[Bitcoin-development] The relationship between Proof-of-Publication and Anti-Replay Oracles

Peter Todd pete at petertodd.org
Mon Dec 22 00:11:37 UTC 2014


On Sat, Dec 20, 2014 at 09:48:01AM -0500, Peter Todd wrote:

Andrew Miller asked me to publish the following to the mailing list on his
behalf: (https://twitter.com/socrates1024/status/546819355565391872)

One of the main points in this note is that you can use a
"proof-of-publication" system to implement an "anti-replay" system.
However this isn't true - at least not given the description of
proof-of-(non)-publication in 2) and the definition of "anti-replay"
given here.

In 2), proof-of-*non*-publication allows you to prove that *some
specific message* has never been published. You can imagine having a
function ProveNotPublished(m), which proves "message m was not
published."

However, the anti-replay mechanism is about proving that *no* message
satisfying some property has been published. Hence
VerifyAntiReplaySig(m, p, s) checks that "for all possible messages m'
(distinct from m), AntiReplaySign(m', p) has not been called."


This isn't *just* splitting hairs, this distinction is actually
relevant for analyzing several cryptocurrency designs. You can imagine
extending the definition of proof-of-(non)-publication to take in some
predicate P, so that you can prove "no message m such that P(m) holds
has ever been published." However, to do this efficiently requires
anticipating some classes of P and building some appropriate indices.

- As a baseline, as long as you have the whole blockchain available,
you can scan through the entire blockchain and evaluate P for every
transaction, but this is pretty inefficient.
- Other tradeoffs are available if you are willing to trust some
(quora of) servers to maintain indices for you
- Bitcoin's UTXO set effectively supports a predicate for each txout,
where P(x) = "x is a valid tranasction that spends <txout>"
- Ethereum contracts, in a sense, allow for general purpose contracts
to 'build-your-own" index. On the other hand its key-value store
doesn't support range queries, so it's not necessarily "universal" or
as expressive as SQL, for example.


But the point isn't to argue about design choices and tradeoffs in
this thread. The main point I want to make is:
*Indexes and Validation Matter!*
The classic "proof-of-publication" system is to embed opaque data (as
far as bitcoin miners are concerned) in transactions using OP_RETURN.
A significance of establishing "proof-of-publication" as a universal
underlying primitive is that this OP_RETURN trick is then sufficient
for anything you might want. But part of what Bitcoin provides is
indexing and validation/exclusion, and this is important for
supporting efficient anti-replay proofs. Proof-of-(non)-publication
alone isn't sufficient for this.

-- 
'peter'[:-1]@petertodd.org
00000000000000000a7b40becd0babbd64ec49b8b34823fb4f4b081c95188b66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 650 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20141221/f4d89c08/attachment.sig>


More information about the bitcoin-dev mailing list