Topic: Selfish mining theory (Read 2063 times)

sr. member
Activity: 353
Merit: 250
Impossible
October 05, 2014, 06:55:35 AM
#16
This interesting idea.

No it's not. Did you even read the posts above?
hero member
Activity: 600
Merit: 511
October 05, 2014, 06:54:08 AM
#15
This interesting idea.
legendary
Activity: 3472
Merit: 4801
October 01, 2014, 08:27:07 AM
#14
What I am wondering is, even if it requires the same amount of power for a classical 51% attack and beyond, wouldn't lowering the difficulty and then cranking it up produce more bitcoins than expected?

The only way to lower difficulty is to produce less blocks (and therefore less bitcoins) in a given amount of time (or more specifically to take longer to produce 2016 blocks).  This puts the rest of the network ahead of you with more blocks and more bitcoins.

Then once difficulty is lower, (if you have enough hash power) you can produce your blocks more quickly than the rest of the network, but you'll spend much of that time just getting caught up.  At best, you can maintain a small burst of very fast blocks, possibly exceeding the "one every ten minutes" average. However, when you reach the next 2016 block increment, the difficulty will automatically adjust for your increased speed and you will be back to producing one block every 10 minutes again.

In order to mine all the blocks AND maintain a block production rate that is higher than one every ten minutes, you have to start with more than 50% of the hash power, and then significantly increase your hash power every 2016 blocks.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
September 30, 2014, 11:49:34 PM
#13
What I am wondering is, even if it requires the same amount of power for a classical 51% attack and beyond, wouldn't lowering the difficulty and then cranking it up produce more bitcoins than expected?
sr. member
Activity: 476
Merit: 250
September 30, 2014, 07:25:37 PM
#12
The deciding factor of which branch of the blockchain to select in a fork is to look at the total difficulty of all blocks summed up and select the chain with the highest total difficulty. In your proposed attack scheme, the attacker may generate a longer chain, counted by the number of blocks, but it will have a lower total difficulty than the chain the rest of the network is using and the attack will fail.
Unless after lowering it, the attacker cranks the hashrate up to match to the network's when he joins back.
In order for this to work, the total amount of work done on the blockchain must be greater than the total amount of work done on the blockchain that is not isolated, so there is no reason to lower the difficulty temporarily, as they would need to have the same number of "hashes" to make the total work greater.
legendary
Activity: 3472
Merit: 4801
September 30, 2014, 06:28:29 PM
#11
The deciding factor of which branch of the blockchain to select in a fork is to look at the total difficulty of all blocks summed up and select the chain with the highest total difficulty. In your proposed attack scheme, the attacker may generate a longer chain, counted by the number of blocks, but it will have a lower total difficulty than the chain the rest of the network is using and the attack will fail.
Unless after lowering it, the attacker cranks the hashrate up to match to the network's when he joins back.

That's called a majority hash power attack (or a "51% attack", or a "greater than 50% attack"), and if you have access to that much hash power, then there is no need to isolate your network and force a lower difficulty.

EDIT: It looks like BurtW gave you the same answer as me, but he did it faster.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 30, 2014, 06:22:15 PM
#10
The deciding factor of which branch of the blockchain to select in a fork is to look at the total difficulty of all blocks summed up and select the chain with the highest total difficulty. In your proposed attack scheme, the attacker may generate a longer chain, counted by the number of blocks, but it will have a lower total difficulty than the chain the rest of the network is using and the attack will fail.
Unless after lowering it, the attacker cranks the hashrate up to match to the network's when he joins back.

Let me see if I understand what you are saying:

Make a bunch of low difficulty blocks
Crank back up to the network difficulty
Make a few blocks at the network difficulty

Can you see that the sum of that work will be less than the sum of the work done by the rest of the network while you were farting around = you lose?

Now if you can:

Match the network
Crank up to above the network
Produce a few blocks above the network

Then you can win, but we are just back to the tried and true 51% attack for the most part.

Go read:  https://bitcointalksearch.org/topic/potential-bug-in-bitcoin-long-range-attacks-596892

It discusses this in totally gory detail.
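The comparison walked through in the post above, as an added example that is not part of the original thread: each branch's work is summed from per-block targets, and the branch with the most work is selected regardless of block count. The difficulty values and branch lengths are constructed, and the sketch assumes every block already passed difficulty validation, so it models fork choice only.

```python
# Added illustration: fork choice by cumulative proof-of-work, not block count.
# Difficulty values and chain lengths below are constructed for the example.

MAX_TARGET = 0xFFFF << 208  # target that corresponds to difficulty 1


def target_from_difficulty(difficulty: int) -> int:
    """Higher difficulty means a smaller target a block hash must fall under."""
    return MAX_TARGET // difficulty


def block_work(target: int) -> int:
    """Expected number of hashes needed to find one block at this target."""
    return (1 << 256) // (target + 1)


def chain_work(difficulties: list[int]) -> int:
    """Total work of a branch, given the difficulty of each block after the fork."""
    return sum(block_work(target_from_difficulty(d)) for d in difficulties)


def best_chain(branches: dict[str, list[int]]) -> str:
    """Return the name of the branch with the most cumulative work."""
    return max(branches, key=lambda name: chain_work(branches[name]))


# Constructed scenario: all branches start at the same fork point.
HONEST = [1000] * 100                    # 100 blocks at network difficulty
LOW_THEN_UP = [250] * 150 + [1000] * 3   # many cheap blocks, then a few at full difficulty
FEWER_BUT_HEAVIER = [2000] * 60          # fewer blocks, each representing more work

if __name__ == "__main__":
    branches = {"honest": HONEST, "low_then_up": LOW_THEN_UP}
    for name, blocks in branches.items():
        print(f"{name:18} blocks={len(blocks):4} work={chain_work(blocks)}")
    print("selected:", best_chain(branches))
    branches["fewer_but_heavier"] = FEWER_BUT_HEAVIER
    print("selected with heavier branch:", best_chain(branches))
```

The low-difficulty branch has 153 blocks against 100 yet carries well under half the work, so it loses; the 60-block branch wins only because it represents more total hashing.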
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
September 30, 2014, 06:18:43 PM
#9
The deciding factor of which branch of the blockchain to select in a fork is to look at the total difficulty of all blocks summed up and select the chain with the highest total difficulty. In your proposed attack scheme, the attacker may generate a longer chain, counted by the number of blocks, but it will have a lower total difficulty than the chain the rest of the network is using and the attack will fail.
Unless after lowering it, the attacker cranks the hashrate up to match to the network's when he joins back.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 30, 2014, 06:12:12 PM
#8
I had forgotten about this thread:

https://bitcointalksearch.org/topic/potential-bug-in-bitcoin-long-range-attacks-596892

That was a great one to try to follow and understand.  One of those threads where I was hanging on by my fingernails trying to keep up - I like those.

OP:  go read that thread and report back.
legendary
Activity: 3472
Merit: 4801
September 30, 2014, 06:10:25 PM
#7
Hey Danny,

I wonder if the chain with the most work has actually ever been a chain with less blocks?  If that has ever happened it would have to be a pretty rare event.  Perhaps in the early days it may have happened more when the difficulty was very low.  Interesting esoteric question.

BurtW

It seems quite unlikely.

In order for it to happen, you'd have to have one of the following:

An attacker that is smart enough to segment off a portion of the network long enough for their sub-network to choose a significantly easier difficulty than the rest of the network, while dumb enough to think that their attack would work and to actually waste time trying it.

or

An attacker that is smart enough to change the source code in their miners to use the wrong difficulty setting, while dumb enough to think that their attack would work and to actually waste time trying it.

or

A sub-network with a substantial percentage of the total global hash power that naturally becomes isolated enough that it is unaware of the valid blocks from the rest of the network and is able to generate its own blocks frequently enough to convince the users that they are on the global consensus network.  This isolation would need to last long enough for the sub-network to calculate a substantially easier difficulty than the global consensus network (which would put it many blocks behind the consensus network). Then it would need a substantial amount of additional hash power added to the isolated network so that it can surpass its block count deficit before the isolation is removed.

legendary
Activity: 3472
Merit: 4801
September 30, 2014, 05:33:59 PM
#6
It's a shame nobody ever thought to ask this question in the past.  Then we wouldn't have to try and figure out such a complicated concept today.

Just for fun, let's see what a quick Google search turns up?

Nodes (once again ALL NODES not just miners) use the longest (most work) VALID chain.

But then, what's the legitimate branch of the chain?
That is determined by what in Bitcoin terms would be "the most work".
- snip -

- snip -
This attack does not exist because Bitcoin chooses the chain with the most work, not the most blocks.

- snip -
bitcoin uses a cryptographic proof of work with a most-work-wins approach to double-spend resolution.
- snip -

- snip -
* Longest technically means the most work not necessarily the most blocks as Bitcoin selects as the primary chain the one with the highest collective difficulty.

- snip -
The Bitcoin client will accept the "longest chain", which is the chain with the most work behind it.
- snip -

- snip -
Client trusts the “longest” (most work) chain,
- snip -

- snip -
The bitcoin protocol specifies that in the case of a blockchain fork the winning chain is the one with the most work in it.
- snip -

Wow.  It's almost like there's an actual reason that the system is called "proof-of-work".  As if it's necessary to somehow provide cryptographic proof that your chain involved the most work in order to be considered to be the current consensus chain.
member
Activity: 88
Merit: 12
September 30, 2014, 01:14:25 PM
#5
As Rannasha said, it's not just which chain is longer, it's which chain represents more work. It used to be that the correct chain was the longer one, but I think that the rule was changed to the most work when someone considered the sort of attack that you're talking about.

This discussion on the stack exchange I think will make things clear. It's a little verbose, but a good read. http://bitcoin.stackexchange.com/questions/29742/strongest-vs-longest-chain-and-orphaned-blocks
hero member
Activity: 728
Merit: 500
September 29, 2014, 12:54:37 AM
#4
The deciding factor of which branch of the blockchain to select in a fork is to look at the total difficulty of all blocks summed up and select the chain with the highest total difficulty. In your proposed attack scheme, the attacker may generate a longer chain, counted by the number of blocks, but it will have a lower total difficulty than the chain the rest of the network is using and the attack will fail.
full member
Activity: 346
Merit: 102
September 28, 2014, 11:25:36 PM
#3
First issue you have to deal with is that there is a maximum amount the difficulty can go up in one adjustment and also a maximum amount it can go down in one adjustment.
What is the max that difficulty is able to go down in one difficulty change? I know that it can go up no more than 4X but am not sure about down? (Is the limit to go down by 75% to match how much it can go up by?)
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 28, 2014, 10:32:33 PM
#2
First issue you have to deal with is that there is a maximum amount the difficulty can go up in one adjustment and also a maximum amount it can go down in one adjustment.

The second thing is that after creating a long chain at the lower difficulty and then publishing it, the rest of the network will simply reject this "long chain" because it was created at the wrong difficulty - according to the rest of the network.

So all the effort will be wasted, the chain created this way is thrown out, Bitcoin is unaffected.
9kv
full member
Activity: 145
Merit: 100
Learning
September 28, 2014, 08:53:09 PM
#1
If someone controls a couple nodes (10 for example, shouldn't be hard to do that right?), and at some point he isolates those nodes from the other bitcoin nodes, that will lead to an isolated blockchain that only he has access to, and if he mines on it at 1kh/s or whatever super slow hash rate, at the time of recalculating the difficulty, it'll drop down by a huge amount considering there wouldn't be any new blocks found between the time he isolated the chain till the time of changing the target difficulty (maybe he waits for 2 recalculating events, or modifies something to make the difficulty drop to the lowest possible, not sure how possible that is). After this new low difficulty, he uses high mining power to create blocks at very high speed since the difficulty has dropped (on his own blockchain), meanwhile the true blockchain will have generated blocks that aren't included in those isolated chains, but due to him having low difficulty he generated twice the amount of blocks (or maybe x1.5 for example). If he then releases those nodes and they start interacting with other nodes, will this "self generated" chain become the "true" chain? I mean since it's a longer chain wouldn't it be the "true" blockchain? And that person would have actually reversed some transactions, and also generated new blocks and taken the reward for himself?

I got this theory while reading an article about selfish mining, but for selfish mining to work you'll need to have something around 25% hash rate? (can't remember the exact %)

Anyway, the idea was taken from selfish mining, but I added that the attacker needs to have a couple nodes under his control and he isolates them in order to massively reduce the target difficulty so he can generate blocks at ridiculously high speed to make up for the time he didn't generate blocks while isolated.
Also I'm not sure if 10 nodes are enough? Maybe he needs something like 1/3 of the total number of nodes to make sure that his blockchain will be published to everyone?

That's all, if anyone can explain if it's possible or not or if you can provide links to articles that help me find the answer I'd really appreciate it, hope I explained my theory in an easy way.