
Topic: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin (Read 7424 times)

hero member
Activity: 812
Merit: 1001
Wow! I found out about this paper quite late... It was forwarded to me by a friend...

This is basically my response to that friend, at which I arrived rather hastily and independently, i.e. before reading this thread or any comments on the article.

For whatever it's worth.


"

Interesting, I had a quick read. He may be a smart and credible guy,
but he does not get it, IMO.

His points on snapshots are rather irrelevant so I'll ignore them.

Then, first of all, he is trying to solve a non-problem and fails to
see that the issue he is trying to solve is not a bug but a feature.

There is no problem with energy consumption, it is a very low price to
pay for getting rid of all the middlemen leeching a few percent from
every money transfer. Moreover, the energy spent by miners on securing the
block chain is rather negligible in comparison to the energy spent on other
ways to do money, when you consider, for example, the energy required to
haul all the cash and gold in armoured trucks, smelting gold bullion,
coining coins, smelting metal for the bank vaults and so on...

Second of all, his "efficient solution" is very weak. Essentially, he
is proposing to replace voting weighted by pure computational power
(surely not a very energy-efficient way) with voting weighted by the number
of clients plugged into the network, without proposing any viable way
(since it is impossible) to ensure that this number of clients is not
faked. Therefore, he is effectively shifting the proof-of-work concept
from doing lots of SHA-256 calculations to opening lots of ports on
lots of IPs simultaneously. This could solve the problem of quick
propagation and wide distribution of information, but surely not the
problem of "double spending". Total epic fail!

He has also completely missed the economic part of the system, where
the initial bitcoin inflation serves the purpose of a subsidy to enable
quick growth of the network and make it secure from 50% attacks.

Busted... And bitcoin heavy hitters did not get to this yet, it is just me.


"

Did I get something badly wrong there?
member
Activity: 70
Merit: 10
The 10 year timespan is reasonable because the coins don't become worthless after 10 years (at 6.25BTC/block), just twice more prone to a theoretical attack that is still very hard to pull off. There's plenty of time to fix the system and change the block rules for example to impose a minimal fee, thus making the "mine for fee model" sustainable.

Maintaining that bitcoins will be worth still 15$ in 6 years time (when the bonus drops to 12.5) is not actually "keeping all other things equal". It implies a major source of liquidity on the market in order to displace those miners that are currently cashing out. So I think a revenue lower bound of 1500$/hour is highly probable for the mining revenue in the next 10 years. On the other hand most of the buyers are currently motivated by hype and speculative mania, and they will be long gone if the price stays rock solid for years. This is why extrapolations for the next decades are useless, the pyramid monetary scheme will long destroy it before double spend becomes a major threat.

Quote
If Bitcoin would be well accepted and a solid economy would depend on it, frauding a few Bitcoins wouldn't stop that

Frauding a few bitcoins, once discovered, is irrefutable evidence that someone has gained ownership of the 50% hashrate underpinning the security of the system. Since that someone can launch a devastating attack at any moment, aimed not at double spending but at disruption, and the same someone can rewrite history to assign ownership of all coins to himself, informationally efficient markets will drive the price very low to counteract that possibility.

Quote
I don't see the need to do so secretly, isn't Bitcoin supposed to be 'not backed by law or government'?

That does not mean your trades are not subject to the law of the country where they are performed. Since bitcoins have a fair market value they are taxable and fraud will attract criminal responsibility. People have been indicted for stealing WoW gold. If you barter for a house with bitcoins and fail to deliver them the contract is void, and if you do it with intent you are committing fraud. Intent can easily be proven with your ECDSA signature on two transactions with the same source.

Yup, you're right, I (or someone else) might have to do so secretly. I don't agree the 10 year timespan is reasonable, but I'm sure we'd never come to an agreement on that. I'm signing out (http://forum.bitcoin.org/index.php?topic=26738.0), this is my last post in this thread.
sr. member
Activity: 504
Merit: 250
The 10 year timespan is reasonable because the coins don't become worthless after 10 years (at 6.25BTC/block), just twice more prone to a theoretical attack that is still very hard to pull off. There's plenty of time to fix the system and change the block rules for example to impose a minimal fee, thus making the "mine for fee model" sustainable.

Maintaining that bitcoins will be worth still 15$ in 6 years time (when the bonus drops to 12.5) is not actually "keeping all other things equal". It implies a major source of liquidity on the market in order to displace those miners that are currently cashing out. So I think a revenue lower bound of 1500$/hour is highly probable for the mining revenue in the next 10 years. On the other hand most of the buyers are currently motivated by hype and speculative mania, and they will be long gone if the price stays rock solid for years. This is why extrapolations for the next decades are useless, the pyramid monetary scheme will long destroy it before double spend becomes a major threat.

Quote
If Bitcoin would be well accepted and a solid economy would depend on it, frauding a few Bitcoins wouldn't stop that

Frauding a few bitcoins, once discovered, is irrefutable evidence that someone has gained ownership of the 50% hashrate underpinning the security of the system. Since that someone can launch a devastating attack at any moment, aimed not at double spending but at disruption, and the same someone can rewrite history to assign ownership of all coins to himself, informationally efficient markets will drive the price very low to counteract that possibility.

Quote
I don't see the need to do so secretly, isn't Bitcoin supposed to be 'not backed by law or government'?

That does not mean your trades are not subject to the law of the country where they are performed. Since bitcoins have a fair market value they are taxable and fraud will attract criminal responsibility. People have been indicted for stealing WoW gold. If you barter for a house with bitcoins and fail to deliver them the contract is void, and if you do it with intent you are committing fraud. Intent can easily be proven with your ECDSA signature on two transactions with the same source.
member
Activity: 70
Merit: 10
Firstly I don't find any relevance in speculating what will happen in a few decades from now. The block bonus will stay above 12.5 BTC for the next decade, and it's entirely possible that bitcoin will run its course during this decade and fail for unrelated reasons. This is the internet after all. I've expressed my doubts that the "mine for fee" model is sound from a game-theoretical perspective: it seems the users are incentivized to pay a fee as small as possible (maybe 1 satoshi) since there's no way miners can differentiate on the market.

Then we have a Bitcoin that will work (or not due to other reasons) for the next decade. I wouldn't be satisfied with that and I think as soon as people realize that Bitcoin is not 'for ever', they will not accept it for one decade either.

For the purpose of our discussion, in the foreseeable future and without massive growth of the number of transactions, the main motivation of the miners is the block bonus. At current prices the block bonus is over 500$/block and all other things equal it should maintain that $ value even if it drops to 12.5BTC: the miners that don't hoard are the main source of liquidity and if they inject less BTC the price will rise proportionally. So in order to rent 50% of the network you need to pay at least 1500$/h.

If all other things are equal, block bonus will be about 12.6 (0.1 fees) * 15$ (current rate) = 189$ per block after the next decade. And if all things are equal, it will be 0.1 (fees) * 15$ = 1.5$ per block in normal Bitcoin operation, after the coin generation phase.

Secondly, you assume you will be able to amass this hashing power surreptitiously and use it repeatedly without being detected. That's not realistic. Honest miners are unlikely to rent you the hashpower since it's obvious why you needed it. Furthermore, if the average player is small, you will incur a high price in contacting many of them, and you will need to pay way above market rates to attract them. You will need to advertise and attract further suspicion upon yourself. It seems highly unlikely that your criminal endeavor reach the same economy of scale and efficiency the open network has. You will either build your own hardware, a capital intensive task, or buy it off the black market at very high prices in order to maintain discretion, from a handful of players (Large conspiracies inevitably fail). An hour of 50% hashpower will then cost maybe 150.000$, not 1500$.

Assuming you finally get to 50%, using it for a whole day will quickly attract the suspicion of the community. It's not reasonable to expect to use it more than a few times without crashing the bitcoin price and halting most bitcoin trades. You can't double spend a few bitcoins many times, you need to double spend many bitcoins a few times in order to recover your fixed costs, and before your attack tanks the exchange rate due to panic.

If Bitcoin would be well accepted and a solid economy would depend on it, frauding a few Bitcoins wouldn't stop that. Either there's not going to be a solid Bitcoin economy or it will be feasible to double-spend some coins often enough to get one's investment back (and more).

One more question, what do you mean by: "as to not get caught"?

Assuming you manage to do all of the above and successfully double spend 1 million $ in BTC, the fraud becomes apparent quickly. If you buy a large house you will get caught and be indicted, I have no doubt about that. You need to launder the money quickly and maintain anonymity to pull a double spend. I believe it's much more effective to simply short the market and attack the network directly, assuming you have 50% hash rate (borrow BTC and sell out, then buy back in at pennies, no need to be anonymous, just make sure the attack can't be traced back to you).

I don't see the need to do so secretly, isn't Bitcoin supposed to be 'not backed by law or government'? I'd not be committing fraud, I'd just be playing by the rules of the game!
sr. member
Activity: 504
Merit: 250
Have a look at the example above, I projected current bitcoin statistics to the moment there's no coin generation anymore. I dare you (or anyone) to alter some input values, like bitcoin value, transaction value, whatever, and I'll try to show such a scheme is still lucrative.

Firstly I don't find any relevance in speculating what will happen in a few decades from now. The block bonus will stay above 12.5 BTC for the next decade, and it's entirely possible that bitcoin will run its course during this decade and fail for unrelated reasons. This is the internet after all. I've expressed my doubts that the "mine for fee" model is sound from a game-theoretical perspective: it seems the users are incentivized to pay a fee as small as possible (maybe 1 satoshi) since there's no way miners can differentiate on the market.

For the purpose of our discussion, in the foreseeable future and without massive growth of the number of transactions, the main motivation of the miners is the block bonus. At current prices the block bonus is over 500$/block and all other things equal it should maintain that $ value even if it drops to 12.5BTC: the miners that don't hoard are the main source of liquidity and if they inject less BTC the price will rise proportionally. So in order to rent 50% of the network you need to pay at least 1500$/h.

Secondly, you assume you will be able to amass this hashing power surreptitiously and use it repeatedly without being detected. That's not realistic. Honest miners are unlikely to rent you the hashpower since it's obvious why you needed it. Furthermore, if the average player is small, you will incur a high price in contacting many of them, and you will need to pay way above market rates to attract them. You will need to advertise and attract further suspicion upon yourself. It seems highly unlikely that your criminal endeavor reach the same economy of scale and efficiency the open network has. You will either build your own hardware, a capital intensive task, or buy it off the black market at very high prices in order to maintain discretion, from a handful of players (Large conspiracies inevitably fail). An hour of 50% hashpower will then cost maybe 150.000$, not 1500$.

Assuming you finally get to 50%, using it for a whole day will quickly attract the suspicion of the community. It's not reasonable to expect to use it more than a few times without crashing the bitcoin price and halting most bitcoin trades. You can't double spend a few bitcoins many times, you need to double spend many bitcoins a few times in order to recover your fixed costs, and before your attack tanks the exchange rate due to panic.

One more question, what do you mean by: "as to not get caught"?

Assuming you manage to do all of the above and successfully double spend 1 million $ in BTC, the fraud becomes apparent quickly. If you buy a large house you will get caught and be indicted, I have no doubt about that. You need to launder the money quickly and maintain anonymity to pull a double spend. I believe it's much more effective to simply short the market and attack the network directly, assuming you have 50% hash rate (borrow BTC and sell out, then buy back in at pennies, no need to be anonymous, just make sure the attack can't be traced back to you).
member
Activity: 68
Merit: 10
posted by misterbigg:
Quote
This article, thinly masquerading as a scholarly work, is full of crap. It is a clear example of what happens when a non-programmer, non-technical person combines a word processor with a PDF creation tool.

LOL

Much of what gets posted on this forum is a clear example of what happens when people assume they are right, and that anyone who contradicts them must be an ignorant savage.     


Frank
member
Activity: 70
Merit: 10
I was referring to the specific attack described in the paper, rewriting history from block one and assigning to yourself all bitcoins, which is clearly a stupid way to steal bitcoins - they instantly become worthless.
I agree, that would be a stupid 'attack', at least not a very profitable one. In the paper it serves the purpose of proving that, even though not profitable, it is possible, and therefore undermining the principle of Bitcoin's block-chain as consensus. At least, as long as not 50% of total existing computer power is used 'in an honest way'.

Regarding merely double spending your bitcoins that's even less of a concern: you still need to amass millions of dollars worth of hardware and millions of dollars worth of bitcoins - so that you can double spend them a few times and recover your hardware costs. It also means you need to find a trading partner willing to sell you millions of dollars worth of merchandise for bitcoins, and do so in an anonymous fashion preferably over the internet so as to not get caught. Good luck with that plan.

The temporary mining revenue of 50 BTC/block and later 25 or 12.5 BTC will be worth much more if the bitcoin network is regularly used for multi-million dollar transactions as opposed to buying a few grams of hash or an alpaca sock.

This is all reason why profit-oriented attackers are implausible, or at least their profit will be derived from the failure of bitcoins: speculators, governments, banks etc.

Have a look at the example above, I projected current bitcoin statistics to the moment there's no coin generation anymore. I dare you (or anyone) to alter some input values, like bitcoin value, transaction value, whatever, and I'll try to show such a scheme is still lucrative.

One more question, what do you mean by: "as to not get caught"?
sr. member
Activity: 504
Merit: 250
I was referring to the specific attack described in the paper, rewriting history from block one and assigning to yourself all bitcoins, which is clearly a stupid way to steal bitcoins - they instantly become worthless.
Regarding merely double spending your bitcoins that's even less of a concern: you still need to amass millions of dollars worth of hardware and millions of dollars worth of bitcoins - so that you can double spend them a few times and recover your hardware costs. It also means you need to find a trading partner willing to sell you millions of dollars worth of merchandise for bitcoins, and do so in an anonymous fashion preferably over the internet so as to not get caught. Good luck with that plan.

The temporary mining revenue of 50 BTC/block and later 25 or 12.5 BTC will be worth much more if the bitcoin network is regularly used for multi-million dollar transactions as opposed to buying a few grams of hash or an alpaca sock.

This is all reason why profit-oriented attackers are implausible, or at least their profit will be derived from the failure of bitcoins: speculators, governments, banks etc.
member
Activity: 70
Merit: 10
It's pretty clear that rewriting the history is not equivalent with stealing everybody's money, rather it means destroying the system and making the coins worthless, so the likely attackers will not be profit-motivated by any definition of profit expressed in bitcoins.

There would be an incentive, by double-spending coins and making a profit that way, see example above.

The hashing power of the network already surpasses what could be accomplished by ~10 million commodity PCs, excluding even the largest botnets as worthy attackers.

About 99.8% of the hashing power of the network is currently paid for by temporal rewards of 50 bitcoins per block.
sr. member
Activity: 504
Merit: 250
The Bitcoin eligible voters are not "the majority of computing power in existence" because computing power is not a fungible, homogeneous substance. You can easily see a 10^4 performance ratio on specialized versus commodity hardware (ASIC vs CPU), so that the Bitcoin network becomes impervious to attack if it makes up only 0.01% of the "computing power of the world" as expressed in transistors*Hz. Rather, Bitcoin, like most other currencies in the world, is up against any adversary more financially powerful than its backers (the miners). So if you are willing to invest more than the compounded mining profit, you can take the majority vote and influence consensus, by expanding the computing power of the world in the form of efficient mining machines.

It's pretty clear that rewriting the history is not equivalent with stealing everybody's money, rather it means destroying the system and making the coins worthless, so the likely attackers will not be profit-motivated by any definition of profit expressed in bitcoins. We could talk about governments, banks, competing currencies, lulz etc. It's only a matter of speculation if an attacker likely to act in such a manner exists. Furthermore, as the network expands the window of opportunity closes to exclude small scale lulz-motivated attackers, and allow only governments or large corporations. The hashing power of the network already surpasses what could be accomplished by ~10 million commodity PCs, excluding even the largest botnets as worthy attackers.
newbie
Activity: 37
Merit: 0
which explains his view on why bitcoin is either not a decentralized system, or that if it is, how it could be a more efficient one.
Not being able to make up one's mind on what a certain subject is or isn't kinda hints at how much of an expert one is in that subject.
hero member
Activity: 772
Merit: 501
Quote from: Stevie
Then who would be paying for that significantly increased network hashrate?

Volunteers perhaps.

In any case, this is all such an extreme hypothetical, that it's not really worth exploring more IMO. We're debating how secure bitcoin will be in 20+ years IF the transaction volume is comparable to today's.

I think if we want to discuss it further, it would be best to do it by pm as this is somewhat off-topic.
member
Activity: 70
Merit: 10

Quote
True, I did not take into account the initial acquisition value (which I would estimate at 10.000$ in the example above). I only took into account the depreciation of that hardware (and then added another $ per hour). I think that's not unreasonable and standard procedure in profit/loss calculations. The same trick could be pulled off multiple times with that very same hardware, or the hardware can be used for different purposes (e.g. video rendering) afterwards.

I don't think the attack could be pulled off multiple times. Either the value of bitcoin would plummet, or the network hashrate would increase significantly to prevent future such attacks. The attack can't be a recurring source of income.


Then who would be paying for that significantly increased network hashrate?

I do agree there's a risk that bitcoin value would plummet, therefore my premise 'a truly valuable bitcoin, with a value that can be depended on'. So either the example shows such a scheme would be profitable, or that bitcoin value can never be depended on.
hero member
Activity: 772
Merit: 501
Quote from: Stevie
Don't know exactly what you mean here, maybe you are agreeing that all values are proportional to bitcoin value?

I'm disputing your claim that an attack becomes more attractive as the value of bitcoin increases. I'm pointing out the extra cost of the attack would cancel out the extra reward.

You did clarify later on that by 'valuable', you meant a more steady/dependable price, and not necessarily a higher market price, so I guess in light of this my response is not that applicable to your point, and we can move on.

Quote
True, I did not take into account the initial acquisition value (which I would estimate at 10.000$ in the example above). I only took into account the depreciation of that hardware (and then added another $ per hour). I think that's not unreasonable and standard procedure in profit/loss calculations. The same trick could be pulled off multiple times with that very same hardware, or the hardware can be used for different purposes (e.g. video rendering) afterwards.

I don't think the attack could be pulled off multiple times. Either the value of bitcoin would plummet, or the network hashrate would increase significantly to prevent future such attacks. The attack can't be a recurring source of income.
member
Activity: 70
Merit: 10
So after all that effort in getting 23 GH/s, you only make $2,000?
In the example I overestimated the cost, so there's a break-even when hashing for 20 hours at 5$ / hour and a 100$ scam. My point would be that it can be profitable to gain 51% of hashing power, and the problem of creating consensus as stated in Ben Laurie's paper is far from hypothetical.
member
Activity: 70
Merit: 10
But the ratio of cost to transaction value stays the same regardless of what the value of bitcoin is, since the cost of pulling it off increases at the same rate as the transaction value does, as the value of bitcoin increases.
Don't know exactly what you mean here, maybe you are agreeing that all values are proportional to bitcoin value?

Also, your claim seems to assume that all the transaction value in a block can be confiscated by the person doing the double spend attack, when in reality, the only thing they can steal is the money they transferred to others, by reversing those transactions, and NOT the entire transaction value.
No, in my example I used only one transaction of 100$, which would not be conspicuous. And it would probably not attract any attention if a few more of those transactions were slipped in.

It would definitely be much easier to attack bitcoin if transaction volume doesn't increase by the time coin generation becomes negligible, but your calculation of cost doesn't take into account the long term investment required to acquire a large amount of hashing power, not just purchasing the hardware, but getting the facility, setting it up, etc all of which have a huge fixed cost, and therefore the need to double spend for many blocks, to make back the cost of the investment.
True, I did not take into account the initial acquisition value (which I would estimate at 10.000$ in the example above). I only took into account the depreciation of that hardware (and then added another $ per hour). I think that's not unreasonable and standard procedure in profit/loss calculations. The same trick could be pulled off multiple times with that very same hardware, or the hardware can be used for different purposes (e.g. video rendering) afterwards.
hero member
Activity: 772
Merit: 501
Quote
Quote from: amincd on Today at 06:27:12 am
Quote
The whole double-spending scenario is proportional to bitcoin value. If value were to go up orders of magnitude, the number of blocks needed to get your investment back goes down the same order of magnitude.

But difficulty, and therefore cost of a double spend attack, is also proportional to bitcoin value, so the rise in the potential reward of a double spend attack, is canceled out by the rise in cost in pulling it off, as bitcoin value increases.
I don't agree, as the cost of pulling it off is proportional to transaction fee cost, which is much lower than transaction value.

But the ratio of cost to transaction value stays the same regardless of what the value of bitcoin is, since the cost of pulling it off increases at the same rate as the transaction value does, as the value of bitcoin increases.

Quote
If nothing were to change in the value of bitcoins or transaction fees, I'd eventually have to produce 23.6 Ghash / second for a successful attack. Which would cost me roughly 15 kW electricity (ca. 3$ per hour) and (very) roughly 1$ depreciation per hour of my hardware. Let's say it costs 5$ per hour all together.

It would definitely be much easier to attack bitcoin if transaction volume doesn't increase by the time coin generation becomes negligible, but your calculation of cost doesn't take into account the large initial investment required to acquire a large amount of hashing power, which is not just purchasing the hardware, but getting the facility, putting in the man-hours to set it up, etc all of which have a huge fixed cost, and therefore the need to double spend for many blocks, to make back the cost of the investment.

Quote
I can then sustain an attack where I forge (double spend) say 100$ (which will not be conspicuous) for 20 hours (which should be more than enough to collect).

So after all that effort in getting 23 GH/s, you only make $2,000?


member
Activity: 70
Merit: 10
Quote
With that premise, that could very well be.

Thanks for conceding that.
You're welcome  |-)

Quote
The whole double-spending scenario is proportional to bitcoin value. If value were to go up orders of magnitude, the number of blocks needed to get your investment back goes down the same order of magnitude.

But difficulty, and therefore cost of a double spend attack, is also proportional to bitcoin value, so the rise in the potential reward of a double spend attack, is canceled out by the rise in cost in pulling it off, as bitcoin value increases.
I don't agree, as the cost of pulling it off is proportional to transaction fee cost, which is much lower than transaction value.

Let's look at the current state of bitcoin:

Rewards are 50 (temporally minted) + 0.10 (fees) bitcoins per block.

Resulting hashrate is 11326 (paid by temporally minted) + 23.6 (paid by fees) Ghash / second.

If nothing were to change in the value of bitcoins or transaction fees, I'd eventually have to produce 23.6 Ghash / second for a successful attack. Which would cost me roughly 15 kW electricity (ca. 3$ per hour) and (very) roughly 1$ depreciation per hour of my hardware. Let's say it costs 5$ per hour all together.

I can then sustain an attack where I forge (double spend) say 100$ (which will not be conspicuous) for 20 hours (which should be more than enough to collect).
hero member
Activity: 772
Merit: 501
Quote
With that premise, that could very well be.

Thanks for conceding that.

Quote
The whole double-spending scenario is proportional to bitcoin value. If value were to go up orders of magnitude, the number of blocks needed to get your investment back goes down the same order of magnitude.

But difficulty, and therefore cost of a double spend attack, is also proportional to bitcoin value, so the rise in the potential reward of a double spend attack, is canceled out by the rise in cost in pulling it off, as bitcoin value increases.

member
Activity: 70
Merit: 10
Quote from: Stevie
With 'truly valuable' I mean value that can be depended on, no matter what that value is. I certainly don't want to speculate about whether that value be higher or lower, but if it were higher, transaction fees would be worth more than now. But if I do a rough guess of the transaction fees (by inspecting a few blocks on the blockexplorer), they're now about 0.05 - 0.20 bitcoins per block.

That means, if exchange rates wouldn't change, a ROI of 0.2% of what it is now and with that an expected difficulty of 0.2% of what it is now. A not so huge investment is necessary for that.

I know, fees could rise, the exchange rates could rise, the number of transactions per block could rise.

If bitcoin is to be a successful currency, exchange rates and number of transactions will rise by orders of magnitude by the time coin generation per block has become negligible.

With that premise, that could very well be.

Once again:

The cost of producing hashes is not a short term cost. It requires a long term investment in the hardware that produces them, so unless there's a way to double spend for hundreds of blocks without crashing the value of bitcoins, it would not be worth it. It would be more lucrative to just be honest.

The whole double-spending scenario is proportional to bitcoin value. If value were to go up orders of magnitude, the number of blocks needed to get your investment back goes down the same order of magnitude.