Topic: Bribery: The Double Double Spend - page 3. (Read 5540 times)

legendary
Activity: 1246
Merit: 1016
Strength in numbers
November 04, 2012, 01:21:30 AM
#10
I might be missing something but I don't see how this isn't just obvious. You can buy more mining power yourself or you could hire out.
legendary
Activity: 1050
Merit: 1003
November 04, 2012, 01:09:59 AM
#9
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.

The attacker and the miners are pseudonymous. Coins are fungible. He can wash the dirty coins, put them in new unknown wallets, and attack again using a fresh identity.

In a transaction big enough that you can afford to bribe miners to reverse it?  Not likely.

I thought the point was that (if miners behave rationally and are atomistic), then any tx is big enough that you can afford to bribe miners to reverse it.
legendary
Activity: 1050
Merit: 1003
November 04, 2012, 01:04:28 AM
#8
The assumption is that mining is decentralized.

And yet you have some centralized channel set up to announce your attack chain to miners?  Perhaps I'm misunderstanding it somewhere but doesn't the satoshi client not forward competing blocks until they become part of the longest chain?  I see how it mirrors game theory in that your individual reward might be highest helping the attacker, but the assumption there is that the players can't communicate with each other and I'm not sure that holds true in this case.

Of course, I am assuming that people don't use the satoshi client to mine. Otherwise how can there be attackers? Instead they adopt some other client which is more flexible (allows communication with attackers), but which still produces valid blocks. You can think of the new client as League of Shadows P2Pool. They adopt this client because it works just as well for honest purposes, but also allows for extra earnings through illicit activity.

You mean the assumption is that the players can communicate with each other? (Otherwise how does the attacker announce his sidechain?) Yes, I'm assuming players can communicate freely and that the modified client allows them to do this. I think that is a pretty standard assumption. Assuming that no one can communicate at all except via the Satoshi client is bizarre.

How would communication across players possibly help them rationally fight the attacker?

full member
Activity: 125
Merit: 100
November 04, 2012, 12:44:59 AM
#7
The assumption is that mining is decentralized.

And yet you have some centralized channel set up to announce your attack chain to miners?  Perhaps I'm misunderstanding it somewhere but doesn't the satoshi client not forward competing blocks until they become part of the longest chain?  I see how it mirrors game theory in that your individual reward might be highest helping the attacker, but the assumption there is that the players can't communicate with each other and I'm not sure that holds true in this case.
kjj
legendary
Activity: 1302
Merit: 1026
November 04, 2012, 12:42:04 AM
#6
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.

The attacker and the miners are pseudonymous. Coins are fungible. He can wash the dirty coins, put them in new unknown wallets, and attack again using a fresh identity.

In a transaction big enough that you can afford to bribe miners to reverse it?  Not likely.
legendary
Activity: 1050
Merit: 1003
November 04, 2012, 12:30:11 AM
#5
This seems to assume that miners are either working for one side or the other; it seems to me that if the "bribe" is less than the block generation amount the optimal mining strategy is to keep both chains going out as long as the attacker can afford and have the attack fail in the end.

The assumption is that mining is decentralized. Suppose you extend the main chain, then individually you get block reward if the attack fails, nothing otherwise. The attacker needs to distribute more bribes, but these are divided evenly (in expectation) across everyone mining the attack chain. It is not individually rational to extend the main chain in order to distribute handouts across all attack miners.

full member
Activity: 125
Merit: 100
November 04, 2012, 12:18:35 AM
#4
This seems to assume that miners are either working for one side or the other; it seems to me that if the "bribe" is less than the block generation amount the optimal mining strategy is to keep both chains going out as long as the attacker can afford and have the attack fail in the end.
legendary
Activity: 1050
Merit: 1003
November 04, 2012, 12:14:11 AM
#3
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.

The attacker and the miners are pseudonymous. Coins are fungible. He can wash the dirty coins, put them in new unknown wallets, and attack again using a fresh identity.
kjj
legendary
Activity: 1302
Merit: 1026
November 03, 2012, 11:53:41 PM
#2
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.
legendary
Activity: 1050
Merit: 1003
November 03, 2012, 11:27:18 PM
#1
Attackers can easily bribe rational miners to double spend using txn fees. [this seems likely to have been discussed before; point me there if my discussion is old hat]

Say the attacker starts with significant balances in two addresses at block t-1: D (double-spend) and B (bribe); the attacker also has empty addresses as follows: A1, A2, ... and C.

1) Mine a secret side chain block that extends block t-1. In the first block of your side chain, include a txn that (secretly) transfers B->A1.  (Wait to get 1 side chain block before moving to step 2.)
2) On the main chain in block t, send D to purchase something you want to steal. Simultaneously, include a txn that sends B->C in this block. (This is the 'double double-spend.' You plan to reverse both txns.)
3) Wait to get the good you purchased using D (the sooner the better).
4) Announce your attack chain. Send a sequence of bribes as follows: send a high-fee txn from A1 to A2. After this enters a block, send a high-fee txn from A1 and A2 to A3. After this enters a block, send a high-fee txn from A1 and A3 to A4; keep sending out the bribe sequence until you overtake the main chain or your bribe fund is exhausted.
5) Simultaneously, after each attack block is found, identify the generation address on the attack block. On the main chain, send block reward to this generation address using address C. These sends get reversed if the attack succeeds. If the attack fails, these sends compensate the attack miners for participation.


Consider the rational miner's problem:
If the attack succeeds, honest miners get nothing. If the attack fails, honest miners get block reward.
If the attack succeeds, then attack miners get block reward + bribe. If the attack fails, then attack miners get block reward.
Therefore the dominant strategy is to attack. The probability of attack success is irrelevant.

Consider the attacker's problem:
If the attack succeeds, then the attacker gets a stolen value of D - bribe.
If the attack fails, then the attacker loses n*block reward, where n is the number of confirmations on the initial spend.
Therefore, if p is the probability of attack success, you attack if p(D-B) > (1-p)(block reward)n.
Clearly, B has some positive influence on p, but it is hard to guess what. If all miners were atomistic and perfectly rational, then p is 1 for B > 0, so you want to attack whenever you buy anything of strictly positive value.

Notes: To mitigate this problem, it would help if ...

a) It was extremely difficult to make secret one-block long side chains. One block public forks are fine. If it were public, the double-spend in step 2 would set off alarm bells and prevent timely completion of step 3.
b) Miners were not rewarded with fees.

I think (a) is the larger problem, (b) is kind of a side issue. Even without fees, you could still offer ex-post rewards as was done in step (5). Fees just help you commit.
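The payoff model in post #1 (the miner's dominant strategy and the attacker's p(D-B) > (1-p)(block reward)n condition), and the atomistic-miner argument in post #5, worked through as an added example from a merchant's side: given an estimate of p, how many confirmations make the attack unprofitable. This is not code from the thread; the parameter names and the numeric values in the usage are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    D: float   # value of the good bought with the double-spent coins
    B: float   # total bribe fund the attacker is willing to burn as fees
    R: float   # block reward (subsidy plus ordinary fees) per block
    p: float   # estimated probability that the attack chain overtakes the main chain


def miner_expected_payoff(params: Params, bribe_share: float) -> dict:
    """Post #1's 'rational miner's problem' for one atomistic miner who finds the next block.

    bribe_share is the expected slice of the bribe a single attack miner collects per block.
    Step 5 of the attack pays attack miners the block reward even when the attack fails,
    so the attack branch earns R in both outcomes.
    """
    honest = (1 - params.p) * params.R                                   # nothing if the attack wins
    attack = params.p * (params.R + bribe_share) + (1 - params.p) * params.R
    # Attacking weakly dominates; strictly whenever p > 0.
    return {"honest": honest, "attack": attack, "attack_dominates": attack > honest}


def attacker_expected_profit(params: Params, n: int) -> float:
    """p(D - B) - (1 - p) * R * n: positive means the attack is worth launching
    against a merchant that releases the good after n confirmations."""
    return params.p * (params.D - params.B) - (1 - params.p) * params.R * n


def min_safe_confirmations(params: Params):
    """Smallest n at which the attacker's expected profit is <= 0, i.e. the confirmation
    count a merchant needs before handing over the good. Returns None when no finite n
    works (p == 1, the 'atomistic and perfectly rational' case in the thread)."""
    if params.D <= params.B:
        return 0                      # the bribe costs more than the loot; never profitable
    if params.p >= 1.0:
        return None
    return math.ceil(params.p * (params.D - params.B) / ((1 - params.p) * params.R))


if __name__ == "__main__":
    demo = Params(D=100.0, B=10.0, R=25.0, p=0.5)   # constructed values, not from the thread
    print(miner_expected_payoff(demo, bribe_share=2.0))
    for n in range(1, 6):
        print(n, attacker_expected_profit(demo, n))
    print("confirmations needed:", min_safe_confirmations(demo))
```

With the constructed values, three confirmations still leave the attacker a positive expected profit and four do not, which is the quantity a merchant's confirmation policy should be tuned against rather than a fixed number.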
