Pages:
Author

Topic: Join me in the biggest mining pool boycott Bitcoin has ever seen (Read 13204 times)

donator
Activity: 2058
Merit: 1054
It does not prove there even is a tree. At each depth of the branch, the miner can make up a completely random hash to concatenate with the deeper hash.  Like I said, block withholding is possible without this...

Right and my point is that today every single pool in existence is subject to a much easier withholding attack called "don't submit any hashes which solve the block" and not a single pool in existence provides any enhanced payout based on the tx value of the block so there is absolutely no additional revenue for such an attack.

So I don't really see using GBT as being ANY WORSE that what pools are doing right now.  The major difference becomes that the miners are in control of tx selection.
For the 3rd time, yes, block withholding is equally possible with classical pools and with unverified GBT. Block withholding is not the problem because it is difficult to monetize it, hence, few will attempt it. The first time I mentioned block withholding here, was in the sentence "this could be used for more than just a variant of block withholding".

The real problem - which is perhaps difficult to see now because it will fully manifest later on, when coinbase is negligible and tx fees (which are ever-changing) are significant, and reward methods will adapt accordingly - is faking the total tx fee. To prevent pool hopping, reward methods will be more similar to PPS, with the payment for each share depending on the total tx fee of the block it tries to become. If the pool doesn't verify the miner's tx set, the miner can report a higher total tx fee than there actually are in the block, tricking the pool into paying more than his work is worth. This attack is profitable, and hence, everyone will do it if the pool allows it.

And of course, to prevent this attack, GBT pools should verify the tx set, hence increasing bandwidth.

As mentioned, I think the problem should be solved with SCIP. I gave my own version of why GBT without verifying tx set is bad, if not now then in the future; slush should explain why he believes the whole tx set needs to be verified.

I would point out this isn't something I came up with.  The use of a merkle branch to validate a specific tx without the full tx set is already used in merged mining, p2pool, and SPV clients.
Again - it verifies that the tx exists in the Merkle tree with the given root, assuming the Merkle tree exists. It does not prove that a Merkle tree exists. This distinction is of no importance in some other use cases you mentioned, but it is important here.
donator
Activity: 1218
Merit: 1079
Gerald Davis
It has been already answered by me and Meni.
...
Thanks god you're not running the pool. You would be financially ruined in few hours

No it hasn't. The full tx set is not required for shares which don't solve the block.  Sure a miner could make up a bogus tx set and submit shares but the miner doesn't save any work and doesn't benefit the miner in anyway.  To avoid getting caught the miner would need to never submit any shares which produce a block.  In essence this is just a more complicated form of block witholding.  In the miner wants to withhold blocks it is far easier to just do that.

The pool needs to verify the coinbase is part of the tx set otherwise the miner could submit non-pool work but this doesn't require the full tx set.  That is the whole point of using merkle trees.  How would I be financial ruined by only performing the "a" & "b" validations below.  How would I incur losses which are greater than an attacker just withholding blocks?  Please be specific.

Quote
But pool must do the same validation for every submitted share.

For non-block shares only two things need to be verified
a) the blockheader = no different than stratum or getwork
b) the coinbase to verify it is part of the merkle set = only the merkle branch is needed.

Any pool is already doing "a",  if the miner supplies the tx set the only additional verification needed would be "b", and that doesn't require the full tx set, it doesn't require the computation of the full merkle tree and you still haven't explained why it would be this massive overhead.  I would point out this isn't something I came up with.  The use of a merkle branch to validate a specific tx without the full tx set is already used in merged mining, p2pool, and SPV clients.
legendary
Activity: 1386
Merit: 1097
The full tx set is not necessary for non-block shares.

Thanks god you're not running the pool. You would be financially ruined in few hours Wink. Just kidding :-)).

Quote
Please describe why it is significantly worse performance wise. 

It has been already answered by me and Meni. With Stratum, server choose set of transactions willing to include to block. Do full validation like finding outputs to spend, check limits of script and so on. Then it prepares merkle tree and everything stores *internally* to its memory, under so-called "job id". Then server broadcast merkle branch (part of merkle tree) to *all* connected miners, with proper job id. Once miner submits share with given job id, pool just takes precalculated and already verified data from its memory, do sha(sha(header)) and checks if the share is valid and/or winning.

When the pool offer miners to pick their own transactions, then the story is completely different. Pool still *must* check all shares like in Stratum, because it credits the miner by small portion of bitcoins (in PPS, for simplicity). But pool must do the same validation for every submitted share. The same work which is done once per 30 seconds for all connected miners in pool.

Of course there's some space for shortcuts, like validating proof of work for every share, but do the full validation only for few shares. I was not thinking about this too much, but I bet it will open Pandora box with some side channel attacks to the pool, like pool hopping in proportional pools.

Actually I think that ratio 1:10 for Stratum vs full share validation was rather conservative.
donator
Activity: 1218
Merit: 1079
Gerald Davis
So I don't really see using GBT as being ANY WORSE that what pools are doing right now.  The major difference becomes that the miners are in control of tx selection.

Apples and oranges. Nobody said GBT is worse security-wise. Just performance-wise.

Well actually Meni did.   I am glad you agree that GBT is not worse security-wise.   I don't see how it is significantly worse performance wise.  The full tx set is not necessary for non-block shares.  The pool can ensure the miner isn't not working for himself using the merkle branch and the blockheader.  Please describe why it is significantly worse performance wise.  There is some overhead but that overhead can be offset by the pool just requiring higher difficulty shares when the miner selects the tx set and in return the risk of centralization is significantly reduced.
legendary
Activity: 1386
Merit: 1097
So I don't really see using GBT as being ANY WORSE that what pools are doing right now.  The major difference becomes that the miners are in control of tx selection.

Apples and oranges. Nobody said GBT is worse security-wise. Just performance-wise. There's big difference if the pool needs 10 servers or 100 servers around the world, because of change in share validation process.
donator
Activity: 1218
Merit: 1079
Gerald Davis
It does not prove there even is a tree. At each depth of the branch, the miner can make up a completely random hash to concatenate with the deeper hash.  Like I said, block withholding is possible without this...

Right and my point is that today every single pool in existence is subject to a much easier withholding attack called "don't submit any hashes which solve the block" and not a single pool in existence provides any enhanced payout based on the tx value of the block so there is absolutely no additional revenue for such an attack.

So I don't really see using GBT as being ANY WORSE that what pools are doing right now.  The major difference becomes that the miners are in control of tx selection.
donator
Activity: 2058
Merit: 1054
The pool knows that the miner did work, and that the work cannot reward anyone else. But without requesting the full tx set, it doesn't know there actually is a tx set which hashes to the given Merkle root. The miner could be making the whole thing up.

The miner can't make anything up.  That is the whole point of the merkle branch.  It allows cryptographic verification that a particular tx (in this case the coinbase) is part of the merkle tree without needing the full tree.  Sure the miner could select a set of txs with low or no txs fees but compared to the ability for a miner to simply withold all blocks it is a negligible threat.  

Today without using GBT block withholding is a significant risk.  The risk isn't increased by using GBT.  
No.

If there is a Merkle tree of valid txs, the Merkle branch proves that the tx at its leaf is a part of the tree.

It does not prove there even is a tree. At each depth of the branch, the miner can make up a completely random hash to concatenate with the deeper hash.

Like I said, block withholding is possible without this but it's difficult to make money from block withholding. With what we have here, the miner can solicit from the pool more payment than he's due (I'm assuming an evolved reward method), that is, an actually profitable attack.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Today without using GBT block withholding is a significant risk.  The risk isn't increased by using GBT. 

Block withholding has nothing to do with used protocol. Such attack can be used for getwork/GBT/Stratum.

That was my point. Huh
legendary
Activity: 1386
Merit: 1097
Today without using GBT block withholding is a significant risk.  The risk isn't increased by using GBT. 

Block withholding has nothing to do with used protocol. Such attack can be used for getwork/GBT/Stratum.
donator
Activity: 1218
Merit: 1079
Gerald Davis
The pool knows that the miner did work, and that the work cannot reward anyone else. But without requesting the full tx set, it doesn't know there actually is a tx set which hashes to the given Merkle root. The miner could be making the whole thing up.

The pool can verify the coinbase tx is part of the merkle tree by the merkle branch without need for the full tree.  Sure the miner could select a set of txs with low or no txs fees but compared to the ability for a miner to simply withold all blocks it is a negligible threat.  

Today without using GBT block withholding is a significant risk.  The risk isn't increased by using GBT.  
donator
Activity: 2058
Merit: 1054
Thanks for the correction.  Why would it be expensive in terms of bandwidth?  For shares which don't solve a block the tx set isn't needed...
...but it still needs to do full validation of that share.
As opposed to any other share?
The pool knows that the miner did work, and that the work cannot reward anyone else. But without requesting the full tx set, it doesn't know there actually is a tx set which hashes to the given Merkle root. The miner could be making the whole thing up.

When tx fees are meaningful, this could be used for more than just a variant of block withholding. The miner can misreport the total tx fees in the block he offered, and obtain more payment than his work is actually worth.

This can be solved with SCIP.

Since smart miners are essential for Multi-PPS, I discussed it in that thread as well.
donator
Activity: 1218
Merit: 1079
Gerald Davis
As opposed to any other share?

If you mean Stratum shares, then the difference is that Stratum job is prepared by pool itself, so there's no need to validate everything for every share. Just sha256(sha256(header)) is enough. But things are different once every miner can pick completely different transactions to hash...

It is still the same sha256(sha256(header)).  The only additional step is verifying the coinbase tx is part of the merkle tree.  If that is what you mean by "full validation" then ok but it isn't a significant overhead and the pool could simply require higher difficulty shares to compensate.
legendary
Activity: 1386
Merit: 1097
As opposed to any other share?

If you mean Stratum shares, then the difference is that Stratum job is prepared by pool itself, so there's no need to validate everything for every share. Just sha256(sha256(header)) is enough. But things are different once every miner can pick completely different transactions to hash...
donator
Activity: 1218
Merit: 1079
Gerald Davis
Thanks for the correction.  Why would it be expensive in terms of bandwidth?  For shares which don't solve a block the tx set isn't needed...

...but it still needs to do full validation of that share.

As opposed to any other share?
legendary
Activity: 1386
Merit: 1097
Thanks for the correction.  Why would it be expensive in terms of bandwidth?  For shares which don't solve a block the tx set isn't needed...

...but it still needs to do full validation of that share.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Correction, Eligius doesn't allow it either. NO pool supports that. Just because pools support GBT doesn't mean they're actively allowing miners to contribute their own transaction list. That would be ridiculously expensive in bandwidth.

Thanks for the correction.  Why would it be expensive in terms of bandwidth?  For shares which don't solve a block the tx set isn't needed.  The merkle root, and merkle branch is sufficient to verify the attempted share has the correct coinbase tx.   Shares that do solve a block are rare enough to be a rounding error on bandwidth requirements.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
is this possible? That would be interesting. that way i can benefit from all the features of Ghash without giving them my power to vote/doublespend. In fact, everyone should do this, so they can vote individually and prevent doublespending, while still enjoying the benefits of your favorite pool.

In theory yes but it requires
a) The pool support a mechanism where the miner not the pool handles tx selection (getblocktemplate is one possible solution but others could be defined).
b) The miner has a local bitcoind running to independently select transactions.
c) The mining software supports the system.

If you mean as of right now? The answer is no.  GHASH (and AFAIK all other major pools except Eligius) support no mechanism where the miner can independently select the tx set for the next block.
Correction, Eligius doesn't allow it either. NO pool supports that. Just because pools support GBT doesn't mean they're actively allowing miners to contribute their own transaction list. That would be ridiculously expensive in bandwidth.
donator
Activity: 1218
Merit: 1079
Gerald Davis
is this possible? That would be interesting. that way i can benefit from all the features of Ghash without giving them my power to vote/doublespend. In fact, everyone should do this, so they can vote individually and prevent doublespending, while still enjoying the benefits of your favorite pool.

In theory yes but it requires
a) The pool support a mechanism where the miner not the pool handles tx selection (getblocktemplate is one possible solution but others could be defined).
b) The miner has a local bitcoind running to independently select transactions.
c) The mining software supports the system.

If you mean as of right now? The answer is no.  GHASH (and AFAIK all other major pools except Eligius) support no mechanism where the miner can independently select the tx set for the next block.
legendary
Activity: 1106
Merit: 1005

from one of the comments:

Quote
Some of p2pool's suggested advantages are a bit exaggerated. The recent P2SH woes are a non-issue since miners who want to vote can simply go to a pool that votes as they want. The more generic concentration of power problem can alternatively be solved with smart miners (miners who generate blocks themselves or from an independent party, and submit shares with Merkle branches of the generation transaction which are accepted if it credits the pool).

Because of these reasons, I believe the future will be small PPS pools which act as a proxy to p2pool (with or without the use of independent block-issuing nodes). These will have low fees, no variance, as many features as the pool operator wants to implement, and will not be highly centralized. Until we see more of these I don't think there's much justification for p2pool going mainstream.


is this possible? That would be interesting. that way i can benefit from all the features of Ghash without giving them my power to vote/doublespend. In fact, everyone should do this, so they can vote individually and prevent doublespending, while still enjoying the benefits of your favorite pool.
newbie
Activity: 1
Merit: 0
Now is the time to start thinking about the future of Bitcoin. We're currently in a situation where the developers of Bitcoin are attempting to enable a new feature called multisig which is a massive technological improvement to the Bitcoin protocol.



For the developers to be able to safely go forward with these changes they need 55% of the processing power in the network and Deepbit holds more than 30%. It's important to understand that this issue is undermining the whole idea behind Bitcoin. This massive centralization is a threat to all future development of Bitcoin. It's not about 51% attacks anymore, this is much more significant. One pool operator, namely Tycho, holds all the cards as far as any major development of the Bitcoin protocol is concerned.


For more information on this I recommend these following threads. Read what P2SH is about. Move to a smaller pool and consult your mining pool operator on what he thinks about the multisig implementations. The other option is to move to p2pool and vote for yourself, directly. Or at least pressure your current pool operator to offer different servers for different votes so you have a choice.

https://bitcointalksearch.org/topic/bip-16-17-in-laymans-terms-61125
https://bitcointalksearch.org/topic/miners-dont-even-know-they-can-vote-on-p2sh-60829
https://bitcointalksearch.org/topic/mining-pools-and-voting-on-the-future-of-bitcoin-60981

Hi Technomage,

I am a BitCoin novice user and only started micro mining a couple of weeks ago. But what you say is very sound. Facts and the true are always clear but some people try to hide from the majority or obfuscate them for their own selfish ends.

The bottom line is that if there are only a few large mining pools, these operators can hold us to blackmail and as you say, make the decisions on the development of the BitCoin protocol to suit their own ends.
Thank you for raising awareness on this vital issue. I think the long there danger of creating a few big mining pools doesn't ever appear on most small time miner's radars. They go with what is easy and what their friends have done. It's not feasible for me to implement P2SH mining at this time as I have under 10 GH/s processing power. I think I read the minimum recommended hashing power for implementing P2SH is 40 GH/s

Keep up the good work!

Best wishes,
Zephyr

Pages:
Jump to: