asciilifeform: it is a form of theoretically-undetectable 'premine'.
asciilifeform: ben_vulpes: the (very old) gedankenexperiment concerned 'what if solving hashes is substantially cheaper than we chumps believe it to be, and promulgator of the coin knows the pill'
asciilifeform: to put it in more familiar frame, there is no way to prove that the majority of the bitcoin hash rate is not in fact happening on a pocket comp.
asciilifeform: 'proof of work', like 'symmetric crypto', does not in fact have a protocolic (vs promisetronic) existence !
asciilifeform: (and incidentally this is a problem shared with bitcoin, which may conceivably have been authored by someone with a pill for sha2.)
asciilifeform: as i see it, this is not satisfactorily solvable, the author cannot prove that he did not retain a crib sheet to the keyz.
asciilifeform: the cryptographic mega-puzzler would be re how 'ck coin' could be 'provably fair' (i.e. the ciphertexts provably represent privkeys containing the entire monetary base, in aggregate )
asciilifeform: (i am almost wholly ignorant of how the latter mechanically works - so possibly not)
asciilifeform: possibly this is analogous to eulora's 'copper' ?
asciilifeform: i.e. one where all of the coin is premined, but allocated into 'chests', published as privkeys enciphered in such a way as to be bruteforceable with reasonable effort
asciilifeform: unrelated to any of this, i recently went on a dig re crackpot altcoins, and was again disappointed, much of the phase space was never explored. for instance, it does not appear that anyone ever tried a 'captain kidd' alt
asciilifeform: ('martian bank' being simply a naive abstraction of 'idealized swiss bank', where money supply is constant, and i can send from account a1 to a2 if and only if i have the privkey for a1, and double-spend - impossible, etc.)
asciilifeform: (this might be in the l0gz, but asciilifeform's own private, abortive, and ~entirely pointless attempt to 'invent bitcoin' in 2005-6 involved 'homomorphotron' (did not at the time know the term, or of anyone else's work on subj) that simulates 'martian bank' as ordinary computer program but somehow executed 'crypto-blinded' by multitude of independent machines, with the aggregate behaving correctly so long as collusion is below lampo
asciilifeform: prolly the usual overcompensation for spamolade.
asciilifeform: other, unrelated observation, is that delegating computation with a homomorphotron is only +ev if you spend fewer cycles to encipher 'the question' and decipher 'the answer' than it would have taken you to carry out the entire computation in your own comp
asciilifeform: (and if i could! wouldn't need crypto at all. just shamir's secret-splitting algo...)
asciilifeform: if it relies on my being able to send packet from my house without it being immediately logged, some fraction of the time, then i personally cannot much profit from the scheme.
asciilifeform: btw i've been trying to come up with useful scheme standing on paillier, for >decade now, and if mircea_popescu writes one, i promise to read it.
asciilifeform: i would rather leave it as exercise to the patient reader, mircea_popescu et al, than press it
asciilifeform: let's temporarily leave this part for later, and posit that mircea_popescu can both add and multiply homomorphically, via whatever means. i'd like to hear how he carries out the branching.
asciilifeform: scheme that relies on a and b, in besieged castle, to communicate with a non-besieged C, is not crypto.
asciilifeform: this gedankenexperiment strikes me as quite similar to the one where you 'defeat' 2nd law of thermo. by dumping heat into a black hole, and similar.
asciilifeform: crypto that dun work inside a 100% surrounded castle is not crypto.
asciilifeform: it isn't that i can say, with 100% certainty, that you multiplied; it is that i have != 0 bits of info re what you might be doing.
asciilifeform: (and we still have not arrived at the question of how to branch)
asciilifeform: how not ? if i know that you delegated a total of 3 ops, i know that your multiplicand is <= 3.
asciilifeform: aite. (i dun even dispute that a scheme where multiple parties are used for obfuscatory/smoke purposes ~can be useful~ - but it is not crypto in the normal sense. stego, perhaps.)
asciilifeform: would you still think that rsa were strong, if it sufficed to, say, collect 90% of the ciphertext that's left your house, to derive the privkey ?
asciilifeform: this is rather like the 'send the new key and signature in one shot' thread. crypto that dun work if the enemy watches both of your hands, ain't crypto.
asciilifeform: well they know that there were 3 additions.
asciilifeform: if you're locked in a room with'em, and see all of the steps, they know the 3.
asciilifeform: instead, you would need something like F(C1, C2, C3) == P3 + max(P1, P2).
asciilifeform: you cannot turingate with this, alone.
asciilifeform: homomorphic-under-addition just means that you can take C1, C2, encrypted ints P1, P2, and get C3, encrypted sum, that decrypts later to the correct sum of P1+P2