Topic: Funding network security in the future - page 2. (Read 13357 times)

The "right" chain is the chain that is supported by the exchange that is willing to swap your coins for other things of value. Any discrepancies between the exchanges are decided by the arbitrageurs with capital, not by eggheads with propaganda position papers.

That is the difference between the real financial systems and the long-cons trading baloney.

I've been thinking about "weak subjectivity" lately as a method of securing blockchains, after Vitalik started advocating it as a good form of consensus. It embraces a different security model than Bitcoin, requiring more trust. The Bitcoin wizards are very skeptical of this, saying the security model basically boils down to "just ask coinbase which chain is the real one." However it seems to me that in practice, weak subjectivity might end up approximating full trustlessness very closely. My argument is below. I'm very interested in getting critiques about how specifically this model is likely to be attacked.

For anyone not familiar with weak subjectivity, see Vitalik's explanation at https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/

The tl:dr version is that in this system, if you're not online for some period of time, say 4 months, you need to get a blockchain checkpoint from other people, because you won't be able to tell which one is valid on your own. For anyone who has been online since the genesis block, they don't need to trust anyone. Also, once you do get a checkpoint, you don't need to trust people further going forward (beyond your continued trust that you got the right checkpoint), unless you go offline for > 4 months in the future and come back. Given this, all new nodes need to use trust to get an initial checkpoint.

So the obvious argument against this is: "if new or returning nodes have to ask coinbase what the correct chain is, why don't we just use a fully centralized system operated by coinbase?"

However, it seems that no one who actually cares about security would put their trust in one entity, instead you'd want to ask a lot of entities which chain is correct. Let's imagine in the future Bitcoin has switched to a weak subjective security model, and I'm coming online after 4 months away. Here's who I would ask about the correct chain:

Peter Todd, Gavin Andressen, the Darkwallet guys, Coinbase, my friend who I used to work with who operates a full Bitcoin node, Bitstamp, the Electronic Frontier Foundation, Julian Assange, Greg Maxwell, Mike Hearn, Bram Cohen, Paul Sztorc, Nick Szabo, Robert Sams, Adam Back,  Matthew Green, Andrew Miller, Richard Gendal Brown, Bilaji Srinivasan, Naval Ravikant.

So that's 20 entities who I think would (a) have an opinion on which chain is real, and (b) be fairly likely to give me an honest answer.

Let's assume I ask all of these 20 sources, and they all tell me the same chain is the legit one. In that case, what should I think is the probability that they are all giving me the same wrong information? Since I have to trust them, there's some chance that they're all wrong. But under what realistic circumstances could this happen? And is that really significantly more likely than some hacker having taken over my computer in the current Bitcoin world, and feeding me info about about a false chain?

The general idea is that similar to how zero-knowledge proofs work (where you can keep asking questions until the probability that the proover doesn't have a real solution is arbitrarily small), in a world of weak subjectivity I can keep asking different sources and investigating their trustworthiness until the probability that they're all lying to me is extremely small (The analogy isn't perfect because people lying to me about checkpoints aren't fully independent events). Because anyone can run a full node, there's not some easy set of people for governments or other censors to go after if they want to suppress info about the real chain.

My intuition though is that asking the 20 sources above is millions of times less likely to result in me getting a wrong checkpoint than asking just Coinbase, and that this probability is so close to 0 as to be negligible.

Can someone who is more skeptical of weak subjectivity describe a concrete scenario in which someone like me taking steps like I outline above would fail to get the right chain?
 

Random thought with no regard to the technicalities, a percentage demurrage, deferred by contributing hashpower. Using a spitball of current figures, seems like it "costs" about 20GH to maintain 1 coin, divvying up total hash by coins issued. However, we'd then get a problem that you'd maybe have to mine direct to the wallet where all your coins are to validate the lack of demurrage for those coins. Unless it could work on a sort of merged or sidechained antidemurrage credit, so mine how you like and xfer the credits to where your coins are. Haven't done full evaluation and not sure what the calc will look like 25 years hence or whenever the real problem starts, but something of the order of 5% demurrage per annum seems to fit. Then if coin owner does not mine, or possibly buy credits off those that mine and sell instantly, that demurred coin gets tacked onto block reward.

I don't know if it will need to be as high as 5% by that time maybe not even necessary until much later, presuming cost to maintain giver %age of network hash (constant share of blocks) remains roughly consistant, then mining a single coin block with a $25000 coin value makes it look a lot more profitable than todays ~$10,000 block value.... and I've seen blocks now that have almost an extra coin in tx fees.

This may of course have an effect, seen as either desirable or undesirable, that it eventually returns all "lost" coins to circulation. Okay, most of all of them, damn Xeno.


edit: derp, I realise I more or less looped the calc there, turns out "cost to maintain current level of service" as it were is pretty close to current block reward, when calculated with current typical ASIC efficiencies, current price, current hashrate etc.... we will be expecting that to self tune for many years yet.

So the competitors in mining would lose nothing by colluding, but could significantly gain, absent consumer boycotting.
Perhaps instead of fighting market forces, mining collusion should be encouraged. If the collusion is detrimental to it's consumers, then the consumers have plenty of other places to go.
Instead of decentralization of Bitcoin, we could think of decentralization in the broader sense of a currency marketplace.
That's pretty much the same as throwing in the towel, but at least it can be recognized that the death of individually decentralized currency isn't the death of decentralized currency marketplaces.

It's depressing to think about mining companies getting together to try to decide what the appropriate transaction fee should be. That's certainly not the vision I bet most of us had when we first learned about Bitcoin.

Usually the smallest member's actions won't be decisive though, so I think a small miner would always want to join the cartel if possible even if they worried about being kicked out, because it's very profitable and their alternative is 0 profit.

The cartel might kick miners out, although it carries a risk that an outside coalition could become stronger than them. Let's say the coalition started with 55% of all hashpower. Outside miners stop mining, the cartel reduces their hashing to 8% of capacity, and they kick some people out until they control only 50% of total hashpower instead of 55%. So now 50% of total hashpower is outside the cartel and making no money, but this 50% knows that if they could just organize themselves and either make an investment in more mining equipment or recruit some miners away from the existing cartel, they could take control and earn 100% of mining rewards. This would be a disaster for the cartel, so I don't think they'd want to kick too many people out.

The "new cartel" could also set a policy of never kicking anyone out. Maybe miners wouldn't believe them, but if they did it'd give small miners in the existing cartel who worried about being kicked out an incentive to switch.

I think the fact that pools don't control their hash power makes the cartel situation better for the Bitcoin community -- by ensuring that the cartel policy is roughly what the majority of miners want (otherwise they'd form a new cartel).


What I mean is that an attacker might have an idea to do a double spend by mining just one block, putting a transaction to a merchant only in their block (not broadcasting it to anyone else) and taking advantage of merchants who wait for only one confirmation. When this block gets orphaned, their transaction to the merchant will be rolled back, assuming the cartel doesn't harvest transactions from orphaned blocks even if they have no fees.


Consider the case where someone wants to pull off an attack but they have no hashpower now. So they buy enough hashpower so they have 30% of total hashpower. Then they do their attack. Mining is only barely profitable in the long run -- mining equipment is priced at a level where you likely need to mine for a super long time to make back your investment. So after the attack the attacker needs to mine honestly for a year or so to be truly costless (and still, there's a lot of risk that their forecast of the future hashrate was off, and they'll lose a lot of money).

I think the traditional argument against this is that such attacks would undermine faith in the network and lower the BTC price, so if an attacker had enough hashpower to pull off a 51% attack, then by causing the BTC price to drop they'd be significantly reducing their future revenue, likely more than offsetting any benefit from their attack.



Correct -- all mining profits will be competed away to 0 in the long run (absent a cartel), since mining is close to perfect competition. But odolvlobo's argument can be recast to say that an attack would be "costless" instead of profitable, since if an attacker could use his mining investment to mine he at least would come out somewhat near breaking even (again assuming his attack didn't wreak too much havoc).

Mining isn't even profitable right now. Competition drives down profit margins as it increases efficiency. I wouldn't worry too much about that. There's no way for mining to be perpetually profitable.

As long as you're referring to profits and not revenue, that is...

My point is not to point out the particular attack that was described. The point is that as long as mining is profitable there are attacks or exploits that are not protected by the cost of mining, now or in the future.

As the hashing power drops, the cartel has an incentive to kick members.  That means that the smallest member has an incentive to not join in the first place.

One of the issues is that mining pools don't actually control all of their hashing power.  If they annoy the community, they could lose support.


The 6 block confirm system would pretty much eliminate that anyway.  The cartel's chain is unlikely to fall 6 blocks behind.

Wait... no... that example is only valid for the "attacker takes over existing mining pools" case, where formerly honest miners are co-opted to be evil (or gang up in a cartel to be evil).

If somebody collects as much hashing power as the rest of the network combined and then suddenly attacks, then yes, indeed, difficulty stays the same, the attacker gets all the mining rewards, and there are twice as many stale blocks as before.  Attacker gets 6 block rewards per hour.

If they were to mine honestly, blocks would be created twice as fast until difficulty adjusted, so they'd get 6 block rewards per hour for a week (same as if they decide to attack). Then difficulty would double, and they'd get only 3 per hour.

I did a brief analysis over 2 years ago in my long-term mining prognosis post (from the signature):

https://bitcointalksearch.org/topic/long-term-mining-prognosis-91101

Because it is effectively a reductio ad absurdum of the whole^* Bitcoin concept you are not likely to get much response or discussion about the idea.

Edit: ^(*) Not really the whole, but mostly the might-makes-right aspect of the current proof-of-work.

If the attacker had 51% of the hash power, they could get 100% of the mining rewards though right? Because whenever anyone else mined a block, the attacker can always overtake that chain with one in which they mine every block.

odolvlobo seems to be asking about a strange sort of 51% attack. The typical kind that gets talked about is that you have some pre-existing coins and you use your large hashrate to double spend those coins. The attack being suggested is to simply grab all the mining rewards and spend those.

On its surface this sounds like a good "attack" because you basically can mine coins at half the cost that honest miners were paying to mine. If I had 51% of all hashpower and was wondering whether to carry out this kind of attack, I'd worry that my actions would tank the BTC price once people realized that one miner controlled all mining, and that I would have to settle for a much lower price for my mining rewards.

This situation is basically the "mining cartel" that Cubic Earth was posting about. Right now Discus Fish, GHash.IO, KnCMiner, and BTCGuild have over 51% of hashrate. Suppose they have 55% so they could form a private agreement to only build on each other's blocks. Now they are getting 100% of block rewards instead of 55%, almost doubling their revenue and maybe increasing their profits by 10x. Miners in other pools will then want to switch to one of these pools, because they are the only pools that make any money. These pools will not want to let in more people (technically, more hash power) though, because they don't need more people to control the network. Why split the mining rewards with more people when you don't have to? The cartel would want to stay just big enough to not jeopardize their control of the network.

As miners outside of the cartel realized the futility of competing with the cartel, they'd stop mining, meaning the cartel would be free to lower their own hash rate to further increase their profits.

Eventually, the cartel may be able to lower their hash rate to almost nothing (and therefore earn huge profits). In this case network security would not be provided by actual hashing, but by the knowledge that if anyone tried to attack the network, the cartel would then turn on their full hash rate capability until the attacking chain was overtaken. Maybe the cartel would mine at 100% for brief spurts just to assure the community of their power. In this situation people would realize it was futile to attack the network, so they wouldn't try.

Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

Anyone know if this cartel situation has been analyzed in more depth anywhere?

You are wrong.

Example that should make it clear:

Honest miner with 50% hash power:  will mine 6 blocks every two hours (on average). Rest of the network will mine the other 6 blocks.

Attacking miner with 50% hash power: will mine 6 blocks every four hours (on average), because they refuse to build on anybody else's blocks.

Result: if the attacker is the longest chain, they'll get half as many BTC as honest mining (if they are unlucky and are not the longest chain, they'll get zero).

If they could keep up the attack for a full month until difficulty adjusts then they'll start making what they would have been making if they were honest.

51% attacks will always be a problem for consensus systems of any sort.

Please correct me if I'm wrong, but isn't this an issue right now? Assuming that mining is profitable (i.e. mining revenue is greater than cost), a 51% attack would essentially cost nothing because the attacker would receive all the mining revenue (which exceeds his cost because we assume that mining is profitable). This is independent of subsidy in relation to transaction fees.

If the security in the main chain is much weaker than on the sidechain, 51% attackers on the main chain can steal "frozen" coins, causing even more dilution on the sidechain whenever they do so. So people would want the main chain to be roughly as secure as the sidechain.

I didn't notice this thread was resurrected.

Miners who want to complete an assurance contract with their own funds can only reliably do that if they keep their own pledge private. But then they're not getting all the money for the mining, they only get 10 BTC instead of the 50 BTC others are targeting or whatever. So they can't hash as fast, because they have less money to do it, so they're less likely to find a block and those other pledges they were trying to claim for themselves end up being taken by other miners. They end up with nothing.

Still, if it doesn't work out like that, there are other ways to set things up as pointed out up thread: you can delay the ability to claim the raised funds by a number of blocks using a kind of height-relative lock time and then you can't keep pledges private any more or control who gets to claim them. I would worry more about the nature of trying to raise funds for a continuous good - I'm not aware of any other examples of assurance contracts being used in such a way, and that feels like a more fundamental open problem than people playing games with the protocol.

Anyway, by the time this is a real issue, perhaps nobody will care about PoW based block chains. I'd be disappointed if this was the last idea humanity ever had for solutions to the byzantine generals problem.  So it's fun to speculate about but I'm in Gavin's camp - when the time comes to jump this hurdle, people will find a way.

This. A topic often overlooked when discussing Bitcoin economics is called "free entry".

Free Entry can be defined as being able to bring a good or service to a marketplace as soon as they establish production of the good or service, impeded only by the costs of the capital.

Decentralization is a function of free entry and low capital requirements. Torrents are highly decentralized, for example, because participants can freely enter the market and the capital requirements are trivial.

Unarguably, there is actually a Natural Monopoly condition that exists in mining, because centralized mining is always economically superior than decentralized mining even when all of the competitors have equivalent overhead per hash/s, as I mentioned earlier.

RaisingRemoving the block size limit causes a race toward maximum transactions, and lowest fees necessary to run the network. In this way, raising capital requirements and damaging decentralization.

Hash-power atrophy, which would occur regardless of the block-size problem (And which is the topic at hand), actually helps with decentralization because it also lowers capital requirements. Is it really a safe assumption that bidding for block-space will "sufficiently" cover hashing costs?

So if the goal is to keep running nodes a trivial endeavor, then maybe this is a problem we don't want to fix? Maybe we want to be running a million USB miners rather than a handful of mining facilities?

Since the block-chain size is already not trivial (By some definitions), perhaps the block size is not too low, it's actually too high.

I don't know. It seems like to really address the problem, there would have to be a clear objective about what Bitcoin wants to achieve and what sacrifices it's willing to make to get there. If the Bitcoin protocol is going to compete with Visa credit cards, then we can simply throw the decentralization idea out the window in favor of Free Entry, and then the developers need to contend with the Natural Monopoly problem.

+1 Meni. Great point well made.  I think this is a good analysis and description.  Of course it could be wrong, but I think its definitely a good framework to think about these issues.

This is not as simple as the classic tragedy of the commons problem, because we also need to consider the impact of faster conformation times on the system.  If one miner defects and includes transactions with lower fees, then users with low fee transactions will still need to wait longer for conformations, therefore many users could maintain the high fee level.  If a cartel is large enough, it is not clear to me at this stage, if this race to the bottom will occur or not.  However I think Meni’s comments are a very useful illustrative example of a framework to think about the problem, with some sensible assumptions and conclusions, even if some people don’t completely agree with the mining cartel logic.

Remember a competitive mining market with many miners is desirable any way, for other reasons.  The more competitive mining is the more likely a defection from the cartel is.

The sidechain is still a completely different blockchain, which means that the security extended to the holders of the coins on the sidechain does not need to apply to the coins on the Bitcoin main chain. Even if you use merge mining, there is still more security in being on the chain that is the primary financial backer of the mining - IE Bitcoin is substantially safer from a 51% than Namecoin, even though Namecoin technically has ~50% of the hashrate of Bitcoin. The amount of financial loss a miner will accept when switching away from Namecoin, or mining a specific fork of Namecoin, is much less than if the miner were to do the same to Bitcoin. Tactics like bribery could be much more effective in attacking Namecoin because most Namecoin miners mostly only care about the Bitcoin chain. They aren't invested in the long term health of Namecoin. Similarly, if in the distant future some sidechain has 10x the funds going into mining than the Bitcoin mainchain, paranoid entities are likely to strongly prefer holding their funds in that chain, even at the cost of some dilution to their holdings (as long as the dilution is minimal enough - obviously there's a gradient).

Ok, my main argument was that the tragedy of the commons wasn't a suitable analogy because the economic factors are different and you can' t really make a square peg fit a round hole by saying that the consumers are selling a 'willingness to pay resource' to the suppliers.
 The fact of the matter is that in reality the tragedy of the commons often doesn't occur and in these situations people will self-regulate and act in their long term self interests and common grazing actually has happened historically very successfully. So even though it isn' t a suitable analogy in economic terms it might help in supporting my prediction of what would actually happen.


This is a very dissimilar situation, because the game producer has a monopoly on the right to sell the game. If anyone off the street had a right to sell the game, you would see the price fall to almost zero.