bitcoin-dev
Lamport scheme (not signature) to economize on L1
Posted on: December 18, 2023 22:43 UTC
The discussion revolves around the security of a cryptographic system that uses a concept referred to as the "key owner broadcasts first bundle." The argument presented is that it would be in every miner's best interest to include this bundle in their block attempts.
This is because if they do not, another miner will likely include it in the following block, thus ensuring its propagation within the blockchain.
The principle of the weakest link is used to illustrate the robustness of the system. It suggests that if breaking through the Lamport chain—used here as part of the system—within a certain number of blocks is more difficult than conducting a double-spending attack, then the security provided by the Lamport chain is sufficiently strong. To put this into perspective, consider a Lamport hash link of only 12 bytes or 96 bits, which is less than half the size of a Schnorr signature.
An extremely pessimistic scenario is proposed where the cracking capability is an order of magnitude greater than the current global hash rate, estimated at 10^21 hashes per second (H/s). Several reasons are given why this assumption is overly conservative: firstly, Bitcoin's security relies on the impracticality of such an attack; secondly, memory-hard hashes are inherently resistant to ASIC optimization, meaning that CPUs required for such an endeavor would be prohibitively expensive compared to today's total mining hardware.
To further examine the security under these conditions, a generous window of 1 million seconds is allowed for an attacker to attempt to crack the hash, resulting in 10^27 potential hash calculations. By converting this figure to binary and considering the logarithmic relationship between base 2 and base 10, we arrive at just under 2^89 possible hash computations. However, with 2^96 possible pre-images (the original values from which hashes are generated), the probability of successfully finding the correct pre-image is approximately 2^-6, reinforcing the argument of the system's strong security posture under even the most unfavorable conditions.