Pages:
Author

Topic: Feather-forks: enforcing a blacklist with sub-50% hash power (Read 9939 times)

newbie
Activity: 6
Merit: 0
This paper may be relevant to the topic http://people.cs.uchicago.edu/~teutsch/papers/repurposing_miners.pdf. The paper discusses an attack when miners in the network are rational. The paper shows that "a mining pool which controls at least 38.2% of the network’s total computational power can, with modest financial capacity, gain mining advantage over honest mining".
sr. member
Activity: 336
Merit: 250
Quote
One funny consequence of this example is that if you offer a really large fee... instead of having your transaction confirm more quickly, it may actually end up taking longer as it keeps ending up in orphaned chains as miners keep fighting over it!

yep and even worst nothing prevent him from adding to it to remove the bounty from everyone if they win as he had done with the first transaction. this until he get the block himself. possible if he have some hash also and many rational are competing.
legendary
Activity: 1008
Merit: 1000

4. A related natural occurrence
Consider the scenario where some user broadcasts a transaction with an anomalously large fee, U₁. Let's say that the chance of winning the next block is α, your proportion of the total power (in hashes/second), and that the typical reward for a block is U₀. Then the expected utility of cooperation (strategy C₀) is (something like):
       E[C₀] = αU₀
In order to earn the enormous reward U₁ (strategy C₁) you'd have to win TWO blocks before the rest of the network wins one:
       E[C₁] = α²U₁
So, in the case that U₁/U₀ ≥ α⁻¹, a rational miner with hashpower α will defect, even if all others cooperate. The larger your share of the hash power, the lower the breakpoint for a prize be to be worth contending over.

Example: Suppose the (fictional) RationalMiningPool accounts for about 33% of the hashpower. A software glitch at MyPHPWebWallet.com results in a submitted transaction with a fee exceeding 75 btc (the typical block reward is only 25 btc). RationalMiningPool does not find the first winning block to include this fee; however, it decides to keep fighting for the big prize, since the chance of finding the next two consecutive solutions is decent and the high value makes it worthwhile.



One funny consequence of this example is that if you offer a really large fee... instead of having your transaction confirm more quickly, it may actually end up taking longer as it keeps ending up in orphaned chains as miners keep fighting over it!
sr. member
Activity: 336
Merit: 250
That is interesting, but unlikely to be possible. the transaction will eventually enter the chain else he need to make and sustain a 51% attack

The biggest problem for the attacker is that the block making it longer (mined by rational pool ) is likely to have the orphan transaction and another bounty is needed to orphan this one so every one block need to be orphan, else it just delay the transaction for some blocks as the transaction is just delayed to enter the chain. By doing this it's not invalidate so the attacker need to repeat to keep it from going in and this will be costly.

so if you can't make the 2-3 first example you can't create a chilling effect or even get rational pool software install. even if he can get the rational pool software install: only pool that disclose the block they found would be possible target. miner and rational pool that don't disclose block can change address so only this mining block is in that address and then send to exchange to make it untraceable so chilling is not working on them.

In fact running the rational pool software would be usable to make a double spend with a parallel chain. if enough bounty is put to keep rational pool on the chain and if he has like 20% and the rational pool 33% so he can add his 20% to keep just behind until he reach the confirm required then make an effective 51%. he can then make a 6-10-20 blocks fork just behind the normal chain and then orphan it when it's needed. so running this kind of rational pool software would just make sure your coin is just going to loose value. So no gain to run this as at the end you will loose.

 
legendary
Activity: 1260
Merit: 1031
Rational Exuberance

On second thought, there's a pretty strong asymmetry here working against the attacker.  Suppose he has an organized opponent with an interest in breaking his censorship.  The opponent has accumulated a block of blacklisted transactions which he is willing to pay cU0 to have included in a block (see OP for definitions).  A failed attempt to mine this block costs him roughly U0.  But during this attempt, he'd be incrementing a bounty in response to the attacker's, up to cU0.  If unsuccessful, he loses U0, but the attacker spends more than cU0 (the second tie-breaker block also costs money).  To recoup his previous cost, the opponent waits until the value to him of having this block mined has grown by another U0.  Then he tries again.  The idea is that the opponent would just wait until c is large enough that he is confident his attacker will eventually be wiped out by this repeated attack, then mount it.  If he develops a reputation for success in thwarting the attacker, the chilling effect would then begin to work in the opposite direction, against the attacker.

Awesome insight!

I think d'aniel deserves a title, like "king of thought experiments".

He also helped me a lot with the thought experiments for my own project, and then he altruistically turned over the 3BTC bounty I paid him to gmaxwell.
sr. member
Activity: 461
Merit: 251
I suppose if the attacker was high enough profile with deep enough pockets, they could create a chilling effect without actually having to continually pay bounties in repeating the attack; miners wouldn't dare disobey because they know they'd be made examples of and have their blocks orphaned.

Exactly. The amount of bounties that need to be paid would pale in comparison of censoring power they could create.
On second thought, there's a pretty strong asymmetry here working against the attacker.  Suppose he has an organized opponent with an interest in breaking his censorship.  The opponent has accumulated a block of blacklisted transactions which he is willing to pay cU0 to have included in a block (see OP for definitions).  A failed attempt to mine this block costs him roughly U0.  But during this attempt, he'd be incrementing a bounty in response to the attacker's, up to cU0.  If unsuccessful, he loses U0, but the attacker spends more than cU0 (the second tie-breaker block also costs money).  To recoup his previous cost, the opponent waits until the value to him of having this block mined has grown by another U0.  Then he tries again.  The idea is that the opponent would just wait until c is large enough that he is confident his attacker will eventually be wiped out by this repeated attack, then mount it.  If he develops a reputation for success in thwarting the attacker, the chilling effect would then begin to work in the opposite direction, against the attacker.
full member
Activity: 126
Merit: 110
Andrew Miller
Couldn't miners just turn around and find methods of determining who is doing "feather-forks" and refuse to build on their chain? Given enough miners adding this protection, other miners won't be tempted to do this?
You can't necessarily tell who actually wins a block. Many pools publicly take credit for the blocks they mine, but RationalPool might deliberately obscure it as a way of preventing its members from being discriminated against.
hero member
Activity: 994
Merit: 507
Couldn't miners just turn around and find methods of determining who is doing "feather-forks" and refuse to build on their chain? Given enough miners adding this protection, other miners won't be tempted to do this?
sr. member
Activity: 461
Merit: 251
Exactly. The amount of bounties that need to be paid would pale in comparison of censoring power they could create.
If there were some (hard forking) rule change to address this, I wonder if the network would collectively even agree to it if, for example, it's in response to "legitimate" government censorship.  I bet established businesses trying to stay in said governments' good books would put up some resistance.

Oh well, I ruled out Bitcoin ushering in crypto-anarchy a while ago anyway Tongue
hero member
Activity: 836
Merit: 1030
bits of proof
I suppose if the attacker was high enough profile with deep enough pockets, they could create a chilling effect without actually having to continually pay bounties in repeating the attack; miners wouldn't dare disobey because they know they'd be made examples of and have their blocks orphaned.

Exactly. The amount of bounties that need to be paid would pale in comparison of censoring power they could create.
sr. member
Activity: 461
Merit: 251
The winner might issue a new smaller bounty to keep others on his branch, and he also has the chance to mine the next himself as usual.
This would require the same kind of double spend preparation from the winner that the attacker made, before even knowing about the first bounty, but perhaps rationalTM miners would prepare such double spend bounties at all times just in case.  Seems more realistic that it's the attacker that just broadcasts another prepared bounty after seeing the winner's block (assuming rationalTM miners have decided to overcome the double spend broadcast censorship).

Regarding the long-term repeatability of the attack, I suppose if the attacker was high enough profile with deep enough pockets, they could create a chilling effect without actually having to continually pay bounties in repeating the attack; miners wouldn't dare disobey because they know they'd be made examples of and have their blocks orphaned.
hero member
Activity: 836
Merit: 1030
bits of proof
Actually one does not even have to be a miner to launch this attack:

The attacker rolls a Bitcoin holding again and again to new addresses of his own. Once he discovers a block he dislikes, he broadcasts a double spend of his previous roll to a trivially redeemable address.

If the transaction has the sufficient size rational miner will be attracted to create an branch rooted where the transaction was still valid and attempt to re-org to cash in the offered bounty.
Then wouldn't the miners who didn't win the bounty just ignore the winner's chain, since they can just work on the honest chain which is just as long, and avoid fucking up Bitcoin?

Sorry if this is getting annoying Smiley

The winner might issue a new smaller bounty to keep others on his branch, and he also has the chance to mine the next himself as usual.

If the malicious miner dislikes one transaction in the highest block, just one-up it will only delay, rather than foil his "enemy"'s attempt to send payments, because which transactions get to be included in the blocks afterwards...
The attack could be repeated and is final to coin base transactions.
sr. member
Activity: 461
Merit: 251
Actually one does not even have to be a miner to launch this attack:

The attacker rolls a Bitcoin holding again and again to new addresses of his own. Once he discovers a block he dislikes, he broadcasts a double spend of his previous roll to a trivially redeemable address.

If the transaction has the sufficient size rational miner will be attracted to create an branch rooted where the transaction was still valid and attempt to re-org to cash in the offered bounty.
Then wouldn't the miners who didn't win the bounty just ignore the winner's chain, since they can just work on the honest chain which is just as long, and avoid fucking up Bitcoin?

Sorry if this is getting annoying Smiley
hero member
Activity: 784
Merit: 1000
Assume a miner dislikes something in the highest block, and is willing to spend on suppressing it.  He mines a parallel block also embedding a transaction sending a bounty to a trivial to redeem script.  All rational miner including him will be incentivized to mine on top of his alternative and claim the bounty for themselves. Only an altruistic miner would remain on the original or include a mempool transaction claiming the bounty.

Added: An unsuccessful attempt to suppress the highest block does not even cost anything, since if not successful the bounty transaction will not be existent in UTXO. A trivial to redeem transaction included by the miner practically adds to the fee offered for the block building on it.



If the malicious miner dislikes one transaction in the highest block, just one-up it will only delay, rather than foil his "enemy"'s attempt to send payments, because which transactions get to be included in the blocks afterwards in his alternative chain will still be decided by hashing power, if the malicious miner is willing to spend enough to incentivize all rational miners at every turn to make his enemy unable to send anything, then with such resource he probably should just buy enough hashing power to 51% attack the whole network.
hero member
Activity: 836
Merit: 1030
bits of proof
Actually one does not even have to be a miner to launch this attack:

The attacker rolls a Bitcoin holding again and again to new addresses of his own. Once he discovers a block he dislikes, he broadcasts a double spend of his previous roll to a trivially redeemable address.

If the transaction has the sufficient size rational miner will be attracted to create an branch rooted where the transaction was still valid and attempt to re-org to cash in the offered bounty.

Added: He would have to send the double spend to miner directly since ordinary nodes would drop, broadcasting would only work by chance.
sr. member
Activity: 461
Merit: 251
It could stop them if the transaction is only valid in the orphan. For that the source of the bounty would have to be spent in the disliked trunk. The miner could prepare the attack by broadcasting a spends to his own address. If one of those is included in the block he dislikes, then he has a bounty to offer that is only valid in his branch by spending the source again to a trivial to redeem address in his block.
I guess then he'd have to be including such a transaction in every block, just in case, but that's only a couple bucks a day.  OTOH, he'd also have to be able to mine a parallel block pretty much on demand.  He's unlikely to be able to do that.  And this is impossible to repeat indefinitely, so his blacklisted transaction will eventually make it in the chain, will it not?
hero member
Activity: 836
Merit: 1030
bits of proof
Assume a miner dislikes something in the highest block, and is willing to spend on suppressing it.  He mines a parallel block also embedding a transaction sending a bounty to a trivial to redeem script.  All rational miner including him will be incentivized to mine on top of his alternative and claim the bounty for themselves. Only an altruistic miner would remain on the original or include a mempool transaction claiming the bounty.
If he broadcasts this transaction, then what's stopping the rest of the miners from just including it in their chain, and claiming the bounty in the same block?
It could stop them if the transaction is only valid in the orphan. For that the source of the bounty would have to be spent in the disliked trunk. The miner could prepare the attack by broadcasting a spends to his own address. If one of those is included in the block he dislikes, then he has a bounty to offer that is only valid in his branch by spending the source again to a trivial to redeem address in his block.
sr. member
Activity: 461
Merit: 251
Assume a miner dislikes something in the highest block, and is willing to spend on suppressing it.  He mines a parallel block also embedding a transaction sending a bounty to a trivial to redeem script.  All rational miner including him will be incentivized to mine on top of his alternative and claim the bounty for themselves. Only an altruistic miner would remain on the original or include a mempool transaction claiming the bounty.
If he broadcasts this transaction, then what's stopping the rest of the miners from just including it in their chain, and claiming the bounty in the same block?
hero member
Activity: 836
Merit: 1030
bits of proof
It seems to me that mining on the trunk could be even brought to a temporary halt by creating a new orphan block deeper in the chain with a sufficient bounty trivially claimable.

Rational miner would mine on that orphan and leave enough bounty to incentivize the next until the orphan branch catches up with the trunk triggering a re-org that benefits those participated in the attack.

It is above my knowledge of game theory to attempt to formulate, but suspect that with only "rational" miner there is a sufficient bounty to trigger any depth of re-org (within the same difficulty cycle).
hero member
Activity: 836
Merit: 1030
bits of proof
Assume a miner dislikes something in the highest block, and is willing to spend on suppressing it.  He mines a parallel block also embedding a transaction sending a bounty to a trivial to redeem script.  All rational miner including him will be incentivized to mine on top of his alternative and claim the bounty for themselves. Only an altruistic miner would remain on the original or include a mempool transaction claiming the bounty.

Added: An unsuccessful attempt to suppress the highest block does not even cost anything, since if not successful the bounty transaction will not be existent in UTXO. A trivial to redeem transaction included by the miner practically adds to the fee offered for the block building on it.

Pages:
Jump to: