
This is not even the first paper by Dorit Ron and Shamir on Bitcoin; they did an analysis of the transaction graph earlier: http://eprint.iacr.org/2012/584.pdf

And that one too was quite poorly done; from the text, it actually seemed like they thought that "the blockchain" is a file stored on blockchain.info. Disappointing from the inventor of Shamir's Secret Sharing and differential cryptanalysis.



  We acquired the complete state of the Bitcoin transaction system [...]
  This required downloading 180,001 separate but linked HTML files [...]
  following the links backwards to the zeroth block [...]
  Each file was parsed in order to extract all the multisender/multireceiver transactions in it, and then the collection of transactions was encoded as a standard database on our local machine.
This is definitely a very strange way of retrieving the blockchain for research purposes. Couldn't they have simply issued RPC calls to the regular bitcoind client after downloading the blockchain via the built-in peer-to-peer mechanism?


Yes. In fact, I'm sure (formally, "I suspect") that what you are describing is exactly how blockchain.info gets its data in the first place.


No. Blockchain.info indexes the block chain by address. bitcoind indexes the block chain by transaction IDs (if you enable it). You'd still have to index the data you get from RPC calls by address if you want to track the movement of certain coins.

It's a lot easier to just get it from blockchain.info.
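The indexing step this comment describes, as an added example that is not from the thread or from any Bitcoin project: it takes transactions in the shape bitcoind's `getrawtransaction <txid> true` returned at the time (the older verbose format with a scriptPubKey `addresses` list; this is an assumption about the format), builds the per-address index that a txid-keyed RPC interface does not provide, and follows coins forward from one address. The sample transactions, txids and addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample in the shape of `getrawtransaction <txid> true` output:
# a coinbase paying A, A paying B and C, then B paying D. Txids and addresses
# are placeholders, not real chain data.
TXS = [
    {"txid": "tx1", "vin": [{"coinbase": "04ffff001d"}],
     "vout": [{"n": 0, "value": 50.0, "scriptPubKey": {"addresses": ["A"]}}]},
    {"txid": "tx2", "vin": [{"txid": "tx1", "vout": 0}],
     "vout": [{"n": 0, "value": 30.0, "scriptPubKey": {"addresses": ["B"]}},
              {"n": 1, "value": 19.9, "scriptPubKey": {"addresses": ["C"]}}]},
    {"txid": "tx3", "vin": [{"txid": "tx2", "vout": 0}],
     "vout": [{"n": 0, "value": 29.9, "scriptPubKey": {"addresses": ["D"]}}]},
]

def build_address_index(txs):
    """Return {address: [(txid, n, value, spending_txid_or_None), ...]}.

    Pass 1 records every output under its address; pass 2 resolves each
    non-coinbase input to the output it consumes. A txid-keyed RPC gives
    neither mapping directly, so the indexer has to build both itself.
    """
    outputs = {}  # (txid, n) -> (address, value)
    for tx in txs:
        for out in tx["vout"]:
            for addr in out["scriptPubKey"].get("addresses", []):
                outputs[(tx["txid"], out["n"])] = (addr, out["value"])
    spent_by = {}  # (txid, n) -> txid of the transaction that spent it
    for tx in txs:
        for vin in tx["vin"]:
            if "coinbase" not in vin:
                spent_by[(vin["txid"], vin["vout"])] = tx["txid"]
    index = defaultdict(list)
    for (txid, n), (addr, value) in outputs.items():
        index[addr].append((txid, n, value, spent_by.get((txid, n))))
    return dict(index)

def trace_coins(txs, index, address, seen=None):
    """Set of addresses that coins received by `address` later flowed to."""
    by_txid = {tx["txid"]: tx for tx in txs}
    seen = set() if seen is None else seen
    for _txid, _n, _value, spender in index.get(address, []):
        if spender is None:  # still unspent, nothing to follow
            continue
        for out in by_txid[spender]["vout"]:
            for nxt in out["scriptPubKey"].get("addresses", []):
                if nxt not in seen:
                    seen.add(nxt)
                    trace_coins(txs, index, nxt, seen)
    return seen

def unspent_balance(index, address):
    """Sum of outputs to `address` that no later transaction has spent."""
    return sum(v for _t, _n, v, sp in index.get(address, []) if sp is None)
```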


> it actually seemed like they thought that "the blockchain" is a file stored on blockchain.info

People seem to confuse that a lot. It's a badly named service at the best of times. I wonder how many legal requests the site will get from people believing they run Bitcoin.


I was about to argue with you about it not being very confusing, but then I read the "About" section on the front page:

"This site allows you to navigate the bitcoin blockchain (a database which holds information about all transactions)."

That really does make it sound like they are storing the centralized database for bitcoin.

Edit: changed "storing a" to "storing the" to clarify my point per gojomo's reply.


Blockchain.info is storing a centralized database for Bitcoin. Just not the centralized database... because there's not any official one. They're a value-added replica (via indexing & UI), not a constitutional authority.

(They have some earned authority, by a record of useful service.)


It's not 'a centralized' database at all. Calling it that only adds to the confusion.


I can see where you are coming from, but how could you word that to be technically correct, succinct (not a full blown lecture on what bitcoin is), and not leave yourself open to giving people that impression?

Bitcoin isn't the simplest concept around. Unless you are in the business of packaging up bitcoin for non-technical consumers, I think it is reasonable to expect your users to bring some knowledge about bitcoin to the table.


"This site allows you to navigate through a copy of the bitcoin blockchain"


Yeah, that's definitely better. You might still have people falling into the weird "the blockchain is a bunch of html documents" hole though.


"Disappointing from the inventor of Shamir's Secret Sharing and differential cryptanalysis."

Indeed, as I was reading the post I thought to myself "it couldn't be that Shamir, could it?" Oh.


Yes indeed. The first time, they actually scraped the blockchain.info website; this time they've finally figured out that the blockchain is public and parsed a local blockchain.dat.

The New World is built on the results of that generation of cryptographers, but they can't keep up.


I'd be shocked if the NSA hadn't "invented" differential cryptanalysis long before Shamir.


Does that matter? If two people independently invent the same thing, they're both inventors with equal standing. The classic example being Leibniz and Newton with regards to calculus of infinitesimals.


Apparently it matters to the good people of Marshall, Texas. According to them, Whitfield Diffie didn't invent public key encryption for exactly that reason.

Yeah, I'm more than a little bitter about the technologically illiterate being allowed to judge complex technology.


Isn't it a given that they did? They strengthened DES's s-boxes against it 10 or so years before it was publicly discovered iirc.


You're right, that's precisely why they changed DES.


And the S in RSA.


I find the criticism of research papers on the part of Bitcoin supporters a bit ironic. Have people forgotten how poorly researched the original Bitcoin paper was?


Not sure what you mean by 'poorly researched'. Whatever its flaws, it produced a hell of an innovative idea (or rather, a conglomeration of ideas into something innovative), and it has grown into something undeniably huge. Something people are building businesses upon. Something that is trading at over $900 USD/unit right now, despite countless rounds of naysayers decrying its intrinsic worthlessness and foretelling its doom.

Meanwhile these guys are merely riding on the huge waves which that 'poorly researched' paper left in its wake, trying to catch some press-coverage-by-association with their shoddy research. I'm failing to see the irony here, this is apples and oranges stuff. Really seems like you just wanted to sneer at 'Bitcoin supporters'.


"Not sure what you mean by 'poorly researched'."

I mean that it was poorly researched. There was no definition of security, no mention of the vast body of related work in digital cash or secure multiparty computation, a weak security analysis, no mention of the fact that polynomial time attacks are usually considered to indicate that a system is not secure (one would think that a different security model would require at least some justification), and so forth. That is not the mark of a solid research paper; the fact that Bitcoin has become so famous or that people are making money with it has no bearing on the quality of Satoshi's own research.


It was a simple white paper, offered up anonymously for only what it was. It made no claims which have been demonstrated to be false, which is more than you can say about the paper being discussed here.

The Bitcoin whitepaper does what it says on the tin, you're the one inventing criteria for it that it doesn't meet. The white paper is also remarkably readable, which is something you can't say for most academic works.


Betterunix has been in this discussion many, many times.

I don't think there is any way to get him to stop saying that bitcoin isn't an achievement and that it is a priori invalid because it doesn't have a "formal security model."


Well he stopped saying there was no formal security analysis once someone linked him to one, I think. :)


I believe that I responded to that paper at least once. By my memory, the formalization of Bitcoin's security left room for a polynomial time attack on the system. That is a fine restatement of what we already know about Bitcoin, but:

1. It is irrelevant to this thread, because I was only talking about Satoshi's paper.

2. It is not the sort of security people demand out of other cryptosystems. There is a reason nobody uses this:

https://en.wikipedia.org/wiki/Merkle%27s_Puzzles


If someone could link me to the paper in question, I would really appreciate it.


A little late, but I believe this is the paper mentioned: https://socrates1024.s3.amazonaws.com/consensus.pdf


"It made no claims which have been demonstrated to be false"

That is because no falsifiable claims were made.

(Edit: Strictly speaking, this is not true. Falsifiable claims were made; this, for example:

An attacker can only try to change one of his own transactions to take back money he recently spent.

This claim has already been falsified: an attacker who can control the block chain can also selectively deny transaction verifications and prevent miners from receiving the mining reward.)

"you're the one inventing criteria for it that it doesn't meet"

No, I am just stating the criteria that determine how well-researched a paper is. If a paper does not cite the relevant previous work, it is poorly researched -- that is the standard that every other paper is held to. If a cryptography paper does not have a well-formed or clearly articulated security definition, it is poorly researched -- that is the standard other cryptography papers are held to. If a security paper breaks from widely accepted notions of security but never bothers to justify that, it is poorly researched. These are not unheard-of criteria, these are standard fare.

"The white paper is also remarkably readable"

What is your point? Readability is orthogonal to how well-researched a paper is.


> If a paper does not cite the relevant previous work,

This is elevating form above substance. Ron & Shamir's work has the proper form, the proper names, and yet the material it contains is rubbish. It cites "relevant previous work", so long as you think that none of the work in industry is relevant.

The gold standard should not be if a work follows a set of practices, advisable as they may be, it should be if a work advances the understanding of mankind. One of these papers did, the other does not.


Reference to previous work is not some perfunctory requirement to satisfy for academic due process. It is critical for the advancement of knowledge. Also, it's pretty much entirely the definition of "well-researched". Work that is done completely independent of the established base of knowledge in a field can be valuable, but someone has to do the work of integrating it and contrasting it with what was already known, or else how can you weed out the cranks without many people spending many hours working through their enormous stacks of drivel?

G. H. Hardy said that his most important contribution to the study of mathematics was the discovery of Ramanujan. One could easily make the mistake of thinking this contribution could have been easily replicated by someone else, but it's entirely likely that never would have happened at all because Ramanujan was not aware of much of the contemporary work that he blitzed past.


Real-world cryptography often doesn't have security definitions, e.g. AES. In parts that is because security definitions tend to be asymptotic (which is a massive simplification), and real cryptography is working at a fixed parameter. Coming up with a good security definition is hard, the 2013 Turing award was given for one. I think it will take a long time before we get a realistic security definition for Bitcoin.


"Real-world cryptography often doesn't have security definitions, e.g. AES"

Block ciphers do have security definitions; what AES lacks is a rigorous proof that it satisfies the definition of security for a block cipher. There are different definitions for different notions of security, but that does not mean there is no security definition. It is also untrue to suggest that security parameters are fixed in practice; this is certainly false for public-key cryptography, but Rijndael was designed to support arbitrary parameters, as are many other practical block ciphers and hash functions.

"Coming up with a good security definition is hard, the 2013 Turing award was given for one."

Not one definition, but several definitions and an entire paradigm for definitions. The work also set the groundwork for proving that cryptosystems and cryptographic constructions meet such definitions.

Really, the importance of having a security definition cannot be understated. Without a security definition, you cannot have any falsifiable claims about security. If I claim a system without a definition is insecure, you can always refute me by claiming that the system was never designed to defend against my attack -- which is technically correct, because without a definition the system cannot be said to be designed to defend against any attacks.

Also, note that I did not say that Satoshi failed to give a good security definition for Bitcoin. What I said is that Satoshi failed to give any security definition. If Satoshi had given an unrealistic or otherwise bad security definition, then we could have a productive conversation about the definition and about whether or not Bitcoin satisfies it.

"I think it will take a long time before we get a realistic security definition for Bitcoin."

The thing is that we do have realistic security definitions for digital cash -- the definitions just happen to rely on the existence of a central authority that issues the currency, which is a deal-breaker for the Bitcoin community.


Personally, I say thank god it was poorly researched. If the whole thing was inundated with 20 pages of obscure terminology and various arcane inequalities far fewer people would have understood it. Also, Bitcoin takes such a completely different tack from existing digital cash and SMPC schemes that I think including any discussion on those would have been distracting.



