[Bitcoin-development] The insecurity of merge-mining

Thu Jan 9 17:19:04 UTC 2014

On 1/6/14, Peter Todd <pete at petertodd.org> wrote:
> On Sat, Jan 04, 2014 at 01:27:42AM +0100, Jorge Timón wrote:
> It's not meant to prove anything - the proof-of-sacrificed-bitcoins
> mentioned(*) in it is secure only if Bitcoin itself is secure and
> functional. I referred you to it because understanding the system will
> help you understand my thinking behind merge-mining.
>
> *) It also mentions proof-of-sacrificed-zerocoins which *is* distinct
> because you're sacrificing the thing that the chain is about. Now that
> has some proof-of-stake tinges to it for sure - I myself am not
> convinced it is or isn't a viable scheme.

I'm not sure I understand all the differences between
proof-of-sacrificed-bitcoins and proof-of-sacrificed-newcoins, but I'm
still convinced this doesn't have anything to do with MM PoW vs PoW.
The idea looks very interesting and I will ask you and adam to
understand it better on IRC, but take into account that when you say
"merged mining is insecure" some people hear "merged mined altcoins
are less secure than non-MM altcoins" (which is false) and somehow
conclude "scrypt altchains are more secure than SHA256 altchains".
Whether we like it or not, many people believe that scrypt, quark or
primecoin PoW algorithms are somehow more secure than SHA256, and
claims that "merged mining is insecure" from core bitcoin developers
contribute to spread those beliefs and that no new altcoin has been
created with the intend of being merged mined for quite a while.
I'm not trying to make you or anyone here responsible for the mistakes
other people make.

But rephrasing your claims as "We're exploring new ideas for altchains
that could be more secure than MM..." sounds very different from "MM
is insecure, by the way look at this new idea..."

>> Feel free to ask for corrections in the example if you think it needs
>> them.
>> Feel free to bring your edge legal cases back, but please try to do it
>> on top of the example.
>
> You're argument is perfectly valid and correct, *if* the assumptions
> behind it hold. The problem is you're assuming miners act rationally and
> have equal opportunities - that's a very big assumption and I have
> strong doubts it holds, particularly for alts with a small amount of
> hashing power.

That's why I made the offer above.
What you point out is the reason why freicoin started without merged
mining, to grow its own independent security first, before starting to
be merged mined.

> You know, something that I haven't made clear in this discussion is that
> while I think merge-mining is insecure, in the sense of "should my new
> fancy alt-coin protocol widget use it?", I *also* don't think regular
> mining is much better. In some cases it will be worse due to social
> factors. (e.g. a bunch of big pools are going to merge-mine my scheme on
> launch day because it makes puppies cuter and kids smile)

Fair enough.
Do you see any case where an independently pow validated altcoin is
more secure than a merged mined one?
The reason why I participated in the discussion was that I believe
that merged mined PoW is more secure than
completely-independent-from-bitcoin pow.
And I thought that that was the general understanding in the Bitcoin
development community.

If that's the case, we agree on what's more important to me.

About the new proposal, I don't have a firm opinion yet. I'm sorry but
I have to understand it better and think about it in more depth.