[Bitcoin-development] Discovery/addr packets (was: Service bits for pruned nodes)

Adam Back adam at cypherspace.org
Mon May 6 18:32:22 UTC 2013

btw with nodes for transport security you might use self-certifying keys. 
Referring to Zooko's triangle, then the key is the node identity.  Similar
to a bitcion address.  So then just another ECDSA key and use emphemeral
ECDH for transport authenticated with the nodes key.

Maybe there can be some value to reputation to a node - eg it can charge a
higher micropayment for its p2p network services, a node with a good
reptuation could charge a higher micropayment for relaying (though bitcoin
itself probably doesnt like micropayments as bloating the transaction log).

Another ZKS era idea I had was to have a gossip protocol for users to find
out what other people think about the trustworthiness and reliability of
nodes.  If that info is distributed via gossip over multiple channels and
network connections over time, and kept in something like a gnutella host
cache (just a cache of random info with some eg random replacement policy)
it becomes very hard for a dishonest node to censor evidence of its low

It is best as Gregory said to be able to directly prove, and punish by
block-chain validation, because that is more smart-contract like.  Bisbehave
and nodes wont connect to you or lose somehow.

But what exactly could you prove about a node?  You dont really know if a
node is an originator for a double spend, it could be relay.  And for
privacy and security you cant expect the node to use its coin address
private key.

Hmm: maybe one could use a Brands private credential with offline double
spend detection, with the reputation but not coin address of the node
disclosed, and the nodes coin address embedded in the proof.  Each node
could be is own CA, providing a ZKP.  If the node ever double spends a coin,
it loses its reputation as the coin address is revealed.

btw another old idea was to require proof of the existance of the private
key of a high value coin in the double-spend revealed information.  Then
basically to get a higher good-behaviour bond, the node ties up more coins,
and if a node cheats, the first person to discover this collects the
forfeited good behaviour bond.


ps I have an opensource openSSL based Brands (& Chaum) credential library at
http://www.cypherspace.org/credlb/ I didnt actually implement the ECDL
version, just the DL version, but that is not so hard, and its on my todo
list.  (There is also a strong RSA assumption version, also not

On Mon, May 06, 2013 at 11:01:22AM -0700, Gregory Maxwell wrote:
>> 1) Non-repudiation is only useful with fraud proofs, and they will have
>> to be thought out for everything the node might claim.
>That isn't so. If a node is reliably rogue I can go manually gather
>evidence and people can manually take action against it.  Consider the
>DNSseeds, right now fraud proofs really wouldn't matter— the limited
>amount of trust put in those things is based not on "oh no, nodes will
>ignore you in the future if you're bad", it's based on the ability of
>misconduct to sully the operator's reputation.
>But without non-repudiation the ability to tie reputation to good
>behavior is fairly limited especially if they perform targeted
>attacks. "Wasn't me"
>Instead— I'd argue that non-repudiation is always useful when there is
>trust. It's things like fidelity bonds— a trust generator that depend
>on automatic enforcement— that are only useful with fraud proofs.
>> Anyway, the concept of a per-node identity keypair is the first step
>> towards non-repudiation, and implementing SSL transport.
>Yea, indeed, per-node keys are useful for a bunch of things. Care is
>needed to avoid problems like deanonymizing use over tor with them.
>Learn Graph Databases - Download FREE O'Reilly Book
>"Graph Databases" is the definitive new guide to graph databases and
>their applications. This 200-page book is written by three acclaimed
>leaders in the field. The early access version is available now.
>Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
>Bitcoin-development mailing list
>Bitcoin-development at lists.sourceforge.net

More information about the bitcoin-dev mailing list