[Bitcoin-development] The relationship between Proof-of-Publication and Anti-Replay Oracles

[Jorge Timón]

st

On Sun, Dec 21, 2014 at 6:52 AM, Peter Todd <pete at petertodd.org> wrote:
> On Sun, Dec 21, 2014 at 11:57:51AM +0800, Mark Friedenbach wrote:
>> I think you are trying to say something more specific / limited than that,
>> and I suggest you adjust your wording accordingly. Decentralized exchange
>> would be possible today with vanilla bitcoin using SIGHASH_SINGLE if only
>> the protocol supported multiple validated assets (which it could, but
>> doesn't). Rather straightforward further extensions to the protocol would
>> enable market participants to use a wider class of orders, as well as
>> enable the buyer rather than the seller to dictate order sizes via partial
>> redemption, as we demonstrate in our Freimarkets paper.
>
> Do you realise that all those Freimarket's uses are either based on
> proof-of-publication, or insecure due to sybil attacks?

So let's go through an example to see in which ways
non-proof-of-publication orders are "insecure".

Alice the seller wants to sell 1 unit of A for 100 units of B.
Bob is willing to pay up to 200 Bs for 1 A.

Let's assume a proof of publication system first, in which the
execution price is the mean between bid and ask.
Alice publishes her order.
Bob could publish his order at price 200 Bs and the order would
execute at 150 Bs.
But after seeing Alice's order he knows he doesn't need to pay that
much, so he publishes and order buying for 100 Bs.

Alice gets 100 Bs (what she signed she wanted) and Bob pays less than
he was wiling to pay, he pays 100 Bs. Everybody happy.

Now let's assume native assets and sighash_single.

Alice publishes her order (out of band, using various channels).
Bob could publish his order at price 200 Bs and then a miner would
execute at 100 Bs for Alice, at 200 Bs for Bob and pocket 100 Bs as
mining fees.
But after seeing Alice's order he knows he doesn't need to pay that
much, so he publishes and order buying for 100 Bs.

Again, Alice gets 100 Bs (what she signed she wanted) and Bob pays pays 100 Bs.
The main difference is that Alice didn't had to pay a fee to publish
her binding order.

Now let's try to articulate your concerns.
Your concern is that Carol, isolates Bob preventing him from seeing
Alice's order.
Then maybe Bob publishes his own order at 200 Bs.
If Carol sees both orders while preventing the other participants from
seeing them, she can build a tx in which Alice sells at 100, Bob buys
at 200, and Carol pockets the difference.
But...any smart miner will replace Carol's address with his own when
processing the trade, so Carol cannot win this way.

Another thing Carol can do is to buy the A herself for 100 Bs, leaving
Bob without them.
If Alice cares about Bob getting the deal instead of Carol she can do
two things:
1) Establish a direct communication channel with Bob
2) Move to a proof of publication system and start paying fees for
publishing binding orders.

So again, what's the advantage that proof-of-publication provides TO
ALICE so that she will be so eager to pay the higher costs to get the
same deal?
If this example is not enough to be able to explain the advantage of
proof-of-publication markets feel free to write a more complex one.