Topic: delete - page 32. (Read 165538 times)

Is this the reason why the hash rate is so high compared to the price?

Yeh.... Until 22 days passes with nothing happening and BCX and TFM decide to change the goalposts yet again: "Oh, sorry everyone - just made a new calculation and it transpires the attack won't materialise for another 6 months..."

Wake up people. This is a psychological attack not a technical one.

More honest hash power is always more secure for any coin. Beyond that everything is a matter of guesswork.

If we increase the total hash power, will that elongate the judgement day?

That's not long... I'll be happy when this saga is behind us. For better or worse.

(If worse I'll be a little more angry than happy...but so be it)

I see no evidence that anyone on that thread has any idea what they are talking about with the possible exception of Cryddit. Nevertheless KGW looks like kind of a train wreck to me, and probably DGW too (but I haven't really looked that closely).


No, it isn't clear. You can't really hide any blocks just by making them outliers because the outliers starting at the most recent end of the adjustment window (for example if you timestamped into the future) still have to slide through the middle before exiting the window on the other end. So you can only defer them from contributing to the adjustment for a little while, but eventually they do get counted (similar in effect to a window-based adjustment like Bitcoin).  The outliers at the farthest-in-the-past end might be able to slide off without ever being counted, but even if you could figure out how to drop blocks there right away, that would only increase difficulty, not decrease it. There still might be a flaw, but we have to do better than that to graduate from FUD.


This can never happen because the chain length is sum of difficulty not block count, although with some probability you might have a slightly lower hash rate and still get lucky and win more than half of the (weighted) blocks, as usual.

ETA is Oct. 12, 5 days from now.

When I look at numerous Monero threads on forum, all hailing this greatest masterpiece coin, one of Seth Godin's post always comes to my mind:


http://sethgodin.typepad.com/seths_blog/2014/10/youre-right-theyre-wrong-but-they-won.html

Evan claims a KGW exploit was deployed against DRK.

The descriptions of the theory of such an exploit explain the difficulty can be reduced quickly by setting the timestamp of the latest block far into the future for the secret chain so the secret chain is mined with much lower difficulty, and then the secret chain can be brought back to the present time before publishing it, because timestamps that walk backwards in time aren't fully counted.

To compute the relative PoW of a chain, sum the modular additive inverse of each hash (e.g. hash subtracted from 2²⁵⁶). The secret chain can't end up with more blocks thus has a lower sum and isn't chosen as the longest chain. Or what appears to be more correct (what that thread is alleging) is if the longest chain is chosen by the greater number of blocks, the secret chain can mine more blocks since it is at a lower difficulty. The key is being able to mine faster at a lower difficulty by being able to move forward and then backward in time asymmetrically.

KGW offers other vulnerabilities because the secret chain can drop the difficulty, then mine faster without causing a rise of difficulty for up a day or so, by staying under the exponential well trigger threshold.

Clearly you see now the potential problem in Cryptonote with the 20% discard rule. It enables the secret chain to hide a bunch of fast blocks (bunching them together in time) without causing a rise in difficulty. Thus the secret chain can end up the longest chain without needing 50% of the hashrate.

I now change my opinion to very likely that BCX is building a secret chain nowRescinded. How many more days to the 22 day countdown?

Count me as interested.

Edit: it might be the asymmetry of the threshold between increase and decrease (i.e. 100+20 is +20%, but 120-20 is -16.7%). Others had mentioned that already and it is obvious on the chart.

To start I said I wasn't interested in KGW. But nevertheless, that was interesting and after reviewing it I think I understand where the exploit in KGW lies (and no it isn't what you suggested, exactly, nor is it merely "adjusting too fast"). But in any case the same exploit doesn't exist in cryptonote coins. Of course that doesn't rule out a different one.

If I have time I will write up what I think I found in KGW more carefully and see if it really holds up. Perhaps some of the coins using it will find that interesting.

The selfish mining paper shows that above 25%, the attackers % of the hashrate is amplified.

That is assuming you have employed the γ = 0.5 fix suggested in the paper which afaik Bitcoin never did so I assume CN copied the Bitcoin flaw? Otherwise the amplification starts from 0%. See the chart on page 11 of the paper.

So the attacker can selfish mine at the same time, to further amplify his hashrate.

BCX mentioned 20%, so it appears if γ = 0, his would be amplified to 25% and that is not including the KGW exploit.

Any way, it appears you only need enough to get the ball rolling downhill, because your hashrate grows over time as other miners drop off due to the drag on their profitability.

I still agree you need to quantify how much the potential KGW exploit accelerates over the selfish mining by itself. It is already known that all PoW coins in existence can theoretically be destroyed with selfish mining and 25% of the hashrate, but it might take a heck of a long time (perhaps exhausting the attacker's hardware rental capital or the profit he earn from such an attack) depending on if γ = 0 or the hashrate is higher such as 33%.

On KGW, that should take you about 15 minutes if you are really interested. There is your 20% hashrate triggering at less than a day...

http://bitcoin.stackexchange.com/a/22265/3441

Here is a quadruple dose of FUD...

Wouldn't it be ideal if a coin's whitepaper has a mathematical proof that it isn't vulnerable to anything less than a 50% attack (other than the normal 6 confirmations type risk of double-spend)?

And wouldn't it be porn, if that proof showed that every other proof-of-work coin (including Bitcoin) is so vulnerable?

And wouldn't it triple sexy if that proof showed that all (untraceable block chain) anonymous coins can't be fixed to remove that vulnerability?

Excuse my drooling, I can't contain myself.

Edit: I have not withheld any quantification of TW attack on CN afaik. I shared all of my (limited) knowledge on that. I am referring to something different above.

You are confusing trust model with being insecure, so you are misquoting, unless tacotime said something else I'm not aware of.

In any case, no tacotime was not one of the people who has claimed no exploit in KGW (that I'm aware of, but indeed maybe he has, it wouldn't surprise me).


This needs to be quantified to be real. If the hash rate you are using to drive and then pulling is large enough, this adds little to the well known greedy mining or 51% attacks. If it can be done with less, then it would be significant.

Anyway, I'm not particularly interested in KGW specifically, but it is a good example of an area where vague claims are made on both sides without specific proof (again on both sides), and it is impossible to tell who to believe without solid facts.

If you adjust too quickly then even without any TW, the last few blocks of before the difficulty adjustment (to reduced difficulty) the attacker grabs with higher probability are a higher percentage of all the blocks.

As I described previously the attacker can ramp up the hashrate for one period, then pull his hash rate from the next.

So too quick is not an option. Period. BCX said this, so he shows he knows his shit.

As I wrote before, this cycling of the hashrate higher drives away miners, combined with stealing blocks on the lower hashrate cycle drives away miners.

BCX said this, so he shows he knows his shit.

You are apparently not thinking deep enough on this yet.


TT who claimed that BBR's compression is insecure in some grand degree?

He was involved about Scrypt coins.



KGW clearly has an exploit because it is thresholded at an exponentially declining well. So if you have enough hashrate, you can drive the hashrate adjustment at the time of your choosing. So you can ramp it up very high, then pull your hashrate slow enough to mine a secret fork while the hashrate doesn't adjust.

And the real huge flaw is KGW will stop at the most recent block, if you hit the threshold. So you can shorten the difficulty adjustment intervals and take over the chain per what I wrote above.

That is very obvious conceptually.

I agree about freedom and not judging. I was trying to sincerely offer an interpretation of what is happening. I understandam empathetic to your predicamentcircumstances, so maybe it is best I say nothing. I am guessing you don't share my interpretation at this time, and I don't blame you for that, or even assume with certainty my interpretation is the correct one.

P.S. my interpretation of the predicament is whether you like it or not, you've gotten yourself joined at the hip with the net effect of all the politics. My Dog, I hate politics. What an enormous clusterfuck blackhole on time it can be.

You are misquoting me, but in any case, I'm capable of deciding what to claim or not claim on my own.


I don't even know if he had anything to do with it at all, and I've never claimed otherwise. I've just pointed out that some questions are there and anonymity plus red flags is not a healthy combination. I've also said on several occasions that Zoidberg is less anonymous than he once was since he now has a visible reputation and track record of at least several months on which he can be judged. I'd prefer not to comment further along that line of inquiry at this time.


Giving a different opinion on the merits of a design choice is not an attack. In his last reply, Zoidberg said something along the lines of "I see your point but I disagree." He was not attacking us for our opinion, nor us for his.


You will have to ask him about that opinion. I don't speak for him nor vice versa.


Sorry, Monero has no shocking porn to offer you. Just some interesting privacy-enhancing technology and a team that isn't lying to you.


Enjoy the walls of text.