Pages:
Author

Topic: Bribery: The Double Double Spend - page 2. (Read 5556 times)

legendary
Activity: 3431
Merit: 1233
November 08, 2012, 11:35:33 AM
#30
What mechanism would they use to lower the network speed?  It is very easy to add mining incentives, but impossible to reduce them. 

Firstly, it is not that easy to ad mining incentives if you pay in BTC. And secondly, it is not that difficult to reduce network speed if you have unlimited access to USD or EUR. You raise the network difficulty through cheap subsidized ASICS and when independent miners gave up the entire network is yours. After all ASICS manufacturers are paying dollars to produce them.
kjj
legendary
Activity: 1302
Merit: 1026
November 08, 2012, 11:20:17 AM
#29
I don't think you understood what he is proposing.  He is saying that if the current network speed is acceptable to most people, but a few people would like it higher for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra speed without changing the system.
I don't think this makes much sense. It is just the opposite what OP is about. It is the same as - if the current network speed is acceptable to most people, but a few people would like it lower for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra low speed without changing the system - and then launch an attack!

So I suggest first group will pay / bribe in BTC while the second one will pay / bribe in USD or EUR?

What mechanism would they use to lower the network speed?  It is very easy to add mining incentives, but impossible to reduce them.  There are no anti-fees that you can put in a transaction to lower the reward for mining.

The OP proposes a scheme that he thinks will break the system, but he hasn't ever done a proper accounting of the costs, risk and rewards for all of the parties at each step along the way.  His conclusion is based on shitty bookkeeping, and a desire to find a way, any way, for his prejudgment about proof-of-work to be right.
legendary
Activity: 3431
Merit: 1233
November 08, 2012, 11:04:01 AM
#28
I don't think you understood what he is proposing.  He is saying that if the current network speed is acceptable to most people, but a few people would like it higher for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra speed without changing the system.
I don't think this makes much sense. It is just the opposite what OP is about. It is the same as - if the current network speed is acceptable to most people, but a few people would like it lower for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra low speed without changing the system - and then launch an attack!

So I suggest first group will pay / bribe in BTC while the second one will pay / bribe in USD or EUR?
kjj
legendary
Activity: 1302
Merit: 1026
November 08, 2012, 10:25:14 AM
#27

A group of people or companies want network speeds to be higher. However, none wants to be the sucker who pays for all the others.

They broadcast an assurance contract on a separate p2p network with a pledge from themselves.
This is not a wise approach. What you generally suggest is a second network to support bitcoin network, a network of insurers. This would be bitcoin level 2 network. And who will insure the insurers? May be a group of people or companies on a third p2p network, a bitcoin level 3 network?

I don't think you understood what he is proposing.  He is saying that if the current network speed is acceptable to most people, but a few people would like it higher for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra speed without changing the system.
legendary
Activity: 1050
Merit: 1003
November 08, 2012, 10:17:55 AM
#26
minimum txn fees is a central question!
Minimum txn fees are a hard fork (and a not particularly useful one)
legendary
Activity: 1050
Merit: 1003
November 08, 2012, 10:11:12 AM
#25

Assurance contracts are a well studied method to incentivise the creation of public goods. There are some useful economics papers on the topic if you want to read the literature.

Okay, you prefer a perpetual waste of resources to a hard fork. That is ridiculous in its own right, but worse yet it is not likely to work. You should read the work of Elinor Ostrom. She tries to distinguish situations where private provision of public goods works well from situations where private provision of public goods works poorly. There are many situations where it works poorly. Bitcoin will prove to be such a case. (anonymous participants, impossible to sanction free-riders, large number of participants) all these are no-nos.

Please provide an example (comparable to bitcoin) where an assurance contract has functioned effectively.

legendary
Activity: 3431
Merit: 1233
November 08, 2012, 09:55:30 AM
#24

A group of people or companies want network speeds to be higher. However, none wants to be the sucker who pays for all the others.

They broadcast an assurance contract on a separate p2p network with a pledge from themselves.
This is not a wise approach. What you generally suggest is a second network to support bitcoin network, a network of insurers. This would be bitcoin level 2 network. And who will insure the insurers? May be a group of people or companies on a third p2p network, a bitcoin level 3 network?
legendary
Activity: 1526
Merit: 1134
November 08, 2012, 09:42:54 AM
#23
Like network assurance contracts.

A group of people or companies want network speeds to be higher. However, none wants to be the sucker who pays for all the others.

They broadcast an assurance contract on a separate p2p network with a pledge from themselves. The contract is a transaction with a zero value output, ie, it exists purely for fees and to incentivise mining. If others find the size of the incentive acceptable they also submit pledges in whatever amount they prefer. Once enough pledges are broadcast they are automatically combined and submitted to the main Bitcoin p2p network. Miners then race to find a block including this fee paying transaction. Once new blocks are broadcast the process can repeat. Alternatively nLockTime can be used to set up a few contracts ahead of the current chain head block.

You might say, perhaps miners would include only the incentive transaction and not any others. But with good software including other transactions, even free transactions, is so easy that miners should do it anyway for the overall health of the network (they do today, after all).

Assurance contracts are a well studied method to incentivise the creation of public goods. There are some useful economics papers on the topic if you want to read the literature.
legendary
Activity: 3431
Merit: 1233
November 08, 2012, 09:38:20 AM
#22
What speed is the right speed for the Bitcoin network?
The simplest answer of course is "as high as needed". It must be a dynamic variable.

- needed just right to discourage attacker(s), no more.
- discouraging can be done only by attracting more honest miners.
- ad hoc attracting more honest miners can be done only by increasing incentives i.e. increasing the minimum txn fees.
- who will increase the minimum txn fee?
- if it is the mining community, can they abuse this power by launching false attacks just to increase their income?
- who will reject all transactions with insufficient txn fees?
- the process of evaluating network health must be autonomous.
- the process of evaluating network health must be closely linked to the process of defining "next block minimum txn fee" or something like that.

It is a question discussed last year. The question of dynamically defined minimum txn fees is a central question!
legendary
Activity: 1050
Merit: 1003
November 08, 2012, 09:18:40 AM
#21
I'd rather wait until it becomes a problem. I disagree we need any hard forks. There are plenty of proposals that don't need that.

Like what?

Moreover, do you think big fixes like this will get easier if bitcoin grows? I expect the opposite.
legendary
Activity: 1526
Merit: 1134
November 08, 2012, 09:18:00 AM
#20
I'd rather wait until it becomes a problem. I disagree we need any hard forks. There are plenty of proposals that don't need that.
legendary
Activity: 1050
Merit: 1003
November 08, 2012, 09:12:42 AM
#19

Some people have claimed this is a fundamental weakness of Bitcoin and that funding network security post inflation will result in a race to the bottom that destroys the system

Right, I am the undisputed number one proponent of this argument. If you look at my post history you will see that about 50% of my posts are related to me screaming "bitcoin will fail because of a race to the bottom." That is how I got so many ignores.

If you are worried about this, why not try to solve the root problem? There are a number of promising approaches (e.g. requiring randomly selected sequence of private keys to sign hash(block,txns in block) before the block enters the chain.) Admittedly a hard fork is absolutely required for any solution. You don't have to create inflation or stop giving block reward to PoW miners. I don't think they can keep 100% of the txn fees though.

legendary
Activity: 1526
Merit: 1134
November 08, 2012, 08:50:04 AM
#18
What speed is the right speed for the Bitcoin network?

  http://bitcoin.sipa.be/speed-lin-ever.png

The simplest answer of course is "as high as possible", but that's not a good answer because we can always divert more and more wealth into hashing. The right answer  is "as much as necessary but no more". Doing more work than necessary just wastes energy and the money needed to pay for it.

So how much is necesssary? Well, it's impossible to know today because merchants don't seem to be complaining about double spends. At least if this is a regular problem I've not seen any discussion of it. So it's safe to say that our current speeds are better than necessary. We can only really find out the speed that is necessary by letting the speed fall until people start complaining. As inflation dries up and we catch up with the best possible technologies for hashingn, speeds will eventually fall until double spends start happening with some degree of regularity. At that point the community will find some way to fund the network (insurance, assurance contracts, attaching fees to important transactions, whatever).
 
This opens the question of what the right speed is, given that people have differing tolerances for risk. Some people have claimed this is a fundamental weakness of Bitcoin and that funding network security post inflation will result in a race to the bottom that destroys the system, but I don't think so. I suspect Bitcoin will stabilize at some kind of group consensus on something that's "good enough". Users with extreme needs will have to wait, combine Bitcoin with security enhancing technologies like trusted computing / smart cards, use insurance, rely on reputation and risk analysis.
legendary
Activity: 1050
Merit: 1003
November 08, 2012, 08:12:16 AM
#17
I'm not sure what "atomistic" means, are you sure that's the word you wanted? The definition is apparently "divided into separate and often disparate elements."

There is a conspiracy because the behavior you are suggesting all miners will adopt is not the behavior of the standard software, somebody would have to write the necessary patches and then others would have to switch their regular software to the modified version. That's a "conspiracy" in the sense that it only makes sense to do so if others do it too, hence they must collude. That collusion would certainly be detected, and the fact that Bitcoin was about to get less reliable would cause selloffs that depress the exchange rate, and perhaps closure of some merchants. Certainly any miner who had any investment in Bitcoin would see the value of that investment shrivel up long before users learned about the new "status quo" and began regularly trying to use complicated bribe schemes.

This is the problem with game theory. It reduces complicated situations and actors with many competing agendas down to simple automatons.

A much bigger problem is simply people who are paid directly to mine, via sites like HashPower or GPUMAX, and who don't care what they mine on. It simplifies mounting some kinds of attack but the general economics still hold.

You are right. Downloading special software or mining at a special pool like GPUMAX is a form of conspiracy. There is an important distinction between GPUmax and special software. GPUmax is easier to set up. Special software could duplicate the function of GPUmax. Because the software could be P2P and could behave just like bitcoind under non-attack circumstances, it would be more difficult to detect and destroy. It would also be more difficult to gauge the threat posed by such software. Moreover, the software would help the attacker remain pseudonymous. This is possible with GPUmax, but probably more difficult.

In game theory, "Atomistic" refers to the assumption that individual choices have no impact on aggregate variables, i.e. individuals are tiny and numerous like atoms; aggregate variables emerge through integration over infinite numbers of tiny atoms. It is a simplifying assumption for analyzing games with large numbers of players. Here it just means that individual decisions have no effect on whether the attack succeeds. The hashing power of any one decision maker is simply too small to make a difference. Therefore, individual decision makers ignore the effect of their decisions on attack success probability. This makes it irrelevant whether they have investments in bitcoin or not.

Sorry for being a little pissy.

I agree that game theory doesn't predict behavior very well. But there isn't a good alternative to game theory besides experimentation.

Anyways, the most interesting question is why you think there will be semi-regular double spends in the future. Why?

legendary
Activity: 1526
Merit: 1134
November 08, 2012, 07:32:21 AM
#16
I'm not sure what "atomistic" means, are you sure that's the word you wanted? The definition is apparently "divided into separate and often disparate elements."

There is a conspiracy because the behavior you are suggesting all miners will adopt is not the behavior of the standard software, somebody would have to write the necessary patches and then others would have to switch their regular software to the modified version. That's a "conspiracy" in the sense that it only makes sense to do so if others do it too, hence they must collude. That collusion would certainly be detected, and the fact that Bitcoin was about to get less reliable would cause selloffs that depress the exchange rate, and perhaps closure of some merchants. Certainly any miner who had any investment in Bitcoin would see the value of that investment shrivel up long before users learned about the new "status quo" and began regularly trying to use complicated bribe schemes.

This is the problem with game theory. It reduces complicated situations and actors with many competing agendas down to simple automatons.

A much bigger problem is simply people who are paid directly to mine, via sites like HashPower or GPUMAX, and who don't care what they mine on. It simplifies mounting some kinds of attack but the general economics still hold.
legendary
Activity: 3431
Merit: 1233
November 08, 2012, 07:14:06 AM
#15
That possibility is explicitly addressed in Satoshis paper:

Quote
He ought to find it more profitable to play by the rules .... than to undermine the system and the validity of his own wealth.
It is always amusing to see how rational people believe that all people are rational. I have to disappoint all believers in the rationality of homo sapiens. I agree that long term a human or organization of any kind has to be rational to survive, but the world is full of short term madness.

Even institutionalized madness is on the rise recently. For instance, the president of ECB Mario Draghi is such an example. When discussing the future of euro he said they will protect euro "whatever it takes"... Can you imagine what this can really take? Can you imagine what will it take if EUR, USD, YEN, GBP, CHF, etcetera all together need to be saved?

If you want to really protect a system you have to protect it against irrational behavior as well.
legendary
Activity: 1050
Merit: 1003
November 08, 2012, 05:20:11 AM
#14
Yes, this issue (and variants) have been discussed before.

This type of analysis has a few problems. The first is that it redefines the word "rational" to mean "short term thinker",
In the OP I used "rational". In a reply, I clarified to write "rational" and "atomistic". "Rational", "atomistic" miners are of course "short term thinkers" by definition.
I invite you to point out any problems you see with the analysis in this case. I don't see any at all.

Incidentally, I think eventually double spends will happen semi-regularly and anonymous purchases will become less common for that reason, but I think it'll happen for different reasons to what you think (ie not a conspiracy of short term miners).
There is no conspiracy involved here. All of the miners are individually rational. They are not colluding in any way. There is a single attacker who mined one block and then leverages this to execute an attack in full public view.

You are being presumptuous. This post does not refer to what I think will happen. I think that PoW mining (if it survives at all) will become a completely centralized monopoly. The attack scenario is no longer relevant in this case, but this type of attack provides one important reason to expect the PoW monopoly to emerge or alternatively PoW to be supplanted by a more robust design. I'm not sure whether the monopoly will allow treat bitcoin like cash or credit cards (regular double spends). That will be up to the monopoly operator.

Could you explain why you think there will be regular double spends in the future?
legendary
Activity: 1526
Merit: 1134
November 08, 2012, 04:52:50 AM
#13
Yes, this issue (and variants) have been discussed before.

This type of analysis has a few problems. The first is that it redefines the word "rational" to mean "short term thinker", which is not the same thing. Life is full of examples where you can make a quick buck in the short term but destroy your income over the long term, and somehow civilization still makes progress. A rational miner would not simply double-spend any transaction with high enough fees, because that would result in a short term profit at the cost of destroying confidence and thus usage of Bitcoin over the long run.

That possibility is explicitly addressed in Satoshis paper:

Quote
He ought to find it more profitable to play by the rules .... than to undermine the system and the validity of his own wealth.

The actual quote is discussing the case of trying to individually obtain enough mining power to outrun the chain and double spend, but buying hash power to do so is not much different.

So the only way this scenario can occur is if all miners end up being exclusively short term and being willing to sacrifice Bitcoin to get a few double-spend fees that they then immediately cash out. But many miners are in it for the long term, either for ideological reasons, or because they have large sunk costs in Bitcoin-specific hardware, or both. Killing confidence in the system is not in their interests.

The other problem is that it's not true that purchasers are always anonymous. Today that may often be true, but that's because Bitcoin is primarily used for relatively small and unimportant purchases. Nothing says merchants have to deal with anonymous customers, and if double spends become common merchants will just start requiring ID in order to sell you things, with some kind of distributed reputation system over those IDs. Eg, the Bitcoin Foundation does not sell membership to anonymous people.

Incidentally, I think eventually double spends will happen semi-regularly and anonymous purchases will become less common for that reason, but I think it'll happen for different reasons to what you think (ie not a conspiracy of short term miners).
legendary
Activity: 1050
Merit: 1003
November 04, 2012, 12:53:19 AM
#12

Well, you are wrong about that.  If that is the conclusion you've come to, then you aren't tracking the costs and rewards properly along with the probabilities of success for all of the parties.  It gets worse when you add in reputation costs, but even ignoring those, it still doesn't work.
You fail in reading comprehension, perhaps intentionally. I said "if" indicating an assumption, not a conclusion. You are assuming that reputation is strictly a positive force, which is not necessarily the case.

If GPUmax has a reputation for paying a premium on shares and miners are greedy, then reputation can make things worse. I think this is freemoney's point that this whole scenario is obvious. He is thinking of a centralized double-spending business, rather than a decentralized mechanism of attack. If the business pays more for shares and maintains a reputation for doing so, it should get 51% of the hash power.

I am thinking of decentralized double-spending p2p software that any attacker can use. The nice thing about the decentralized mechanism is that it allows attacker to be anonymous. This might be preferred if attackers face real world retribution.

It might be difficult to make GPUmax an anonymous hidden service (not sure though).

Finally, perhaps you are referring to the costs of failed attack which sucks for the attacker. You can solve this by making the bribes really big and not insuring the miners against failure at all. Then you only pay out for a successful attack. Problem is that attack is no longer a dominant strategy for miners. Whether you attack or not depends on your prior beliefs about attack success. This problem is considerably more complicated because you have to specify how beliefs are formed. In general, there will be multiple equilibria and these will depend on miners prior beliefs.
kjj
legendary
Activity: 1302
Merit: 1026
November 04, 2012, 12:37:44 AM
#11
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.

The attacker and the miners are pseudonymous. Coins are fungible. He can wash the dirty coins, put them in a new unknown wallets, and attack again using a fresh identity.

In a transaction big enough that you can afford to bribe miners to reverse it?  Not likely.

I thought the point was that (if miners behave rationally and are atomistic), then any tx is big enough that you can afford to bribe miners to reverse it.

Well, you are wrong about that.  If that is the conclusion you've come to, then you aren't tracking the costs and rewards properly along with the probabilities of success for all of the parties.  It gets worse when you add in reputation costs, but even ignoring those, it still doesn't work.
Pages:
Jump to: