Blockchain rollback limit? - page 3.

Kupsi

legendary

Activity: 1193

Merit: 1003

9.9.2012: I predict that single digits... <- FAIL

Quote from: SgtSpike on February 05, 2013, 03:22:15 PM

Quote from: Kupsi on February 05, 2013, 03:14:18 PM

Quote from: JoelKatz on February 05, 2013, 02:47:39 PM

Quote from: Kupsi on February 05, 2013, 01:35:15 PM

I believe the problems with limiting (automatic) rollback to 120 blocks is smaller than the possible problem with a government building a lot of ASICs, making blocks in the dark and release them to the network after a long time. This could kill Bitcoin.

Say you limit rollback. Say about half the network watched chain X unfold and it's the longest chain. And say half the network is on chain Y and would need a rollback past the limit to get to chain X. Isn't it true that both chains are now equally correct by the rules? I'm not so sure it's such a good idea to introduce path dependence to a network that can't even remotely guarantee that all nodes take the same path.

I agree, if you ever need a rollback passed a sensible limit, you're kind of screwed. But it seems to me that you're screwed whether or not you limit the rollback. You can now have two perfectly functioning clients with the same information who disagree on the which set of blocks is valid.

I would say it makes sense to detect that a very large rollback would normally occur. But as for what you do in that case, I can't see not rolling back as being right. Perhaps prevent further operation until humans can decide what to do.

So let's find the sensible limit and use that. If we set the limit at 288 blocks, we would have about 96 hours to merge the network again if there was a 50 / 50 split. I don't think we ever will have a network split larger than 96 hours with exactly 50 / 50 share on both sides. If the network merged again after 96 hours, and one side have made more blocks than the other side, miners would jump to the largest blockchain and the small one will die.

Isn't this the very definition of a "rollback"? Miners always jump to the longest chain.

If they manually need to jump to the longest chain, if it's more than x number of blocks to roll back, we are much better protected against a hostile attack.

Kupsi

legendary

Activity: 1193

Merit: 1003

9.9.2012: I predict that single digits... <- FAIL

Quote from: DannyHamilton on February 05, 2013, 03:16:42 PM

Quote from: Kupsi on February 05, 2013, 03:14:18 PM

If the network merged again after 96 hours, and one side have made more blocks than the other side, miners would jump to the largest blockchain and the small one will die.

How could they do this if there was a limit. Wouldn't the limit prevent those on the shorter chain from being rolled back to ump to the longer chain?

They will manually delete the x last blocks and download the longest chain.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: Kupsi on February 05, 2013, 03:14:18 PM

Quote from: JoelKatz on February 05, 2013, 02:47:39 PM

Quote from: Kupsi on February 05, 2013, 01:35:15 PM

I believe the problems with limiting (automatic) rollback to 120 blocks is smaller than the possible problem with a government building a lot of ASICs, making blocks in the dark and release them to the network after a long time. This could kill Bitcoin.

Say you limit rollback. Say about half the network watched chain X unfold and it's the longest chain. And say half the network is on chain Y and would need a rollback past the limit to get to chain X. Isn't it true that both chains are now equally correct by the rules? I'm not so sure it's such a good idea to introduce path dependence to a network that can't even remotely guarantee that all nodes take the same path.

I agree, if you ever need a rollback passed a sensible limit, you're kind of screwed. But it seems to me that you're screwed whether or not you limit the rollback. You can now have two perfectly functioning clients with the same information who disagree on the which set of blocks is valid.

I would say it makes sense to detect that a very large rollback would normally occur. But as for what you do in that case, I can't see not rolling back as being right. Perhaps prevent further operation until humans can decide what to do.

So let's find the sensible limit and use that. If we set the limit at 288 blocks, we would have about 96 hours to merge the network again if there was a 50 / 50 split. I don't think we ever will have a network split larger than 96 hours with exactly 50 / 50 share on both sides. If the network merged again after 96 hours, and one side have made more blocks than the other side, miners would jump to the largest blockchain and the small one will die.

Isn't this the very definition of a "rollback"? Miners always jump to the longest chain.

DannyHamilton

legendary

Activity: 3472

Merit: 4801

Quote from: Kupsi on February 05, 2013, 03:14:18 PM

If the network merged again after 96 hours, and one side have made more blocks than the other side, miners would jump to the largest blockchain and the small one will die.

How could they do this if there was a limit. Wouldn't the limit prevent those on the shorter chain from being rolled back to ump to the longer chain?

Kupsi

legendary

Activity: 1193

Merit: 1003

9.9.2012: I predict that single digits... <- FAIL

Quote from: JoelKatz on February 05, 2013, 02:47:39 PM

Quote from: Kupsi on February 05, 2013, 01:35:15 PM

I believe the problems with limiting (automatic) rollback to 120 blocks is smaller than the possible problem with a government building a lot of ASICs, making blocks in the dark and release them to the network after a long time. This could kill Bitcoin.

Say you limit rollback. Say about half the network watched chain X unfold and it's the longest chain. And say half the network is on chain Y and would need a rollback past the limit to get to chain X. Isn't it true that both chains are now equally correct by the rules? I'm not so sure it's such a good idea to introduce path dependence to a network that can't even remotely guarantee that all nodes take the same path.

I agree, if you ever need a rollback passed a sensible limit, you're kind of screwed. But it seems to me that you're screwed whether or not you limit the rollback. You can now have two perfectly functioning clients with the same information who disagree on the which set of blocks is valid.

I would say it makes sense to detect that a very large rollback would normally occur. But as for what you do in that case, I can't see not rolling back as being right. Perhaps prevent further operation until humans can decide what to do.

So let's find the sensible limit and use that. If we set the limit at 288 blocks, we would have about 96 hours to merge the network again if there was a 50 / 50 split. I don't think we ever will have a network split larger than 96 hours with exactly 50 / 50 share on both sides. If the network merged again after 96 hours, and one side have made more blocks than the other side, miners would jump to the largest blockchain and the small one will die.

JoelKatz

legendary

Activity: 1596

Merit: 1012

Democracy is vulnerable to a 51% attack.

Quote from: Kupsi on February 05, 2013, 01:35:15 PM

I believe the problems with limiting (automatic) rollback to 120 blocks is smaller than the possible problem with a government building a lot of ASICs, making blocks in the dark and release them to the network after a long time. This could kill Bitcoin.

Say you limit rollback. Say about half the network watched chain X unfold and it's the longest chain. And say half the network is on chain Y and would need a rollback past the limit to get to chain X. Isn't it true that both chains are now equally correct by the rules? I'm not so sure it's such a good idea to introduce path dependence to a network that can't even remotely guarantee that all nodes take the same path.

I agree, if you ever need a rollback passed a sensible limit, you're kind of screwed. But it seems to me that you're screwed whether or not you limit the rollback. You can now have two perfectly functioning clients with the same information who disagree on the which set of blocks is valid.

I would say it makes sense to detect that a very large rollback would normally occur. But as for what you do in that case, I can't see not rolling back as being right. Perhaps prevent further operation until humans can decide what to do.

Kupsi

legendary

Activity: 1193

Merit: 1003

9.9.2012: I predict that single digits... <- FAIL

Quote from: Gabi on February 05, 2013, 02:31:26 PM

Why this 120 block thing?

I thought about 144 blocks (24 hours), but since 120 blocks is the limit for spending fresh coins a 120 block limit makes sense.

Quote from: Gabi on February 05, 2013, 02:31:26 PM

As long as someone have a backup blockchain (for example if the 51% attack use a chain where the modifies start 6 months ago or a year ago in the chain) we are totally fine.

A 6 months rollback is not fine!

Gabi

legendary

Activity: 1148

Merit: 1008

If you want to walk on water, get out of the boat

There is no limit. Actually there is no "rollback" at all.

Why this 120 block thing? It is just the number of confirmations required to spend mined coins, nothing more. Totally unrelated to "rollback"

As long as someone have a backup blockchain (for example if the 51% attack use a chain where the modifies start 6 months ago or a year ago in the chain) we are totally fine.

Yes, this will require a fix in the client to tell the client "ehi ignore the wrong chain" Wink

Kupsi

legendary

Activity: 1193

Merit: 1003

9.9.2012: I predict that single digits... <- FAIL

Quote from: kjj on February 02, 2013, 09:22:23 AM

There are problems with limiting rollback. I've proposed a scheme where reorgs become exponentially more costly, but it still has the problem that it adds new state to the system and messes with automatic convergence.

I believe the problems with limiting (automatic) rollback to 120 blocks is smaller than the possible problem with a government building a lot of ASICs, making blocks in the dark and release them to the network after a long time. This could kill Bitcoin.

Can someone point me to a discussion on this topic? I've tried to search.

kjj

legendary

Activity: 1302

Merit: 1026

Checkpoints are in checkpoints.cpp. As of 0.7.1, the latest was 193,000. I'm not sure if 0.7.2 moved it up.

There are problems with limiting rollback. I've proposed a scheme where reorgs become exponentially more costly, but it still has the problem that it adds new state to the system and messes with automatic convergence.

DannyHamilton

legendary

Activity: 3472

Merit: 4801

Quote from: Kupsi on February 02, 2013, 08:07:23 AM

Is there a limit for how many blocks that can be rolled back after a network split or if someone tries to do a 51% attack?

The reference client (Bitcoin-Qt) includes checkpoints built in to the source code. It shouldn't be possible to orphan any blocks in the blockchain from prior to the most recent checkpoint. I believe the last checpoint in the current version 0.7.2 was block 210,000.

Kupsi

legendary

Activity: 1193

Merit: 1003

9.9.2012: I predict that single digits... <- FAIL

Is there a limit for how many blocks that can be rolled back after a network split or if someone tries to do a 51% attack?

New coins can be spent after 120 blocks, and I guess a 120 blocks rollback limit makes sense. Then transfers would be 100% resistant against a 51% attack after about 20 hours. And if there was a network split with 50% hashing power on each side, the network would have about 40 hours to merge. If there was a network split with 75% and 25% hashing power on the two sides, the 25% side would have about 80 hours to connect to the 75% side again.

Topic: Blockchain rollback limit? - page 3. (Read 4772 times)