Pages:
Author

Topic: Dynamic Defensive Hashing for the Bitcoin Network - page 2. (Read 3177 times)

donator
Activity: 2058
Merit: 1054
Perhaps your most important statement is the Difficulty != Security, which is true. Security derives from the cost of mounting an attack. If all miners today used FPGA boards and were much more efficient per Gh/s, then difficulty would be much higher... but if these FPGA boards are just as cheap as the GPU's which preceded them, then the cost of the attack hasn't increased and thus the higher difficulty is irrelevant.
This is completely banal. It's all about invariants. If the type and technology level of the hardware used is invariant, then the "difficulty" number very strongly correlates with security. If not, then of course the difficulty correlates more than anything with the hardware technology.

For discussing the issues in the OP, it is perfectly acceptable to assume the hardware technology (as well as the value of the Bitcoin system) is invariant, so "hashrate" is interchangeable with security. The OP's main point (which I don't really agree with) is that it is not the continuous hashrate that matters, but the reserve hashrate.
legendary
Activity: 1008
Merit: 1023
Democracy is the original 51% attack
Really cool points da2ce7

Perhaps your most important statement is the Difficulty != Security, which is true. Security derives from the cost of mounting an attack. If all miners today used FPGA boards and were much more efficient per Gh/s, then difficulty would be much higher... but if these FPGA boards are just as cheap as the GPU's which preceded them, then the cost of the attack hasn't increased and thus the higher difficulty is irrelevant.

So, I haven't had my coffee yet, but I think this means Security = Cost per Block. The more expensive it is to mine blocks, the better. The Difficulty figure doesn't capture the cost, thus making it a good but inadequate statistic for measuring the security of the network.
donator
Activity: 2058
Merit: 1054
I think you are greatly overestimating the marginal cost of turning on mining hardware. Hardware depreciation is a much more significant cost than electricity.

Also, you're mistakenly assuming that attacker blocks have an "evil bit" set. When a node is facing a massive reorg, in general he doesn't know if the new branch is one built in secret by an attacker, or if so far he has been isolated by an attacker and finally he gets a glimpse of the real chain.

And, if the node does have some way to determine that a branch belongs to an attacker, there's no need at all to fire up the hardware to work to orphan this branch - the network can just agree to reject this obviously malicious branch.

The practice of rejecting a new branch if it conflicts with a known branch X blocks deeps is what I call "cementing". This has its uses but it carries the risk that a node will be stuck on the wrong branch. Which is why proof of stake is needed to have the final say - the cemented branch will be given up once proof-of-stake favors a different branch.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
Block rewards are going to be very low, so are transaction fees.  The the only reason to turn your miner on is to defend against an attack.

Insurance companies have a vested interest in making attacks against their customers unprofitable.  (by orphaning a double spending chain that hurts their customers).  So any attack is likely to be killed by the free market.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
It won't work

The economic incentive to cheat would be too great. I might want to turn on my miners for "just a few days" to recover my sunk costs.  A few days becomes a few Weeks becomes a few months.

Although the analogy isn't perfect, the middle east oil cartel came to mind.

I'm sorry.  Where is the economic incentive to cheat?

If an insurance company is protecting your transaction, they may choose to let the reorganization happen (cheaper just to pay the lost transactions they cover).  However if it is cheaper to orphan the hidden chain.  Then that choice will be taken.)

However if a few different insurance companies are going to loose money on the reorganization, then they will decide as a team to orphan the offending chain.  This has a feedback where if one of the companies didn't play fair, they will loose reputation.
legendary
Activity: 1764
Merit: 1002
It won't work

The economic incentive to cheat would be too great. I might want to turn on my miners for "just a few days" to recover my sunk costs.  A few days becomes a few Weeks becomes a few months.

Although the analogy isn't perfect, the middle east oil cartel came to mind.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
Also, the more long the hidden chain has been kept, the more obvious it is when it is released.
A WOT based chain locking after 1000 blocks would stop the most long-term attacks.

However it is easy to display a warning when there is a large reorganization... And even if there is a large lead... With much more hashing power 'in waiting' any reorganization is likely to be very short lived; and never successful. (in the long run).
legendary
Activity: 1050
Merit: 1003
If the motivation is to establish an enduring mining monopoly (which seems like the most plausible 51% scenario to me), then dynamic variation in hashing power will not help at all.

Yes it dose.

1.  The attacker knows how much hashing power is needed to attack the network now.  With dynamic hashing the ammount of power needed is unknown untill untill that attack is atempted.

2.  The network is expending unnecessary resources maintaining a high hashrate when there is no attack.  It is much more efficient to save the resources now, in preperation for when an attack.

3.  The network may be able to defend at a much higher hashrate for a short amount of time.  While the attacker dose not know how long or what % of the total defencive power is used.


Okay, I'll admit that adding extra uncertainty to the attacker's problem is helpful. It is still pretty marginal help, however.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
problem is that anyone with enough hashpower can create a rogue chain in secret and publish it all at once. It's impossible to detect this attack until is too late and instead of using all the power to make it harder and costly to him you are helping him because you want to reduce costs

When an attacker publishes a 'seceret' chain that reverses some transactions, the network will detect this and quickly mine enough blocks to orphan that seceret chain.

The network must maintain enough "base load" to make such hidden attacks unprofitable in the general case.

Say the network has 100x dynamic hashing power to use against such double spending attacks.  A 100 block hidden fork will take only 1 block (of time) to reset back to the non attacker chain.

Also clients can be desigened to detect such a reorganizatio, and wait a fewmore bocks for confidence.  
hero member
Activity: 686
Merit: 500
Bitbuy
problem is that anyone with enough hashpower can create a rogue chain in secret and publish it all at once. It's impossible to detect this attack until is too late and instead of using all the power to make it harder and costly to him you are helping him because you want to reduce costs

This! If the attacker doesn't broadcast any blocks until he has a significant lead, and then broadcasts them all at once, effectively rewriting a large part of the chain, there's no way to mount a defense on time.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
If the motivation is to establish an enduring mining monopoly (which seems like the most plausible 51% scenario to me), then dynamic variation in hashing power will not help at all.

Yes it dose.

1.  The attacker knows how much hashing power is needed to attack the network now.  With dynamic hashing the ammount of power needed is unknown untill untill that attack is atempted.

2.  The network is expending unnecessary resources maintaining a high hashrate when there is no attack.  It is much more efficient to save the resources now, in preperation for an attack.

3.  The network may be able to defend at a much higher hashrate for a short amount of time.  While the attacker dose not know how long or what % of the total defencive power is used.

Edit: Grammar.





full member
Activity: 134
Merit: 100
problem is that anyone with enough hashpower can create a rogue chain in secret and publish it all at once. It's impossible to detect this attack until is too late and instead of using all the power to make it harder and costly to him you are helping him because you want to reduce costs
legendary
Activity: 1050
Merit: 1003
If the motivation is to establish an enduring mining monopoly (which seems like the most plausible 51% scenario to me), then dynamic variation in hashing power will not help at all.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
So why is this post important?...

Lots of people have been scared of the natural low difficulty bitcoin will have once the reward per block is lowered dramatically, and the block size is increased.

What the above post sugests is th having a constant high difficulty will in the long run be less secure.

Instead it will be much more secure for the network to have lots of hashing power "in the wings" waiting to defend against an attack.

Then I proposes a "bitcoin transaction insurance company" so that the defensive hashing power will not be subject to the "tragedy of the commons" problems that plauge other defensive solutions.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
Hello.  I just want to clear up some half-truths about this topic.

First:  Difficulty != Security. -  However generally there lots of correlation between the two.

Security is defined by: Cost of carrying out a successful attack against the bitcoin network v.s. direct gain to the attacker.


Bitcoin has never provided security against attacks that have 3rd party financial gain.
Even with the block reward at 50, bitcoin is not secure against a large attacker whom take their gain from maintain the status co.  For example: a Bank, or a Government.  (This is why it is important that the community designs non-proof-of-work based crypto-currencies as alternatives)
So point 1:  Bitcoin isn’t secure from a power determined attracter, even with the ideal settings that it has now.

Continually-high difficulty will tend to be less secure than ‘very high only when needed’ difficulty.
If the entire network is expending large amounts of resources on maintaining a constant very high difficulty; this will lower the total resources available to the bitcoin economy to defend against a (relatively) short-term attack.
For example, maintaining a difficulty of 1M necessitates that the entire bitcoin community spend the resources to maintain that value.  However an attacker only needs to spend the resources to gain a hashing value of 2M equiv. for two weeks, to do significant disruption to the entire bitcoin economy.
There is a constant loss of 1M equiv. on the bitcoin economy.  However the attacker only needs to budget for a loss of 2M equiv. for a much shorter time… This gives the potential attacker a large financial advantage over the long term.
Point 2:  Continuous high difficulty make the bitcoin economy less well positioned to defend against a real attack.

Attacks against the bitcoin network are statistically easily detectable and can be quickly defended against.
There are two main types of attacks that an opponent with a majority hashing power would carry out; the they are both very obvious.
1.   Double Spending, this attack “re-writes” the order of the transactions, making retrospectively (to the POV of the receiver of the coins), removing the previously agreed to transaction.
2.   Supply blocking.  This attack either the attacker requires a registration of every transaction before accepting them into the block chain… or will just reject every transaction.  This is likely to me a much more damaging attack to the long-term future of the bitcoin economy.
When either of these attacks happen, the bitcoin economy is going to be very away of them happening.  There will be time to mount a significant defence before serious damage has been done to the economy.
Point 3:  Attacks are easily detected, and there is enough time to mount a defence against them.


Vested interest in the Bitcoin economy’s health
Everyone who owns bitcoins, or indirectly is dependent on the bitcoin economy, has a financial (or philosophical) interest to defend the bitcoin network from attack.
This means that there is a very large potential amount of value that can be put behind the bitcoin network in the case that the bitcoin network is indeed actively being attacked.  (50% value is better than 0% value on investment).
This value is NOT dependant on the rewards that the bitcoin network provides to the continuous active miners.  This value is dependent on the bitcoin economy size at-large.
Point 4:  The value behind protecting the bitcoin network is much larger than the value provided by the block rearwards or transaction fees.


With these points in mind, I would like to make this suggestion for the most secure way that the bitcoin network may wish to work:
1.    The block rewards (eg, new bitcoins, + transaction fees), only need to cover trivial internal annoyances that happen when the continuous hash rate is too-low.  I suggest that 0.1% of the bitcoin market cap per year will be about what is required to stop these trivial attacks.
2.   The bitcoin network may have a continuous hashing value as low as 100K or less.  Yet remain generally secure.


Conclusions

Bitcoin Transaction Insurance companies will hold much of the 1st line dynamic hashing power.  The will be companies that sell a service to businesses that will cover any losses due to reversed transaction double spending.
When an double spending attempt is (automatically) detected, against one of the insurances companies clients, they will dynamically decide if it is cheaper to fire up their miners and orphan the offending block, or pay-out the value of the transaction.
For the functional security of their customers they don’t require a very high constant hashing rate.  Rather a known potential very high hash rate.  (Something that it isn’t profitable to attack against).
The free market will bring down the price of the insurance to the minimum cost that it requires to defend against the attackers.

The 2nd line of dynamic hashing power will be bitcoin banks and other bitcoin trading businesses.
These companies will keep very large hashing power offline, unless there a systematic attack against the network is detected.  In that case, they will turn on their miners and out-power the attacker for as long as the attacker has resources for.  Once the attack has been given up the miners turn off, and are ready to turn on again at the drop of a hat.

The 3rd line of dynamic hashing power will be individuals whom have a large stake in the success of bitcoin.  They will work much the same as the 2nd line, however will only turn their miners on when everything else looks about to fail.

TL;DR:
Once the network changes from a static hashing defence, to a dynamic hashing defence; and potential attacker must not only overcome continuous hashing rate, (that may be quite low).  But also overcome a massive hashing power that is only activated in the case of an attack.
The bitcoin economy only needs to expend additional resources _when_ an attack is occurring. (and expending resources in maintaining the offline miners, and purchasing them in the first case; but this is generally a one-off investment, not a continuous cost).
While the attacker must provide a continuously high hash rate, above all the defensive dynamic hash rate available.


Edit: Formating/Spelling
Pages:
Jump to: