https://bitcointalksearch.org/topic/m.2526828
Probably best to continue the discussion on that thread if you want to respond.
----
This is my contribution to the November 2012 discussion of the potential for a Double Double Spend attack on bitcoin. Since it is an old thread, I'll start by trying to recap the existing discussion.
As described in cunicula's original post, the attacker secretly mines a side chain block containing a double spend and then, after the victim has received enough confirmations to accept the original spend, the attacker bribes miners to mine on his side chain. Every time a side-chain block is mined the attacker pays the miner, on the main chain, an amount equal to the block reward, and also pays some small amount to the miner on the side chain in addition to the block reward that the miner automatically receives for mining a block. By paying the rewards on the main chain and the bribes on the side chain from a separate double spend, the attacker only pays the rewards if the attack fails. However, if miners are purely profit-driven the attack should succeed because mining the side chain is just as profitable as mining the main chain if the attack fails and it is more profitable if the attack succeeds.
mskwik pointed out that the satoshi client doesn't propagate blocks that aren't on the longest chain so the attacking miners would need to be running a client that allowed them to share the side chain while they were attacking. cunicula agreed but didn't think it was safe to assume that miners would refuse to run a more profitable client.
Mike Hearn said that miners wouldn't take part in such an attack because the attack would destroy confidence in bitcoin, which is something they have a lot invested in either financially or ideologically. He also said that if double spends become too common, merchants would require identification and a reputation system would emerge to prevent them.
cunicula's preferred fix is requiring blocks to be signed by a sequence of randomly selected private keys. If signers refused to sign blocks containing double spends, then double spends could not occur.
The rest of the thread is a discussion of the separate issue of what will happen to bitcoin as the block reward drops to zero and what, if anything, should be done about it. While I think that is an important issue, I want to focus on the attack that cunicula proposed in his original post.
Since I didn't find Mike Hearn's response particularly reassuring, I went looking for other reasons that the attack might not be as easy as cunicula's explanation makes it seem. I think I've found two things missing from cunicula's analysis.
First, the victim is a player as well, and has at least one potential counter-strategy. Once he sees the side-chain, he can bribe the miners to mine blocks on the main chain instead of the side-chain. He can even play the same type of strategy as the attacker, paying the block reward on the side-chain for blocks mined on the main chain, and paying a bribe on the main chain.
Second, any pool operator or solo miner in possession of a locked post-fork main chain block reward will lose that reward if the attack succeeds. These entities are collateral damage from the perspective of the attacker, but they have a financial interest in stopping the attack, perhaps even stronger than the victim of the double spend. They are players as well and can use the same counter strategy as the victim. Let's call these players plus the victim collectively defenders.
With these two additions, the dominant strategy for rational miners then becomes mining for whichever side (the attacker or the defenders) offers the largest bribe.
This leaves the attacker in a war of attrition game with the defenders. The first thing to note is that depending on how the defenders play this game, the attacker might lose or might need to pay more than the value of the double spend in order to win. This means that attacking is *not* a dominant strategy as cunicula suggested. Moreover, my understandating is that the symmetric Nash equilibrium for such a war of attrition game involves both sides paying the miners at least the amount that the losing side has at stake. As a result, even if the attacker managed to win the war of attrition using a Nash equilibrium strategy, the expected cost would make the attack unprofitable, so the attacker would still not attack to begin with.
Comments?