[messaging] Namecoin

Tao Effect contact at taoeffect.com
Thu Aug 21 11:09:09 PDT 2014


Hi all!

Thanks much to Trevor for doing what I was unable to do: starting and facilitating a foundation for discussion of how blockchain technology is relevant to end-to-end encrypted messaging projects.

Please forgive any excess brevity on my part as I reply to Zaki and Trevor's comments (I am in the middle of a cross-country move atm).



#### Reply to Trevor's comments

> Similar structures have been proposed for certificates and revocation
> (Naor-Nissim [2] and related; Certificate Transparency and related).


It's important to emphasize that CT and the blockchain have very significant differences, and that these significant differences lead to meaningful differences in the security that they are able to provide.

The main differences are:

- CT logs are generated in a centralized manner, whereas in Bitcoin they are generated in a decentralized manner
- CT logs are not secured by any decentralized consensus mechanism such as Proof-of-work / Proof-of-stack / Proof-of-activity / etc.
- CT is much more centralized and relies on central authorities to run these logs (the FAQ suggests logs will be maintained by "every major CA") [1]

These differences have major security implications:

- CT cannot to deliver on its promise to document every certificate that is issued. It makes it possible for malicious actors to issue fraudulent certs and never actually log or report them. [2] [3]
- Certs must be purchased via yearly subscriptions, whereas with Namecoin / DNSChain they are free.
- CT does not prevent MITM attacks, whereas DNSChain does.
- Whereas certificate revocation for compromised certificates is not an issue in Namecoin / DNSChain, it is still an unsolved problem with CT. [4]


[1] http://www.certificate-transparency.org/faq
[2] http://www.ietf.org/mail-archive/web/trans/current/msg00233.html
[3] http://okturtles.com/#oktvs
[4] https://news.ycombinator.com/item?id=7556909

// reference enumeration is reset after this point.


> 2)  Namecoin is a centralized namespace dependent on Bitcoin

Namecoin maintains its own blockchain that is completely independent of Bitcoin's blockchain.

Also, I think you meant "global" instead of "centralized". Namecoin's namespace a decentralized, global namespace.

> not just a log that different parties could run.


Perhaps I'm misunderstanding what you mean by "run" here, but just to be clear: the decentralized nature of Namecoin means anyone (not just CAs) can "run" this log.


> (1) means Namecoin-type logs probably can't be used with existing
> namespaces, since existing service providers probably don't want to
> surrender control over their names.  But these logs might be a good
> way to assign a new name to a public key (e.g. an alternative to
> fingerprints).  Bob just has to check that his name was registered, he
> doesn't have to worry about changes after that.

If you're referring to ICANN TLDs, there is a proposal for how to migrate these over:

https://forum.namecoin.info/viewtopic.php?f=5&t=1439

I think it would difficult to implement, and there seems to be little interest at the moment, but it seems possible.

> (2) means Namecoin *definitely* can't be used with existing
> namespaces, as there's a single global namespace and anyone could
> register any names.  It also means we're tied to this blockchain and
> its quirks, and the only way to get names is to buy them via Namecoin,
> which seems like a poor user experience at the moment.


Yes, this is a relevant issue that must be solved. The underlying issue here is name squatters and spam on the blockchain, and so far I am aware of only a handle of ways to deal with this:

- The current pay-for-name and keep updating it mechanism.
- Some type of auction mechanism on the blockchain (this is something that Bitshares DNS is working on, I think. It may also be possible with Ethereum contracts.)
- Centralized "official" registration points.

> Greg Slepak has DNSChain [4], which looks up
> Namecoin entries so you don't need your own copy of the blockchain
> (currently 2 GB).  Interestingly it doesn't provide Merkle Tree proofs
> that the entries match widely published root hashes.  The argument is
> you should just query a trusted DNSChain server.
> 
> I don't see anyone else using proofs either.  I'm a little surprised
> by that, since that seems like the main point of this datastructure.
> Curious if anyone has an explanation.

Merkle proofs play a greater role in CT and SPV-based blockchain clients than they do in standard (height-based) blockchain verifications, see Thin-Client Security:

https://en.bitcoin.it/wiki/Thin_Client_Security

Either way, all of the proof-stuff is implied by the authenticated connection to DNSChain (since it is speaking to the local namecoind). In other words, it is being used.



#### Reply to Zaki's comments

> 1. The inefficiencies of the proof of work scheme for block ordering in NameCoin are unlikely to remain relevant over the medium term. Virtually all Blockchain 2.0 are considering some variation on the block ordering algorithm that does not involve competitive hashing. BitShares is an example of an umbrella Blockchain 2.0  project that has been pursuing support for the DNS application and plans to release a working client within the next few weeks/months.

Their previous consensus algorithm was called TaPoS, or Transactions as Proof of Stake. I reviewed that and pointed out some issues to them.

Their new one is called Delegated Proof of Stake:

http://bitshares.org/delegated-proof-of-stake/
http://bitshares.org/intro-to-delegated-proof-of-stake/
https://bitcointalk.org/index.php?topic=558316.0

I haven't yet had time to fully review it, but I'm sure there will be concerns with it as well. If anyone has reviewed it please comment with your thoughts!

> 2. While the blockchain data structure itself offers a high degree of cryptographic trust, it isn't appropriate structure for doing fast lookups. The current state of the art in bitcoin technology is to parse a blockchain and generate a derivative structure that supports fast response to a number queries. Either building a full SQL database of names, values, transactions etc or building a variety of key/value stores is common. What is lost in building derivative data structures is the underlying cryptographic trust, these query tables can only be trusted if built locally under the users control. Maintaining a locally built database is an expensive operation from both a bandwidth and storage point of view. Running a queriable bitcoin instance requires about 20GB for the blocks and up to 40gb for indexed data tables of ledger. The need to provided some sort of query interface in generic Blockchain 2.0 clients has been getting increasing attention in the last few months.

Chain.com seems to be trying to address this issue, but it's a centralized solution and therefore I'm not terribly thrilled with it.

Libcoin uses sqlite to provide a queriable interface, but has the storage issue.

Storage and bandwidth issues can be completely solved with UTXO and/or a "rolling-root". UTXO seems best for dealing with Bitcoin. Am running out of time to find the links for this, but it's there in bitcointalk forums (search for sugarpuff's posts in the UTXO thread).



Thanks again Trevor for spinning off this discussion! Gotta hit the road again...

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140821/f94b5660/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140821/f94b5660/attachment.sig>


More information about the Messaging mailing list