Author

Topic: Fascinating what Michael Deletes [BTCguild 90% luck and dropping] (Read 4238 times)

legendary
Activity: 1540
Merit: 1001
Kinda sucky that they're using live pools as test beds, but I doubt there's much you can do about it.  Their error has cost us all.  C'est la vie.

I fail to see how it cost us all?

If A == how many blocks would be solved without them
If B == how many blocks could have been solved with them

You ended up with a value > A, but less than A + B.  In other words, you did better with them, than without them.  But not as good as you could have if their software was working properly.

Right?

M
Hmmmm.  Is this a trick question?  The way I look at it is that if they solo-mined with those miners they would have got nothing.  As it is they got value for their shares.

I think actually A=B in this case.  But A is now divided between the pool and them, so my share of A is less than it would have been.  At least that's my simplified view of things.  I'm happy to be shown how I might be wrong though.

Or put another way, they added nothing to the pool as it was impossible for them to solve a block, but they took payouts that would have been paid to other miners.

I think I misunderstood.  If they weren't solving *any* blocks, then you are right, their shares made yours less valuable.

I read it as only certain types of blocks were failing.  I see now I read it wrong.  Nevermind! Smiley

M
sr. member
Activity: 672
Merit: 250
Buy, sell and store real cryptocurrencies
But not as good as you could have if their software was working properly.
And coincidentally I think this is a very good way of saying that it cost us.  The difference between doing as well as we did and as well as we could have done is a direct cost.
sr. member
Activity: 672
Merit: 250
Buy, sell and store real cryptocurrencies
Kinda sucky that they're using live pools as test beds, but I doubt there's much you can do about it.  Their error has cost us all.  C'est la vie.

I fail to see how it cost us all?

If A == how many blocks would be solved without them
If B == how many blocks could have been solved with them

You ended up with a value > A, but less than A + B.  In other words, you did better with them, than without them.  But not as good as you could have if their software was working properly.

Right?

M
Hmmmm.  Is this a trick question?  The way I look at it is that if they solo-mined with those miners they would have got nothing.  As it is they got value for their shares.

I think actually A=B in this case.  But A is now divided between the pool and them, so my share of A is less than it would have been.  At least that's my simplified view of things.  I'm happy to be shown how I might be wrong though.

Or put another way, they added nothing to the pool as it was impossible for them to solve a block, but they took payouts that would have been paid to other miners.
legendary
Activity: 1540
Merit: 1001
Kinda sucky that they're using live pools as test beds, but I doubt there's much you can do about it.  Their error has cost us all.  C'est la vie.

I fail to see how it cost us all?

If A == how many blocks would be solved without them
If B == how many blocks could have been solved with them

You ended up with a value > A, but less than A + B.  In other words, you did better with them, than without them.  But not as good as you could have if their software was working properly.

Right?

M
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
So what's the confidence level that this has been isolated and we're back to normal variance?  Are these miners going to be delivered to paying customers?  Or have they been already?  (i.e. is there a significant number of broken miners out in the wild.)  A 1.8 PH/s user is a lot easier to spot than 1.8PH/s sent out in 1TH/s units.
This is why customers should buy only miners where the software is free and they can audit and modify it. Already there are miners out there using binary forks of cgminer without distributing their code, and there are so many of them that I can't go chasing them (mostly out of China so far). But as per always, people do not buy on principle, just on cost, availability, potential profit etc. (which is understandable but a shame), and just look at how badly they even made those decisions (which still never ceases to amaze me).
sr. member
Activity: 672
Merit: 250
Buy, sell and store real cryptocurrencies
So what's the confidence level that this has been isolated and we're back to normal variance?  Are these miners going to be delivered to paying customers?  Or have they been already?  (i.e. is there a significant number of broken miners out in the wild.)  A 1.8 PH/s user is a lot easier to spot than 1.8PH/s sent out in 1TH/s units.
sr. member
Activity: 672
Merit: 250
Buy, sell and store real cryptocurrencies
Kinda sucky that they're using live pools as test beds, but I doubt there's much you can do about it.  Their error has cost us all.  C'est la vie.
legendary
Activity: 1750
Merit: 1007
I think the options are:

- withholding attack
- malicious op
- some other attack we don't know about
- ridiculous bad luck streak

Keep in mind Eligius is at 93% luck for 90 days as well.  But no one is complaining there.

M

At least a significant portion of the recent bad luck streak was already traced to a group of users that are developing their own ASICs, currently at ~1.8 PH/s.  They had previously mined on Eligius back in March and had solved blocks back then.  They moved to BTC Guild in early April, after difficulty crossed 4.2b.  They were not 1.8 PH/s at the start, they slowly grew over time.

We've since identified that their software was having problems at diff > uint32 maximum value (~4.2b).  They patched their software and went to Eligius to test the fix.  They solved a few blocks.  They had their accounts unfrozen on BTC Guild, and have since found a number of blocks in the last 24 hours for BTC Guild as well.

This being the Bitcoin community, most people are going to assume malice forever, even though these users got back to me immediately after their accounts were frozen when they could've easily proxied their miners and split them up more to make it impossible to trace.  They fixed the issue, and have since been reporting block solves as expected.
legendary
Activity: 1540
Merit: 1001
The reality is you can not conclusively say if the miner is or is not cheating in any of those three scenarios.

So are we back to square one?

It seems everyone is assuming there's a withholding attack going on?

M

Not really, but are we back assuming it's just bad luck? No other option? Have we ruled out everything?

I think the options are:

- withholding attack
- malicious op
- some other attack we don't know about
- ridiculous bad luck streak

Keep in mind Eligius is at 93% luck for 90 days as well.  But no one is complaining there.

M
legendary
Activity: 1904
Merit: 1007
The reality is you can not conclusively say if the miner is or is not cheating in any of those three scenarios.

So are we back to square one?

It seems everyone is assuming there's a withholding attack going on?

M

Not really, but are we back assuming it's just bad luck? No other option? Have we ruled out everything?
legendary
Activity: 1540
Merit: 1001
The reality is you can not conclusively say if the miner is or is not cheating in any of those three scenarios.

So are we back to square one?

It seems everyone is assuming there's a withholding attack going on?

M
legendary
Activity: 1904
Merit: 1007
The reality is you can not conclusively say if the miner is or is not cheating in any of those three scenarios.

So are we back to square one?
legendary
Activity: 2128
Merit: 1073
It's more than "additional configuration" if one's router doesn't support IPSEC.  Plus, and this is more to the point, if the pool doesn't support securing the other end this won't even be an option.

Of course this will protect only up to the pool boundary, but I'm not going to go there...  Smiley
In my experience these days even the cheapest "ADSL modem & WiFi gateway router" (that are practically given away by ISPs) do support IPsec. And even if they don't support IPsec directly they support passthrough of IPsec tunneled in UDP. It really is a matter of expending some effort to configure the endpoints, be they routers or the hosts. All the well-known OSes support IPsec for about a decade now.

Also in my experience the reluctance to enable IPsec on somebody's behalf typically points to other problems:

1) generally lousy network infrastructure with high BER
2) inside jobs at vendors/clients who then try to blame MITM or bitsquatting or whatever esoteric enough
3) generally incompetent operations/sysop/sysadmin staff
4) some other "layer 8" political/religious problems in the organizations

In my experience cost was never a problem. In addition to the above doing a "show crypto ipsec" (in Cisco IOS or equivalents in other routers) was the surest way to get the problem escalated to the appropriate personnel at the ISP, NOC, DC, etc. in the rare cases that there was an actual problem somewhere in the infrastructure.
sr. member
Activity: 278
Merit: 254
Quote
Nowadays the cost of the defense against MITM is also extremely low: IPsec. AH is sufficient, more complex ESP is not required. No software changes are required either, only some additional configuration on the routers. I've discussed this already with Slush in the original "Stratum" thread, not the later "Stratum Mining" thread.

It's more than "additional configuration" if one's router doesn't support IPSEC.  Plus, and this is more to the point, if the pool doesn't support securing the other end this won't even be an option.

Of course this will protect only up to the pool boundary, but I'm not going to go there...  Smiley
donator
Activity: 1218
Merit: 1079
Gerald Davis
Oining ASICs are nearly 100% deterministic, more precisely (100% - allowable fault rate).

On the off chance you aren't trolling, lets imagine the "easiest" possible scenario for detecting a cheater.  

Lets assume all miners use "perfect" hardware.  Once they start a unit of work, they always check all nonce values (0% unchecked nonces), they always increment ntime rolling by one second and one second only (0% unchecked seconds), and they never have any errors have any hardware errors (either reported or not reported). 

Your pool sends test work to 10% of your users and waits 6 seconds (roughly 1% increase in orphan rate) for a response and then broadcast the block.

The miner in question:
a) returns the test work prior to broadcasting the block.
b) returns the test work but after you had broadcast the block.
c) does not return the test work.

In each scenario is the miner cheating or not?

I think you would agree that this scenario is about as simplistic as possible.   Right?  The real world is far more chaotic but this simplistic scenario takes ASIC complexity out of the picture.  The reality is you can not conclusively say if the miner is or is not cheating in any of those three scenarios.
legendary
Activity: 2128
Merit: 1073
A man in the middle attack can accomplish the same effect as bad hardware.  This might be more than a spiteful attack, it could even be profitable if the cost of being a MITM can be made low enough. The attacker would mine solo or on other pools that he is not attacking.  The payoff would come in a lower difficulty.  There are various ways that this attack can be detected if miners are looking for it.
Nowadays the cost of the defense against MITM is also extremely low: IPsec. AH is sufficient, more complex ESP is not required. No software changes are required either, only some additional configuration on the routers. I've discussed this already with Slush in the original "Stratum" thread, not the later "Stratum Mining" thread.
legendary
Activity: 2128
Merit: 1073
OK, D&T again went into the mode where he posts some strawman arguments then deletes them. I'll have to paraphrase:

Mining ASICs are nearly 100% deterministic, more precisely (100% - allowable fault rate). The problem we are facing is that thus far only "false positive" faults were measured by the mining software. Maybe the threat of the block withholding attacks will force everyone to cooperate on the measurement of the "false negative" fault rate.

Hopefully vendors will cease to obfuscate like this:
It won't work. Our miners for example don't check all nonce range, and a lot of cgminer generated jobs get dropped. Also we use ntime-rolling differently from other pools. It's impossible to know what the miner will generate from stratum template.
or like eldentyrell did with the timebomb in his Tricone Mining bitstream for Xilinx Spartans.
sr. member
Activity: 278
Merit: 254
A man in the middle attack can accomplish the same effect as bad hardware.  This might be more than a spiteful attack, it could even be profitable if the cost of being a MITM can be made low enough. The attacker would mine solo or on other pools that he is not attacking.  The payoff would come in a lower difficulty.  There are various ways that this attack can be detected if miners are looking for it.




legendary
Activity: 2128
Merit: 1073
I assume you are confused because you believe that hardware normally checks all nonces all the time.
Dude! I have to assume that you've again went into the mode where you can't read with comprehension and started arguing with the voices in your head. I normally agree with over 90% what you say, except when you start ranting like when you've claimed that Apple Computer doesn't take money orders. Please chill out or maybe switch to decaf?
Obviously this test has to be hardware specific, because e.g. bitfuries only test 768/1024 of the available nonce space. This would have to be even more complex to account for failed sub-engines in the multi-engine chips.
Anyway, I think that the problem is solvable. Maybe a Bloom filter of "hashing blind spots". It certainly would require a cooperation from the ASIC vendors with the developers of the miner and the pool software. As most of the things in Bitcoin mining it will be some sort of probabilistic solution, not a mathematical proof of failure.

The first person posting on this forum about false negatives in mining was hardcore-fs with his XUPV5 FPGA miner, but I don't think that he published his results nor code.

Likewise Spondoolies made promises of their ASIC designer to start posting on the forum after Passover, but apparently they haven't had time to do this yet.

In general, I'm optimistic that problem will be solved. Nowadays, who remembers when the long-polls were the major problems for mining pools? From my experience in the electronic and software industry: one person's problem is other person's opportunity. For example: NTSC started as "Never Twice the Same Color" and ended up where even the cheapest TV set receiver chipsets have been precisely calibrating themselves 29.97 times per second (using Vertical Interval Reference and Ghost Canceling Reference). And that was done quite effectively over all-analog broadcast retransmission networks including satellite links, where the end-users were completely oblivious to the problems in the transmission channel. All it took was to build a reasonable model of the distortion and run the tests frequently enough.

Quoting below just for future reference:
You are correct that there isn't any observable difference between the 2 types of problems.  And in practice, I think it's extremely unlikely that someone with hardware that has catastrophic levels of false negative errors is unaware of the issue, so the intent is likely equivalent as well.

When you have people of very questionable competence designing silicon on crash schedules it's inevitable that serious hardware defects are going to be in play.  And with the money involved, if there is a way to externalize the cost of failure to pool participants people are going to choose that over eating the loss themselves.

I think it's an absolute must that stratum allow pools to send test jobs to validate hardware integrity in a blind way that allows detection of malicious withholding as well.  Without that, I expect the days of public pools are numbered, and with them all hope of even modest decentralization will go as well.

It has nothing to do with hardware errors (although they are another minor source of false positives). 

Simple version:
If nonce 728937289 solves the block for a given unit of work and a particular hardware for a variety of reasons doesn't check nonce 728937289 it is not going to find a solution.

If a user doesn't return a solution is it because he is cheating or is it because his hardware didn't check that nonce with that work?  The answer is there is absolutely no way to know.
It isn't a hardware fault or error.

If nonce 728937289 solves the block for a given unit of work and a particular hardware for a variety of reasons doesn't check nonce 728937289 it is not going to find a solution.  It is that simple.  I assume you are confused because you believe that hardware normally checks all nonces all the time.  Nothing could be further from the truth.  There are dozens of reasons why a nonce wouldn't be checked and no software is going to report that as an error.  HW errors as reported by cgminer and the like are the result of the hardware reporting that work A + nonce B produces a hash of particular difficulty and it doesn't.

Quote
I think that Stratum Mining protocol can be extended to allow the client to send to the pool server the maps of the "blind spots" in the nonce space.
It isn't a static range.  Say you have an ASIC with 64 cores the designer may decide to take the nonce range (2^32) and break it into 64 chunks.  It does this by assinging an offset to each core.  So all the cores get the same work, each one starts at a difference nonce value and they all increment 2^26.  However due to yields not all chips will have all 64 cores operating.  The seller may have designed it around 60 cores being "good enough" to achieve the hashrate.   So if 4 cores are "off" then that means millions of nonces will never even be attempted.  Most ASICs also work on dynamic load so as the hardware error rate and/or temp rise it shuts off the cores.   So the same nonces won't be covered all the time.

Still it goes way beyond just which nonces are checked.  Both the ASICs and the mining software queue work.  So what happens when a miner has 30 seconds worth of work queued up and you send him the "test work".  Are you going to hold the block for 30 seconds which would mean a >7% orphan rate?  What happens if due to latency the miner returns the proper solution but only after you have broadcast the block?  If he cheating or just slow or just had a lot queued up?   How are you going to avoid the attacker just sharing info between workers?  Say you send the test work to 10% of workers and wait 30 seconds.  You probably will end up with hundreds maybe thousands of false positives AND 7%+ orphan rate (on top of whatever you are losing to attacks).  If the attacker had say 30 accounts there is a less than 3% chance that 1 and only one would be given the test work and end up withholding it.  So 3% of the time you will catch the worker, due to false positives lets say you don't boot someone until they fail 3 times.  That means on average the attacker will pass 99 blocks before failing out.  However you are only testing him 10% of the time so you MIGHT (I doubt it) catch him after he withholds or attempts to withhold 990 blocks.

Of course even your legit users are going to start working against you (or just flee to where they aren't attacked by the pool).  Those who want to stay will probably design a work relay system so they can identify your test works if for no other reason than to be falsely kicked out (especially if you confiscate the work completed).  The attacker could join those relay networks and all but guarantee he would pass all tests.

Also don't take this is exhaustive I just don't feel like covering every possible scenario.  These issues are just the tip of the iceberg.  The only way to prevent these types of attacks is for the pool to know something the miner doesn't.  The current block hashing protocol doesn't make that possible.





donator
Activity: 1218
Merit: 1079
Gerald Davis
Can someone explain to me how is "block withholding attack" different from the "false negative" type of hardware fault? I mean in the observable symptoms, not in the intent.

The last time I looked into the miners source codes (late FPGA era,early bitfuries) I've only seen the "false positives" counted as "hardware errors": nonce comes up as gold, but software re-check shows that it isn't.

I haven't seen any published source code that does the opposite check for "false negatives": chip should find a golden nonce but hadn't.

From the skimming of the available hardware documentation I see that only Spondoolies has a BIST operation that allows to cheaply test for false negative. By "cheaply" I mean "cheaper than doing a regular, full scan".

Obviously this test has to be hardware specific, because e.g. bitfuries only test 768/1024 of the available nonce space. This would have to be even more complex to account for failed sub-engines in the multi-engine chips.

I think that Stratum Mining protocol can be extended to allow the client to send to the pool server the maps of the "blind spots" in the nonce space. Then the pool can sensibly proctor the tests meant to discover withholding attacks.


You are correct that there isn't any observable difference between the 2 types of problems.  And in practice, I think it's extremely unlikely that someone with hardware that has catastrophic levels of false negative errors is unaware of the issue, so the intent is likely equivalent as well.

When you have people of very questionable competence designing silicon on crash schedules it's inevitable that serious hardware defects are going to be in play.  And with the money involved, if there is a way to externalize the cost of failure to pool participants people are going to choose that over eating the loss themselves.

I think it's an absolute must that stratum allow pools to send test jobs to validate hardware integrity in a blind way that allows detection of malicious withholding as well.  Without that, I expect the days of public pools are numbered, and with them all hope of even modest decentralization will go as well.

It has nothing to do with hardware errors (although they are another minor source of false positives). 

Simple version:
If nonce 728937289 solves the block for a given unit of work and a particular hardware for a variety of reasons doesn't check nonce 728937289 it is not going to find a solution.

If a user doesn't return a solution is it because he is cheating or is it because his hardware didn't check that nonce with that work?  The answer is there is absolutely no way to know.
donator
Activity: 1218
Merit: 1079
Gerald Davis
It isn't a hardware fault or error.

If nonce 728937289 solves the block for a given unit of work and a particular hardware for a variety of reasons doesn't check nonce 728937289 it is not going to find a solution.  It is that simple.  I assume you are confused because you believe that hardware normally checks all nonces all the time.  Nothing could be further from the truth.  There are dozens of reasons why a nonce wouldn't be checked and no software is going to report that as an error.  HW errors as reported by cgminer and the like are the result of the hardware reporting that work A + nonce B produces a hash of particular difficulty and it doesn't.

Quote
I think that Stratum Mining protocol can be extended to allow the client to send to the pool server the maps of the "blind spots" in the nonce space.
It isn't a static range.  Say you have an ASIC with 64 cores the designer may decide to take the nonce range (2^32) and break it into 64 chunks.  It does this by assinging an offset to each core.  So all the cores get the same work, each one starts at a difference nonce value and they all increment 2^26.  However due to yields not all chips will have all 64 cores operating.  The seller may have designed it around 60 cores being "good enough" to achieve the hashrate.   So if 4 cores are "off" then that means millions of nonces will never even be attempted.  Most ASICs also work on dynamic load so as the hardware error rate and/or temp rise it shuts off the cores.   So the same nonces won't be covered all the time.

Still it goes way beyond just which nonces are checked.  Both the ASICs and the mining software queue work.  So what happens when a miner has 30 seconds worth of work queued up and you send him the "test work".  Are you going to hold the block for 30 seconds which would mean a >7% orphan rate?  What happens if due to latency the miner returns the proper solution but only after you have broadcast the block?  If he cheating or just slow or just had a lot queued up, or poor connectivity?   How are you going to avoid the attacker just sharing info between workers to detect the "test work" and always return those with 100% success?  

Also don't take this is as exhaustive I just don't feel like covering every possible scenario.  The only way to prevent these types of attacks is for the pool to know something the miner doesn't.  The current block hashing protocol doesn't make that possible.
hero member
Activity: 756
Merit: 501
Can someone explain to me how is "block withholding attack" different from the "false negative" type of hardware fault? I mean in the observable symptoms, not in the intent.

The last time I looked into the miners source codes (late FPGA era,early bitfuries) I've only seen the "false positives" counted as "hardware errors": nonce comes up as gold, but software re-check shows that it isn't.

I haven't seen any published source code that does the opposite check for "false negatives": chip should find a golden nonce but hadn't.

From the skimming of the available hardware documentation I see that only Spondoolies has a BIST operation that allows to cheaply test for false negative. By "cheaply" I mean "cheaper than doing a regular, full scan".

Obviously this test has to be hardware specific, because e.g. bitfuries only test 768/1024 of the available nonce space. This would have to be even more complex to account for failed sub-engines in the multi-engine chips.

I think that Stratum Mining protocol can be extended to allow the client to send to the pool server the maps of the "blind spots" in the nonce space. Then the pool can sensibly proctor the tests meant to discover withholding attacks.


You are correct that there isn't any observable difference between the 2 types of problems.  And in practice, I think it's extremely unlikely that someone with hardware that has catastrophic levels of false negative errors is unaware of the issue, so the intent is likely equivalent as well.

When you have people of very questionable competence designing silicon on crash schedules it's inevitable that serious hardware defects are going to be in play.  And with the money involved, if there is a way to externalize the cost of failure to pool participants people are going to choose that over eating the loss themselves.

I think it's an absolute must that stratum allow pools to send test jobs to validate hardware integrity in a blind way that allows detection of malicious withholding as well.  Without that, I expect the days of public pools are numbered, and with them all hope of even modest decentralization will go as well.
legendary
Activity: 2128
Merit: 1073
Can someone explain to me how is "block withholding attack" different from the "false negative" type of hardware fault? I mean in the observable symptoms, not in the intent.

The last time I looked into the miners source codes (late FPGA era,early bitfuries) I've only seen the "false positives" counted as "hardware errors": nonce comes up as gold, but software re-check shows that it isn't.

I haven't seen any published source code that does the opposite check for "false negatives": chip should find a golden nonce but hadn't.

From the skimming of the available hardware documentation I see that only Spondoolies has a BIST operation that allows to cheaply test for false negative. By "cheaply" I mean "cheaper than doing a regular, full scan".

Obviously this test has to be hardware specific, because e.g. bitfuries only test 768/1024 of the available nonce space. This would have to be even more complex to account for failed sub-engines in the multi-engine chips.

I think that Stratum Mining protocol can be extended to allow the client to send to the pool server the maps of the "blind spots" in the nonce space. Then the pool can sensibly proctor the tests meant to discover withholding attacks.
legendary
Activity: 1512
Merit: 1057
SpacePirate.io
Mining doesn't lend itself to solo mining unless you have mega hashpower, but the larger a pool is the more risk you expose yourself and the bitcoin network to. P2pool is the obvious next step, but if that gets large enough then it's not much different to solo mining at lower diff. Clusters of smaller p2pools that feed into larger p2pool like set ups are the next obvious step.

However the number of miners is diminishing, and the amount of hashpower with each mining group (like KnC's farms) gets larger by the minute, and they'll probably all just run their own solo operations with time. Pooled mining as we currently know it may end up just being an interesting blip on the history of bitcoin mining.

100% in agreement... Mining will collapse at the feet of the large farms unless the community pulls together as a large diversified pool or pools withing a large pool. Until then, we'll see large pools like BTCguild collapse.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Well yes a hard fork would imply that all nodes would need to update not just for mining but for validating the new block version as well.   Solo miners wouldn't be affected.  There would still be two values in the new block header but they would know both.  No need to hide info from yourself.
legendary
Activity: 3586
Merit: 1098
Think for yourself
How about reading the linked proposal that meni spent a lot of time developing and writing up?

I was kind of trying to avoid that.

  Without a hard fork you are right there is no way to separate it, that is why a hard fork would be needed to support a method that prevents a miner from knowing if the hash solves a block.  It would change the blockheader such that a valid block is based on two different hash values and the miner only knows one.   The miner can compute the share difficulty, the pool can compute if it meets the difficulty for solving a block.  The pool withholds the second value from the miner which prevents the miner from knowing what the pool knows.

But I read the section you recommended, dyslexically, and with your above explanation I think I comprehend it now.

How would that impact solo mining?  I guess the bitcoind/qt would have to be reworked as well anyway.

Enough of my uninformed rambling.
Thanks,
Sam
donator
Activity: 1218
Merit: 1079
Gerald Davis
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.

It seems to me that the solution you recommended earlier in this thread would allow a pool to withhold vital information about the hash's that a miner submits.  The miner wouldn't know if he really found a block or not or even know what difficulty of the share was.  So a miner would have no way to verify if a pool was above board or not or even know how much he was getting paid for his hash's.

That is not correct.  The miner would know the exact difficulty of the share just not if the share solves a block or not.

Checking a share difficulty IS checking if it meets or exceeds current difficulty.  I don't see how you could separate one from the other.  It would have to be same operation.

How about reading the linked proposal that meni spent a lot of time developing and writing up?  Without a hard fork you are right there is no way to separate it, that is why a hard fork would be needed to support a method that prevents a miner from knowing if the hash solves a block.  It would change the blockheader such that a valid block is based on two different hash values and the miner only knows one.   The miner can compute the share difficulty, the pool can compute if it meets the difficulty for solving a block.  The pool withholds the second value from the miner which prevents the miner from knowing what the pool knows.
donator
Activity: 1218
Merit: 1079
Gerald Davis
The other question of course:  Would that proposed solution even work with existing ASICs, since you're changing the block header fields that are going to be hashed?

Probably or it could be revised to fit.  The actual ASICs really have no concept of what they are hashing just that they are hashing a blob of data and checking the output of the hashed blob.  So the size of the blob (and the fact that the trailing 32 bits are the incrementing nonce) can't change but the header can be extended in 256 bit increments by making the midstate the result of two blocks (hashing definition not bitcoin definition) of inputs instead of one.

As far as will people support a hard fork?  I don't know but if convinced it is a legit threat non-miners may see little downside in supporting it and potential devaluation of their bitcoins if they don't.   If nothing else I find it interesting because "if" this ends up being the Bitcoin killer, well there is already a solution for the altcoin that replaces bitcoin.
legendary
Activity: 3586
Merit: 1098
Think for yourself
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.

It seems to me that the solution you recommended earlier in this thread would allow a pool to withhold vital information about the hash's that a miner submits.  The miner wouldn't know if he really found a block or not or even know what difficulty of the share was.  So a miner would have no way to verify if a pool was above board or not or even know how much he was getting paid for his hash's.

That is not correct.  The miner would know the exact difficulty of the share just not if the share solves a block or not.

Checking a share difficulty IS checking if it meets or exceeds current difficulty.  I don't see how you could separate one from the other.  It would have to be same operation.
legendary
Activity: 3586
Merit: 1098
Think for yourself
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.

It seems to me that the solution you recommended earlier in this thread would allow a pool to withhold vital information about the hash's that a miner submits.  The miner wouldn't know if he really found a block or not or even know what difficulty of the share was.  So a miner would have no way to verify if a pool was above board or not or even know how much he was getting paid for his hash's.

The miner would know enough to know how many shares they submitted.  They would not know enough to know if they solved a block though.

Sooo... if you don't know if you've solved a block then you wouldn't know what the difficulty of the share you submitted is so you wouldn't know if you were getting paid correctly.

If you could tell what your share diff is without the pool telling you then you would know if its a block solver or not
donator
Activity: 1218
Merit: 1079
Gerald Davis
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.

It seems to me that the solution you recommended earlier in this thread would allow a pool to withhold vital information about the hash's that a miner submits.  The miner wouldn't know if he really found a block or not or even know what difficulty of the share was.  So a miner would have no way to verify if a pool was above board or not or even know how much he was getting paid for his hash's.

That is not correct.  The miner would know the exact difficulty of the share just not if the share solves a block or not.
legendary
Activity: 1750
Merit: 1007
p2pool ftw.

M

p2pool is just as vulnerable to withholding.  Maybe even moreso, since you can't actually take actions (ban/freeze accounts) against somebody doing it.
legendary
Activity: 1750
Merit: 1007
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.

It seems to me that the solution you recommended earlier in this thread would allow a pool to withhold vital information about the hash's that a miner submits.  The miner wouldn't know if he really found a block or not or even know what difficulty of the share was.  So a miner would have no way to verify if a pool was above board or not or even know how much he was getting paid for his hash's.

The miner would know enough to know how many shares they submitted.  They would not know enough to know if they solved a block though.

The other question of course:  Would that proposed solution even work with existing ASICs, since you're changing the block header fields that are going to be hashed?  Not that it matters...nobody is going to hard fork bitcoin in order to preserve pools.
legendary
Activity: 1540
Merit: 1001
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.

game on then

actually let me be a little clearer.... if there is a solution being held back because of the aversion of a hard fork then why would miners endure it for months and just say luck is luck??

ya, trust is at a all time high in these parts

p2pool ftw.

M
legendary
Activity: 3586
Merit: 1098
Think for yourself
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.

It seems to me that the solution you recommended earlier in this thread would allow a pool to withhold vital information about the hash's that a miner submits.  The miner wouldn't know if he really found a block or not or even know what difficulty of the share was.  So a miner would have no way to verify if a pool was above board or not or even know how much he was getting paid for his hash's.
sr. member
Activity: 462
Merit: 250
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.

game on then

actually let me be a little clearer.... if there is a solution being held back because of the aversion of a hard fork then why would miners endure it for months and just say luck is luck??

ya, trust is at a all time high in these parts

donator
Activity: 1218
Merit: 1079
Gerald Davis
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem

There is a very good solution but it will require a hard fork.
sr. member
Activity: 462
Merit: 250
well then the game is over for public pool mining with no innovation here..  if there was already a solution there wouldn't be a problem
donator
Activity: 1218
Merit: 1079
Gerald Davis
so if miners are not equal, perhaps pools should be segregated?  detection and enforcement would need to be worked out, but much more complex systems exist in this world

Not sure what you mean by equal.  There is no requirement to use all possible nonces.  It doesn't allow them to cheat or gain a disproportionate share of the reward.  It is also dynamic.  Two different ASIC chips from the same company many not cover the same portion of the nonce range.

I think this is a misunderstanding of  most users that you must check the entire nonce range to be doing as much "work" which is wrong. It's purely the number of nonces you check, even if they're from different work.

Very little hardware actually checks the full nonce range. Many abort work on the first nonce they find while others have a matrix of nonces they're likely to check and miss others (there is nothing invalid about doing this, nor is there any way to make this sort of practice find less blocks).

I agree ckolivas.  I assumed this was fairly common knowledge but I think you are right that there are some incorrect assumptions on what work it takes to complete a specific difficulty share/block.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
so if miners are not equal, perhaps pools should be segregated?  detection and enforcement would need to be worked out, but much more complex systems exist in this world

Not sure what you mean by equal.  There is no requirement to use all possible nonces.  It doesn't allow them to cheat or gain a disproportionate share of the reward.  It is also dynamic.  Two different ASIC chips from the same company many not cover the same portion of the nonce range.

I think this is a misunderstanding of  most users that you must check the entire nonce range to be doing as much "work" which is wrong. It's purely the number of nonces you check, even if they're from different work.

Very little hardware actually checks the full nonce range. Many abort work on the first nonce they find while others have a matrix of nonces they're likely to check and miss others (there is nothing invalid about doing this, nor is there any way to make this sort of practice find less blocks).
donator
Activity: 1218
Merit: 1079
Gerald Davis
so if miners are not equal, perhaps pools should be segregated?  detection and enforcement would need to be worked out, but much more complex systems exist in this world

Not sure what you mean by equal.  There is no requirement to use all possible nonces.  It doesn't allow them to cheat or gain a disproportionate share of the reward.  It is also dynamic.  Two different ASIC chips from the same company many not cover the same portion of the nonce range.
sr. member
Activity: 462
Merit: 250
 Some ASIC chips don't attempt every value in nonce range.  If the winning solution uses a nonce of 0x18392740 and a particular ASIC is not checking that value the miner isn't going to return a solution.  You could send him the same work 1,000 times and he will NEVER return a solution.  


so if miners are not equal, perhaps pools should be segregated?  detection and enforcement would need to be worked out, but much more complex systems exist in this world
newbie
Activity: 26
Merit: 0
Well, like I said,  a forum post does not a system make.  

Nobody is confusing your post with a "system" but it is possible to that a proposal is flawed even at the conceptual level.  If you told me you were going to the moon by jumping high enough to break orbit, well I don't need to wait to see the engineering plans to tell you it isn't going to work.

Quote
but a sanity check of hardware is not an unheard of thing, and it's clearly needed now.

Your proposal isn't a sanity check, it is a ban randomly miners without any basis in the name of "doing something" and rack up even more losses due to orphans.

Once again.  It's a forum post with a high level approach.  Details need to be worked out.  If you want to write out the code, then I applaud you,  but I'm not interested in debating the finer points of the protocol.

Right now folks using btcguild are losing ~10 to 20% of their earnings to either malice or incompetence.   A sanity check that cost less 10/20% would be net positive.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Well, like I said,  a forum post does not a system make.  

Nobody is confusing your post with a "system" but it is possible to that a proposal is flawed even at the conceptual level.  If you told me you were going to the moon by jumping high enough to break orbit, well I don't need to wait to see the engineering plans to tell you it isn't going to work.

Quote
but a sanity check of hardware is not an unheard of thing, and it's clearly needed now.

Your proposal isn't a sanity check, it is a ban randomly miners without any basis in the name of "doing something" and rack up even more losses due to orphans.
newbie
Activity: 26
Merit: 0
  Those miners wouldn't even have a way to know it is a solution to a block.

Well that is the point isn't it?

Clearly this would need to be flushed out and tested and instaban is simply rhetoric.    I'm not going to engineer the entire test here in a forum post,  but that's the top level pseudo code.  However any miner that fails the test should be considered suspect and perhaps subject to an additional test.   A miner with a 1% error rate would have a 1 in 1,000 chance of artificially failing 2 known good blocks.  Make it 3 tests and the odds raise to 1 in 100,000

You are still not getting it.  Some ASIC chips don't attempt every value in nonce range.  Some never do under any conditions, the multcore chips break the nonce range into "chunks" with a chunk going to each core.  They never have 100% of the cores active because nothing has 100% yield, some are turned on.  So if the nonce that solves the block is 7289372 and it is sent to core 2 but core 2 is disabled then that miners will NEVER return a solution for that work.

Of course you ignored the rest, how long do you wait? how much do you want to lose to orphans because you are waiting to publish a winning block and every second you delay the probability of another pool broadcasting a block and orphanning you increases.  What about a miners that due to latency returns the solution after you publish the winning block?

It isn't a viable system. 

Well, like I said,  a forum post does not a system make.   

This is a problem that has to be solved,  or pooled mining will die.   We aren't going to solve (or at least I'm not going to try) in this thread,   but a sanity check of hardware is not an unheard of thing, and it's clearly needed now.

Folks are not going to stick around while they watch 20% of their earnings evaporate.
donator
Activity: 1218
Merit: 1079
Gerald Davis
 Those miners wouldn't even have a way to know it is a solution to a block.

Well that is the point isn't it?

You misunderstand.  My point is that legit miner would NEVER find a solution for that particular unit of work.  It isn't due to fraud, it is due to the mechanics of mining.  So if a miner doesn't return a solution (in time) is it because he is withholding, is it because he legitimately found no solution, is it because due to queued up work he never even started working on that work until after you broadcasted the winning block (at which point he would flush all stale work)?

You don't know.  There is no way to know.

Quote
Clearly this would need to be flushed out and tested and instaban is simply rhetoric.    I'm not going to engineer the entire test here in a forum post,  but that's the top level pseudo code.

It doesn't work even at the top level code.  You are making incorrect assumptions about how much work is actually completed and returned.  The error rate wouldn't be 1% it would be more like 20%+.  Some ASIC chips don't attempt every value in nonce range.  If the winning solution uses a nonce of 0x18392740 and a particular ASIC is not checking that value the miner isn't going to return a solution.  You could send him the same work 1,000 times and he will NEVER return a solution.  

Redo your numbers with say 10% or 20%.  Also how long are you willing to wait to test all miners?  How much increased orphan losses are you willing to accept?  Is 100% luck with 20% orphan loss a good pool?

It is also trivial to bypass.  Attacker simply has more than one account and compares the work received between accounts.  Work is normally never duplicated so any duplicate work is a test.  Attacker returns 100% of test blocks and drops 100% of legit blocks.  Even at a smaller % tested the attacker can sniff the test blocks out with ease.  If you test 10% of users and attacker has hashpower spread across 30 accounts the probability that the test block won't be duplicated across his accounts is nil.
newbie
Activity: 26
Merit: 0
 Those miners wouldn't even have a way to know it is a solution to a block.

Well that is the point isn't it?

Clearly this would need to be flushed out and tested and instaban is simply rhetoric.    I'm not going to engineer the entire test here in a forum post,  but that's the top level pseudo code.  However any miner that fails the test should be considered suspect and perhaps subject to an additional test.   A miner with a 1% error rate would have a 1 in 1,000 chance of artificially failing 2 known good blocks.  Make it 3 tests and the odds raise to 1 in 100,000

All this aside.  It seems that pools now need a way to prove themselves reliable.   As much as I like BTCGuild, I have moved away because it is crystal clear that it is now tainted in some way that costs me money.
donator
Activity: 1218
Merit: 1079
Gerald Davis
I would think you could detect someone performing a block withholding attack on the pool through a simple test:

First identify your 'unluckiest' participants.  Then when a block is solved, immediately send the work unit for the block to those miners.  If they consistently fail to return the winning solution you know they are ripping you off.

There are a number of other attacks that could be detected with similar approaches.

What's troubling to me is the massive asymmetry of risks right now.  The miners on BTCguild have over $50M in hardware investments that is depreciating at 25% / month .  I'd be shocked if Micheal has $50k in total in hardware to run the pool.

My personal theory has been mentioned already:


Startup 42e1 spends $2M on design and masks to build out their $5M 2Ph/s mine only to discover that the design has a flaw that prevents it from finding nonces with difficulties over 4.2 billion.  It still hashes lots of results below that level, so instead of scrapping things they move all their machines off the internal pool to a big public pool.


There are many, many other reasons someone could be maliciously attacking a pool, and the stakes keep getting larger.  If you're operating a public pool and not actively developing defenses, you will be burned.

And personally if I was clearing $250k / month off my pool, I wouldn't care what little people think either, but I would pay somebody to care.

Actually,  You should send the the winning hash/nonce to ALL particpants.  Just that hash.  Every miner that doesn't return the winning block should instantly be blacklisted.

THis is very very minor tax,  but a huge payoff in preventing a withholding attack, or blocking bad hardware.

How long do you wait before you broadcast the block?  Every 6 seconds that passes there is a 1% chance that another pool solves a block and your block becomes orphaned.  The hardware error rate of miners is not zero.  You would rapidly blacklist yourself to a pool of zero.  What about miners who already have work queued up?  Are you going to wait multiple seconds and increase your orphan rate while still having false negatives and end up blacklisting good miners?  Some ASICs don't attempt every nonce.  Those miners wouldn't even have a way to know it is a solution to a block.
hero member
Activity: 560
Merit: 500
I would think you could detect someone performing a block withholding attack on the pool through a simple test:

First identify your 'unluckiest' participants.  Then when a block is solved, immediately send the work unit for the block to those miners.  If they consistently fail to return the winning solution you know they are ripping you off.

There are a number of other attacks that could be detected with similar approaches.

What's troubling to me is the massive asymmetry of risks right now.  The miners on BTCguild have over $50M in hardware investments that is depreciating at 25% / month .  I'd be shocked if Micheal has $50k in total in hardware to run the pool.

My personal theory has been mentioned already:


Startup 42e1 spends $2M on design and masks to build out their $5M 2Ph/s mine only to discover that the design has a flaw that prevents it from finding nonces with difficulties over 4.2 billion.  It still hashes lots of results below that level, so instead of scrapping things they move all their machines off the internal pool to a big public pool.


There are many, many other reasons someone could be maliciously attacking a pool, and the stakes keep getting larger.  If you're operating a public pool and not actively developing defenses, you will be burned.

And personally if I was clearing $250k / month off my pool, I wouldn't care what little people think either, but I would pay somebody to care.

Actually,  You should send the the winning hash/nonce to ALL particpants.  Just that hash.  Every miner that doesn't return the winning block should instantly be blacklisted.

THis is very very minor tax,  but a huge payoff in preventing a withholding attack, or blocking bad hardware.


It won't work. Our miners for example don't check all nonce range, and a lot of cgminer generated jobs get dropped. Also we use ntime-rolling differently from other pools. It's impossible to know what the miner will generate from stratum template.
newbie
Activity: 26
Merit: 0
I would think you could detect someone performing a block withholding attack on the pool through a simple test:

First identify your 'unluckiest' participants.  Then when a block is solved, immediately send the work unit for the block to those miners.  If they consistently fail to return the winning solution you know they are ripping you off.

There are a number of other attacks that could be detected with similar approaches.

What's troubling to me is the massive asymmetry of risks right now.  The miners on BTCguild have over $50M in hardware investments that is depreciating at 25% / month .  I'd be shocked if Micheal has $50k in total in hardware to run the pool.

My personal theory has been mentioned already:


Startup 42e1 spends $2M on design and masks to build out their $5M 2Ph/s mine only to discover that the design has a flaw that prevents it from finding nonces with difficulties over 4.2 billion.  It still hashes lots of results below that level, so instead of scrapping things they move all their machines off the internal pool to a big public pool.


There are many, many other reasons someone could be maliciously attacking a pool, and the stakes keep getting larger.  If you're operating a public pool and not actively developing defenses, you will be burned.

And personally if I was clearing $250k / month off my pool, I wouldn't care what little people think either, but I would pay somebody to care.

Actually,  You should send the the winning hash/nonce to ALL particpants.  Just that hash.  Every miner that doesn't return the winning block should instantly be blacklisted.

THis is very very minor tax,  but a huge payoff in preventing a withholding attack, or blocking bad hardware.
hero member
Activity: 560
Merit: 500
First and even second generation asics had no diff support within the chips whatsoever so they just produced a hash and it was up to the software to decide what to do with the result so it cannot be the hardware in the case of avalon 1/2, bfl etc. 3rd generation hardware almost all has diff support on chip or in firmware and that's the only place that the hardware itself could be responsible.

Not necessarily.  If there is a bug in the hashing engine itself it could be possible.  Think about the shift operations in SHA-256.  You could have an incorrect implementation that produced good hashes in the last 32 bits (all that is tested in 1st gen approaches) up until you roll into hashes with zeros all the way up to 64 plus bits.  Then think about what chips were famous for generating invalids at outrageous rates.  :-)

If something like this is going on the actual details of how it happens is likely to be vastly more complicated that what I am saying.  But with hardware implementations anything is possible.
No sorry you don't understand sha256. It's a 32 bit operation on a fixed length string in mining and has NO concept of difficulty or zeroes.

Your failure to understand me doesn't mean I don't understand SHA-256.  I've implemented it in both software and hardware and my comments are based upon failure modes I worried about in the hardware implementation.

Let's just sit back and see what the next few days reveal.

You can easily fix this in cg-miner/miner driver. Give lower difficulty (let's say 43 leading zeroes). Even on 5TH miner it will give you less then 1 win per second. Then drop unneeded results from HW. You will get all the shares, even if the HW doesn't know how to compare "high" zeroes. 
hero member
Activity: 756
Merit: 501
First and even second generation asics had no diff support within the chips whatsoever so they just produced a hash and it was up to the software to decide what to do with the result so it cannot be the hardware in the case of avalon 1/2, bfl etc. 3rd generation hardware almost all has diff support on chip or in firmware and that's the only place that the hardware itself could be responsible.

Not necessarily.  If there is a bug in the hashing engine itself it could be possible.  Think about the shift operations in SHA-256.  You could have an incorrect implementation that produced good hashes in the last 32 bits (all that is tested in 1st gen approaches) up until you roll into hashes with zeros all the way up to 64 plus bits.  Then think about what chips were famous for generating invalids at outrageous rates.  :-)

If something like this is going on the actual details of how it happens is likely to be vastly more complicated that what I am saying.  But with hardware implementations anything is possible.
No sorry you don't understand sha256. It's a 32 bit operation on a fixed length string in mining and has NO concept of difficulty or zeroes.

Your failure to understand me doesn't mean I don't understand SHA-256.  I've implemented it in both software and hardware and my comments are based upon failure modes I worried about in the hardware implementation.

Let's just sit back and see what the next few days reveal.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
First and even second generation asics had no diff support within the chips whatsoever so they just produced a hash and it was up to the software to decide what to do with the result so it cannot be the hardware in the case of avalon 1/2, bfl etc. 3rd generation hardware almost all has diff support on chip or in firmware and that's the only place that the hardware itself could be responsible.

Not necessarily.  If there is a bug in the hashing engine itself it could be possible.  Think about the shift operations in SHA-256.  You could have an incorrect implementation that produced good hashes in the last 32 bits (all that is tested in 1st gen approaches) up until you roll into hashes with zeros all the way up to 64 plus bits.  Then think about what chips were famous for generating invalids at outrageous rates.  :-)

If something like this is going on the actual details of how it happens is likely to be vastly more complicated that what I am saying.  But with hardware implementations anything is possible.
No sorry you don't understand sha256. It's a 32 bit operation on a fixed length string in mining and has NO concept of difficulty or zeroes.
hero member
Activity: 756
Merit: 501
First and even second generation asics had no diff support within the chips whatsoever so they just produced a hash and it was up to the software to decide what to do with the result so it cannot be the hardware in the case of avalon 1/2, bfl etc. 3rd generation hardware almost all has diff support on chip or in firmware and that's the only place that the hardware itself could be responsible.

Not necessarily.  If there is a bug in the hashing engine itself it could be possible.  Think about the shift operations in SHA-256.  You could have an incorrect implementation that produced good hashes in the last 32 bits (all that is tested in 1st gen approaches) up until you roll into hashes with zeros all the way up to 64 plus bits.  Then think about what chips were famous for generating invalids at outrageous rates.  :-)

If something like this is going on the actual details of how it happens is likely to be vastly more complicated that what I am saying.  But with hardware implementations anything is possible.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
First and even second generation asics had no diff support within the chips whatsoever so they just produced a hash and it was up to the software to decide what to do with the result so it cannot be the hardware in the case of avalon 1/2, bfl etc. 3rd generation hardware almost all has diff support on chip or in firmware and that's the only place that the hardware itself could be responsible.
hero member
Activity: 756
Merit: 501
Someone (meni or was it gmaxwell) proposed a solution to this any many other attacks against pools.  Going from memory (and likely butchering it) it involved sending blinded work to the miner such that the miner would know if a hash produced a valid share but not if it produced a valid block.  The pool using information kept from the miner could check all returned work and confirm which ones produced valid blocks.  Thus there would be no withholding attack possible (not even against PPS).  It would require a hard fork but I could see it spun as a security measure to prevent disruption of the vital proof of work component.  Maybe I can find the paper.

Found the paper (annoyingly it doesn't support copying, so I can't quote the relevant section).
https://bitcoil.co.il/pool_analysis.pdf
See Section 6.3.2 Oblivious Shares

A hard fork is definitely a bridge too far - there would be too many competing options to ever develop consensus on a solution that requires a hard fork.

I do think stratum is broken if it isn't possible for a pool to verify that the hardware it is connected to is functional and operating honestly.

Given what has been said today, I am thinking a certain first generation design known for having many bugs may be broken by current difficulty.  If so, the large users of that hardware had to be aware of the issue and choose to cheat others rather than deal with the problem.  They would have seen a degradation in solo-mining performance as the cliff approached since the probability of a share >1B is dramatically larger than the probability of finding a share between 1B and 4.2B.
legendary
Activity: 1750
Merit: 1007
Someone (meni or was it gmaxwell) proposed a solution to this any many other attacks against pools.  Going from memory (and likely butchering it) it involved sending blinded work to the miner such that the miner would know if a hash produced a valid share but not if it produced a valid block.  The pool using information kept from the miner could check all returned work and confirm which ones produced valid blocks.  Thus there would be no withholding attack possible (not even against PPS).  It would require a hard fork but I could see it spun as a security measure to prevent disruption of the vital proof of work component.  Maybe I can find the paper.

Yes, I remember something about it, I believe it was Meni.  The problem is, as you said, it would require a hardfork.  Even if we had proof that this type of attack was happening to explicitly kill off the ability for miners to pool together without incurring huge losses, it would ever be implemented.

If it becomes widespread, the obvious solution would be going to invitation based pooling where miners can be vetted before receiving payments.  The problem is this would completely kill the ability for small miners to join a pool since they would be too slow to prove that they were going to provide valid blocks.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Someone (meni or was it gmaxwell) proposed a solution to this any many other attacks against pools.  Going from memory (and likely butchering it) it involved sending blinded work to the miner such that the miner would know if a hash produced a valid share but not if it produced a valid block.  The pool using information kept from the miner could check all returned work and confirm which ones produced valid blocks.  Thus there would be no withholding attack possible (not even against PPS).  It would require a hard fork but I could see it spun as a security measure to prevent disruption of the vital proof of work component.  Maybe I can find the paper.

Found the paper (annoyingly it doesn't support copying, so I can't quote the relevant section).
https://bitcoil.co.il/pool_analysis.pdf
See Section 6.3.2 Oblivious Shares
newbie
Activity: 35
Merit: 0
Unscrupulous commercial miners will destroy the public pools to eliminate competition from small players.

That would be counter productive as it would devalue bitcoin and destroy confidence in it.

That assumes that the goal of the commercial farms is to make a profit in bitcoin. That there is no ulterior motive for preserving the status quo commercial banking and money transferring systems, or for bringing their own crypto currency to the market. "See, bitcoin is broken, but here we have this massive farm and will use it to back up and secure bitcoin2."
legendary
Activity: 3586
Merit: 1098
Think for yourself
Unscrupulous commercial miners will destroy the public pools to eliminate competition from small players.

That would be counter productive as it would devalue bitcoin and destroy confidence in it.
hero member
Activity: 756
Merit: 501
Yes, fascinating that I deleted the posts that contributed nothing constructive, and decided to imply that I simply don't care, or am too lazy to do anything, and also include a dollar figure for income that was pulled directly out of your ass as well.


What you describe is not dissimilar to what I just said. However:
First identify your 'unluckiest' participants.  
Step one biggest problem already. Your miners need to have had more than 1 diff's change worth of shares to even begin calling them unlucky. So they need to submit 8 billion diff1 equivalent shares. The miners would need to be hundreds of terrahash before you even accumulate any significant data to even make this call, and then if they split their mining into multiple workers, you will never get 8billion shares like I said.

This.  Additionally, you can't send a "prove you're not evil" work packet to miners in stratum.  Every miner has a unique ExtraNonce1, so they will never overlap their hash results.

So what have you done to verify the pool isn't being exploited?

Doing nothing is pretty much the definition of not caring wouldn't you say?

On a more serious note, if you are unable to actively detect miners performing a block withholding attack on the pool, then Con is right, the era of public pools is over.  Unscrupulous commercial miners will destroy the public pools to eliminate competition from small players.
hero member
Activity: 756
Merit: 501
Yes, fascinating that I deleted the posts that contributed nothing constructive, and decided to imply that I simply don't care, or am too lazy to do anything, and also include a dollar figure for income that was pulled directly out of your ass as well.


What you describe is not dissimilar to what I just said. However:
First identify your 'unluckiest' participants. 
Step one biggest problem already. Your miners need to have had more than 1 diff's change worth of shares to even begin calling them unlucky. So they need to submit 8 billion diff1 equivalent shares. The miners would need to be hundreds of terrahash before you even accumulate any significant data to even make this call, and then if they split their mining into multiple workers, you will never get 8billion shares like I said.

This.  Additionally, you can't send a "prove you're not evil" work packet to miners in stratum.  Every miner has a unique ExtraNonce1, so they will never overlap their hash results.

So what have you done to verify the pool isn't being exploited?
hero member
Activity: 756
Merit: 501
What you describe is not dissimilar to what I just said. However:
First identify your 'unluckiest' participants.  
Step one biggest problem already. Your miners need to have had more than 1 diff's change worth of shares to even begin calling them unlucky. So they need to submit 8 billion diff1 equivalent shares. The miners would need to be hundreds of terrahash before you even accumulate any significant data to even make this call, and then if they split their mining into multiple workers, you will never get 8billion shares like I said.

This is true.  But wouldn't hundreds of users coming from the same IP block raise it's own set of flags?  I would expect that existing DDOS defenses would ban somebody trying that approach right away.

A pool might have a few IPs like that due to hosting providers but a few phone calls would validate those.  

legendary
Activity: 1750
Merit: 1007
Yes, fascinating that I deleted the posts that contributed nothing constructive, and decided to imply that I simply don't care, or am too lazy to do anything, and also include a dollar figure for income that was pulled directly out of your ass as well.


What you describe is not dissimilar to what I just said. However:
First identify your 'unluckiest' participants. 
Step one biggest problem already. Your miners need to have had more than 1 diff's change worth of shares to even begin calling them unlucky. So they need to submit 8 billion diff1 equivalent shares. The miners would need to be hundreds of terrahash before you even accumulate any significant data to even make this call, and then if they split their mining into multiple workers, you will never get 8billion shares like I said.

This.  Additionally, you can't send a "prove you're not evil" work packet to miners in stratum.  Every miner has a unique ExtraNonce1, so they will never overlap their hash results.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
What you describe is not dissimilar to what I just said. However:
First identify your 'unluckiest' participants.  
Step one biggest problem already. Your miners need to have had more than 1 diff's change worth of shares to even begin calling them unlucky. So they need to submit 8 billion diff1 equivalent shares. The miners would need to be hundreds of terrahash before you even accumulate any significant data to even make this call, and then if they split their mining into multiple workers, you will never get 8billion shares like I said.
hero member
Activity: 756
Merit: 501
I would think you could detect someone performing a block withholding attack on the pool through a simple test:

First identify your 'unluckiest' participants.  Then when a block is solved, immediately send the work unit for the block to those miners.  If they consistently fail to return the winning solution you know they are ripping you off.

There are a number of other attacks that could be detected with similar approaches.

What's troubling to me is the massive asymmetry of risks right now.  The miners on BTCguild have over $50M in hardware investments that is depreciating at 25% / month .  I'd be shocked if Micheal has $50k in total in hardware to run the pool.

My personal theory has been mentioned already:


Startup 42e1 spends $2M on design and masks to build out their $5M 2Ph/s mine only to discover that the design has a flaw that prevents it from finding nonces with difficulties over 4.2 billion.  It still hashes lots of results below that level, so instead of scrapping things they move all their machines off the internal pool to a big public pool.


There are many, many other reasons someone could be maliciously attacking a pool, and the stakes keep getting larger.  If you're operating a public pool and not actively developing defenses, you will be burned.

And personally if I was clearing $250k / month off my pool, I wouldn't care what little people think either, but I would pay somebody to care.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
If a pool is large enough, then one can mine on it even with PPLNS and execute a block withhold attack and take the small pay hit it amounts to for the sake of preventing network diff from rising (the risk is far greater with PPS). This is the only realistic attack that could be taking place on this large a pool. Pool ops are obliged to audit their larger miners. Even auditing miners cannot protect you from this though since all they need to do is spread their mining between many accounts or just keep creating accounts to never have a significant amount of shares to raise suspicion. [NOTE: I am not saying there is a problem with btcguild]. The only way to audit this is to actually send suspicious miners work that is guaranteed to be solved and see what they do.

It's the vexing question of what miners should do about pooled mining which has for more to be concerned about than this one issue that is currently troubling btcguild members.

Mining doesn't lend itself to solo mining unless you have mega hashpower, but the larger a pool is the more risk you expose yourself and the bitcoin network to. P2pool is the obvious next step, but if that gets large enough then it's not much different to solo mining at lower diff. Clusters of smaller p2pools that feed into larger p2pool like set ups are the next obvious step.

However the number of miners is diminishing, and the amount of hashpower with each mining group (like KnC's farms) gets larger by the minute, and they'll probably all just run their own solo operations with time. Pooled mining as we currently know it may end up just being an interesting blip on the history of bitcoin mining.
legendary
Activity: 1512
Merit: 1000
So it goes..   I tried to be the canary in the coal mine and then let the data over time speak for me but seems a few more months of this nonsense will have to pass for the sheep on that pool to get nervous

I was disappointed to see Entropy-uc quoted with the original and relevant posts deleted because I appreciate and respect his opinion, so I'm glad he's made this thread.

I've been watching and biting my nails, I saw the beginning of the poor streak coming so I switched everything to PPS and lo-and-behold, next day PPS is gone and all my equipment was forced back to PPLNS.  BTCGuild has been very good to me for the last two years so I've held on hoping, but I'm getting the itchy feeling it's time to move on.  I've never seen the luck this bad, especially not in terms of the 3M indicator.  

I don't believe that Eleuthria is acting maliciously, but I agree that something doesn't feel right.  There was a very definitive drop in the average, and block count has been absolutely atrocious since.  Believe me, you're not the only one that's noticed and been watching closer than usual.
sr. member
Activity: 462
Merit: 250
So it goes..   I tried to be the canary in the coal mine and then let the data over time speak for me but seems a few more months of this nonsense will have to pass for the sheep on that pool to get nervous

hero member
Activity: 756
Merit: 501
I thought these were pretty neutral points but apparently Michael has something to hide.

DPoS, I appreciate that you are genuinely concerned about this, but variance happens.

If you have any evidence beyond the de facto luck of the pool, I'd personally be delighted to see it, but claiming to be the only guy who can see the conspiracy while the math nerds politely nod and smile...

I say this without malice, but it reminds me of the scores of (to a person, bad) poker players I've met over the years who talk about how dealers screw them, how winners are just lucky, how they usually win when they sit in their lucky seat, how they never win with pocket aces, and a gillion other things that all come down to the reality that variance happens.

They don't understand it, and so the game must be rigged.

It's funny you mention poker.  I remember a friendly game once where I never seemed to get hands breaking the way you would expect from the odds.  So when the deal came around to me, I counted the deck.  There were only 46 cards in it!

Sometimes bad luck is bad luck.  But it never hurts to check.

Michael rakes ~$250k per month from this little game.  And his participants have been losing out on over $1.5M / month for the last 3+ months.  That calls for a LOT more diligence than a little hand waving about variance.  Bitcoin is a dirty business, with cheats and thieves always looking for a weakness to exploit.

I can think of half a dozen ways Michael could be testing for exploits that would explain the pools recent performance.  But he seems more interesting in collecting his rake and insulting anyone who asks reasonable questions.

It reminds me of how Deepbit disappeared from the pools list.  Tycho was too busy with hookers and blow to respond to his users, and in a year he went from the biggest pool, to non-existence.
[/quote]

It reminds me of how Deepbit disappeared from the pools list.

It's no wonder [Tycho], and others, have disappeared from these forums.  Let's accuse everyone else, with NO evidence, of malfeasance as well so that we have no responsible people left in the community.

Great idea.

No evidence of malfeasance?  Why use a $3 word when a 5 cent one will work?

Allowing your pool to leak $1.5M / month and disrespecting people who ask reasonable questions about the possibility that some actors could be cheating other participants in the pool isn't exactly malfeasance - it's simply a lack of diligence.

And I've seen no trend of losing responsible people in Bitcoin.   Tycho made his fortune and moved on, because he didn't care any more.  Michael seems quite happy taking in $250k per month and not addressing this issue.  If I were in his shoes I would be madly coding performance tests until I was 100% certain my pool wasn't being abused.  That would be the responsible thing to do.
[/quote]
Jump to: