times. Send some packets over random locations over the globe and you will see there will be a lot of statistical variance. Which is the reason why blocks exist (one can imagine geographically distributed blocks). TCP/IP only knows of nodes with IP addresses. You don't know where the node is (exact for datamining through approximation). For example people suggested changing the chain selection rule (GHOST). but all of the elements are carefully balanced, which makes the invention so ingenious.

Time spacing could be achieved at the node-node handover of a block.

N1 isn't known to N2.

N1 --> N2: Here's a block. It has timestamp t0.
N2 waits a random amount of time <1sec.  
N1 <-- N2: Ok, now solve this small puzzle and send me a new timestamp.
N1 --> N2: Here's the solution and timestamp t0+N2_delay+x.

Now, t0+N2_delay+x must be greater than t0 - so the person in control of the node isn't just winding their clock backwards and forwards between problems. The latencies for the connection should also be the same in both directions, to within a narrow margin. Comparing the timestamps tells you how long that node should take to solve a particular puzzle, which can then be used as a reference when asking the same puzzle later. This tells you the physical make-up of the machine hasn't been swapped out and another one is just spoofing the ID.

This map of latencies and 'puzzle-solving-times' acts like a map/proof for other nodes in the network when they now want to talk to N1.

Again, I'm sure there are parts I'm missing, but this would be internal to the protocol itself and not require external tokens, and be fairly easy to bootstrap outwards from a single trusted server.

That's true, they do. It's like a bigger variant of the hotel attack. So maybe the "reveal country and play geopolitics" wouldn't work well.

I thought of a couple of countermeasures but they decrease convenience a lot. One would be to find a way to do the time-spacing trick, perhaps by committing to a hash of some (derived?) data in the block chain, and then incorporating that and a block hash from N days later into the proof. However in the absence of AA it doesn't work, and most passports don't do AA, so that seems like a dead end.

The second is to have some random/semi/low trusted third party do a match between face and passport photo data (it can be extracted independently from the rest), in such a way that it's clear the owner of the passport is consenting to creating the fresh identity. That way attacks based on just grabbing someones data wouldn't work. Because matching two photos together perhaps with a MySpace style "salute" (write a code on a piece of paper and hold it up to the camera), is very easy, it could be a Mechanical Turk style microwork scheme. There's no need for the face-matching-person to know anything about who they are seeing. Accuracy could be measured and enforced by having other low-trusted third parties do random audits.

But that's very complicated and would take a lot of effort to set up. If Tor strongly suspected it was really being infiltrated by a lot of intelligence agency controlled nodes, it might become worth it. But otherwise I doubt it's worth it.

Note that ZKPOPs have use cases outside "how do we beat the government at sybil attacks". For instance, one reason porn sites hestitate to use Bitcoin is that they use credit cards as a form of age verification. Anonymous age verification, anti-spam systems, helping manage identities in end-to-end encrypted email ... there's lots of places where selectively revealed yet hard-to-forge identities would be useful.

I'm not sure what problem you're trying to address. botnets are the problem which would be partly solved by such an ID mapping.

I like the idea of using location data, but that is orthogonal to bitcoin/Proof-of-work, which is intertwined with TCP/IP. Although bitcoin could potentially change DNS and SSL through something like BitDNS/Namecoin.

But this is much like a criticism that Bitcoin doesn't really 'solve' the Byzantine Generals problem. Sure, it doesn't fully satisfy the definition of a 'solution' in a pure mathematical sense, but for all intents and purposes it's 'good enough' to be useful.

You don't have to 'prove' a node is real in a hard sense, just that it's behaving exactly like a real node would (relaying transactions to and from the greater network, not compromised by allowing external observer programs to 'look inside' during runtime) when it's asked to.

How do you know your OS is not rooted? perfect backdoors are invisible. its hard to write a rootkit, but as they propagate its impossible to stop them. for example Zeus was a well-known Win rootkit. black hats can earn a lot of money (I assume), so there is the incentive. for the attacker it takes only one exploit, but the defenders have to cover all exploits. its not possible to write programs which defend all possible attacks. there is the idea you could use BTC in connection to compute cycles, but it seems unlikely that is workable in the near term. You can't write programs that prove that other programs are not malicious, which is connected to Turing's halting problem [1].

[1] http://en.wikipedia.org/wiki/Halting_problem

I'm not sure Mike is serious about this proposal, although it sounded like it in the talk. He knows that miners/users will never accept this. bitcoin is unlikely to change in so major ways. And if you solve the mapping of identity to computer in new ways you can potentially have better systems than proof of work. there is no need for all nodes doing the same computation N times. going forward nodes is an increasing less useful concept. In the future compute power will not be local, but on some server. So the P2P model is really going away to some extent. bitcoin is now 5 years old, and since then the rise of cheap servers has been probably the most dramatic change. soon "cloud" will be even more ubiquitous, although there are of course many security issues.

So take the ID requirement back a step and put the burden of proof on the nodes themselves. How does a node prove to other nodes that it is real and not spoofed?

People need to realize that proof of work is a means to an end. A better system is possible if nodes are connected to identities.

It seems to me very unlikely than there will be an establishment of a global identity system which can't be corrupted. You might be able to prove you own a passport, but you can't prove you haven't stolen the passport. There is no key testing. Human markers (fingerprints, eye scan, genetic information) are unique and testable. Other information usually used to create a map person => identity are physical addresses and bank accounts

So let's go back to the topic at hand: How do we establish the trustworthiness of nodes without external tokens?

What structural/functional properties of bitcoin can we use to establish a node is a real node in a trustless and distributed fashion?

I believe the idea is that the ZKPOP can reveal the country that issued the passport, so when setting up your Tor circuit, you'd select relays from distinct countries.  Then a sybil attack against Tor would require international coordination of governments.

Though don't governments generally have access to lots of foreign passport scans from border crossings, airport, etc.?

Hrm. The problem is that even if the network decided to ask for passport blind-signing, that solution doesn't work for this use case because the attacker can issue passports.

On the other hand, it's a thought. If you had to sign with an identity that was fundamentally difficult to create due to some other consideration...

So why did Mike Hearn go to lenghs to describe passport based verification of nodes? What problem was he proposing this would solve?

Are you aware that the block reward is currently worth 19200 USD? That's how much it costs to spoof a single confirmation. Nodoby is going to do that just to get a few free drinks in a bar.

Except for 2 things: in rapid low-value retail environments where we're told 0 conf should be ok, and I know bars that turn over £2,000+/night. Plenty of easy pickings if you spoof a few confirmations by pretending to be the rest of the network.