Topic: Feather-forks: enforcing a blacklist with sub-50% hash power (Read 9915 times)

This paper may be relevant to the topic http://people.cs.uchicago.edu/~teutsch/papers/repurposing_miners.pdf. The paper discusses an attack when miners in the network are rational. The paper shows that "a mining pool which controls at least 38.2% of the network’s total computational power can, with modest financial capacity, gain mining advantage over honest mining".

yep and even worst nothing prevent him from adding to it to remove the bounty from everyone if they win as he had done with the first transaction. this until he get the block himself. possible if he have some hash also and many rational are competing.

One funny consequence of this example is that if you offer a really large fee... instead of having your transaction confirm more quickly, it may actually end up taking longer as it keeps ending up in orphaned chains as miners keep fighting over it!

That is interesting, but unlikely to be possible. the transaction will eventually enter the chain else he need to make and sustain a 51% attack

The biggest problem for the attacker is that the block making it longer (mined by rational pool ) is likely to have the orphan transaction and another bounty is needed to orphan this one so every one block need to be orphan, else it just delay the transaction for some blocks as the transaction is just delayed to enter the chain. By doing this it's not invalidate so the attacker need to repeat to keep it from going in and this will be costly.

so if you can't make the 2-3 first example you can't create a chilling effect or even get rational pool software install. even if he can get the rational pool software install: only pool that disclose the block they found would be possible target. miner and rational pool that don't disclose block can change address so only this mining block is in that address and then send to exchange to make it untraceable so chilling is not working on them.

In fact running the rational pool software would be usable to make a double spend with a parallel chain. if enough bounty is put to keep rational pool on the chain and if he has like 20% and the rational pool 33% so he can add his 20% to keep just behind until he reach the confirm required then make an effective 51%. he can then make a 6-10-20 blocks fork just behind the normal chain and then orphan it when it's needed. so running this kind of rational pool software would just make sure your coin is just going to loose value. So no gain to run this as at the end you will loose.

 

Awesome insight!

I think d'aniel deserves a title, like "king of thought experiments".

He also helped me a lot with the thought experiments for my own project, and then he altruistically turned over the 3BTC bounty I paid him to gmaxwell.

On second thought, there's a pretty strong asymmetry here working against the attacker.  Suppose he has an organized opponent with an interest in breaking his censorship.  The opponent has accumulated a block of blacklisted transactions which he is willing to pay cU₀ to have included in a block (see OP for definitions).  A failed attempt to mine this block costs him roughly U₀.  But during this attempt, he'd be incrementing a bounty in response to the attacker's, up to cU₀.  If unsuccessful, he loses U₀, but the attacker spends more than cU₀ (the second tie-breaker block also costs money).  To recoup his previous cost, the opponent waits until the value to him of having this block mined has grown by another U₀.  Then he tries again.  The idea is that the opponent would just wait until c is large enough that he is confident his attacker will eventually be wiped out by this repeated attack, then mount it.  If he develops a reputation for success in thwarting the attacker, the chilling effect would then begin to work in the opposite direction, against the attacker.

You can't necessarily tell who actually wins a block. Many pools publicly take credit for the blocks they mine, but RationalPool might deliberately obscure it as a way of preventing its members from being discriminated against.

Couldn't miners just turn around and find methods of determining who is doing "feather-forks" and refuse to build on their chain? Given enough miners adding this protection, other miners won't be tempted to do this?

If there were some (hard forking) rule change to address this, I wonder if the network would collectively even agree to it if, for example, it's in response to "legitimate" government censorship.  I bet established businesses trying to stay in said governments' good books would put up some resistance.

Oh well, I ruled out Bitcoin ushering in crypto-anarchy a while ago anyway

Exactly. The amount of bounties that need to be paid would pale in comparison of censoring power they could create.

This would require the same kind of double spend preparation from the winner that the attacker made, before even knowing about the first bounty, but perhaps rational^TM miners would prepare such double spend bounties at all times just in case.  Seems more realistic that it's the attacker that just broadcasts another prepared bounty after seeing the winner's block (assuming rational^TM miners have decided to overcome the double spend broadcast censorship).

Regarding the long-term repeatability of the attack, I suppose if the attacker was high enough profile with deep enough pockets, they could create a chilling effect without actually having to continually pay bounties in repeating the attack; miners wouldn't dare disobey because they know they'd be made examples of and have their blocks orphaned.

The winner might issue a new smaller bounty to keep others on his branch, and he also has the chance to mine the next himself as usual.

The attack could be repeated and is final to coin base transactions.

Then wouldn't the miners who didn't win the bounty just ignore the winner's chain, since they can just work on the honest chain which is just as long, and avoid fucking up Bitcoin?

Sorry if this is getting annoying

If the malicious miner dislikes one transaction in the highest block, just one-up it will only delay, rather than foil his "enemy"'s attempt to send payments, because which transactions get to be included in the blocks afterwards in his alternative chain will still be decided by hashing power, if the malicious miner is willing to spend enough to incentivize all rational miners at every turn to make his enemy unable to send anything, then with such resource he probably should just buy enough hashing power to 51% attack the whole network.

Actually one does not even have to be a miner to launch this attack:

The attacker rolls a Bitcoin holding again and again to new addresses of his own. Once he discovers a block he dislikes, he broadcasts a double spend of his previous roll to a trivially redeemable address.

If the transaction has the sufficient size rational miner will be attracted to create an branch rooted where the transaction was still valid and attempt to re-org to cash in the offered bounty.

Added: He would have to send the double spend to miner directly since ordinary nodes would drop, broadcasting would only work by chance.

I guess then he'd have to be including such a transaction in every block, just in case, but that's only a couple bucks a day.  OTOH, he'd also have to be able to mine a parallel block pretty much on demand.  He's unlikely to be able to do that.  And this is impossible to repeat indefinitely, so his blacklisted transaction will eventually make it in the chain, will it not?

It could stop them if the transaction is only valid in the orphan. For that the source of the bounty would have to be spent in the disliked trunk. The miner could prepare the attack by broadcasting a spends to his own address. If one of those is included in the block he dislikes, then he has a bounty to offer that is only valid in his branch by spending the source again to a trivial to redeem address in his block.

If he broadcasts this transaction, then what's stopping the rest of the miners from just including it in their chain, and claiming the bounty in the same block?

It seems to me that mining on the trunk could be even brought to a temporary halt by creating a new orphan block deeper in the chain with a sufficient bounty trivially claimable.

Rational miner would mine on that orphan and leave enough bounty to incentivize the next until the orphan branch catches up with the trunk triggering a re-org that benefits those participated in the attack.

It is above my knowledge of game theory to attempt to formulate, but suspect that with only "rational" miner there is a sufficient bounty to trigger any depth of re-org (within the same difficulty cycle).

Assume a miner dislikes something in the highest block, and is willing to spend on suppressing it.  He mines a parallel block also embedding a transaction sending a bounty to a trivial to redeem script.  All rational miner including him will be incentivized to mine on top of his alternative and claim the bounty for themselves. Only an altruistic miner would remain on the original or include a mempool transaction claiming the bounty.

Added: An unsuccessful attempt to suppress the highest block does not even cost anything, since if not successful the bounty transaction will not be existent in UTXO. A trivial to redeem transaction included by the miner practically adds to the fee offered for the block building on it.