Topic: the Block Discarding Attack / shellfish mining - page 2. (Read 28646 times)

The ideology underpinning Bitcoin is that:

1. The monetary supply should be fixed, neither inflating nor shrinking (too much)
2. The inflation schedule is chosen first, and the technology conforms to it. Here we would have a technological consideration affecting the monetary base.

Unless the operator owns a substantial amount of his pool's hashing power, but that starts to blur the lines of whether you call them a pool or a large solo miner with hangers on.

Puts the efficacy of the Discard/Selfish attack into even more questionable territory, as only large solo miners can hope to pull it off. And they also need to hope they can beat all odds of throwing away more good block solutions to honest miners than they can possibly build privately forked blocks onto.

This is an attack against your own mining success. If an attacker succeeded, they can only do so with multiple failed attempts, and the failed attempts can only add up to an overall net loss of mining rewards. The practicalities of Discard/Selfish attack are self-inhibiting; the honest miners will gain more than they lose as a consequence of how frequently they can solve a block that the attacker is withholding.

Why not?


Seems fairly consistent with the deflationary ideology underpinning Bitcoin.

Maybe this could be prevented in the future with homomorphic encryption, though I agree that it would be easy to register just a simple worker on all pools and then you know when they found blocks.

Could one then "wage war" against a pool by trying to fork their blocks? On the other hand, if you then create a fork, you also need to tell everybody else about it, so they actually do claim the forking reward or your work was in vain. You cannot even assume that the others will propagate the fork to miners you don't know until the first one that knows about the fork claims a reward as they will not want to tell each other... and then the reward was taken anyways.

100 blocks (or rather a number slightly smaller than this) might be a good time frame, as it is anyways not possible to spend anything from new blocks for this amount of time. I'm not too sure how reorganization events would be handled then though, especially with a split close to 50:50, where 2 chains compete over a longer period of time and dead forks suddenly become alive again.

He knows. His ability to access the internet is poor and thus it can take some time for him to fix the typos and respond to comments.

The pool operator doesn't have to share that he found a block... But if he wants to carry out the attack as described, he needs to start mining on top of the block he just found. To do that he needs to submit to all of his miners a header that builds on the newly found block. So a pool-based attacker does need to share the hidden blocks with his miners.

I think that's a good point, we may need to tweak the whistleblowing reward to be balanced against the difficulty ratio.

In fact if we do rollover transaction fees, the whistleblowing reward actually can be very small.

I don't see how that's a problem.

It's deducted from the reward of the block that has an orphan brother. That's actually the main point, disincentivizing creating forks.

It's a pity that the OP thinks that "shellfish" is more interesting (seriously OP - could you edit your title as it just looks plain silly).

By the way, the strategy was called "selfish" mining, in the sense of being selfish or acting in only one's own interest potentially on the expense of others.

No, that is not the case - the only people that know that a winning nonce has been found are the pool operator and the person that mined this winning share. As there are a LOT of miners in a pool, it is highly unlikely that this is detectable by the miners themselves, unless they collude and check their nonces. The pool then can choose to reveal the block ("honest" miners are advised to do this as soon as possible to as many high hashrate miners as possible, sorted by hash rate - blockchain.info and other highly connected peers might only be useful to reach parts of the network you don't have a low latency, high bandwidth connection with). There is no way for a miner to know that a block was found or that the merkle root just changed because the pool server included another transaction.

Difficulty can have changed by up to a 4 times increase in the past 10 blocks...

Also this give a strong disincentive to communicate forks you know about to others, to reap the rewards. Also: Where does the reward come from?


Next time, I hope anyone bothering to write a paper first presents their findings here or with selected highly knowledgeable developers/members before doing the actual work of compiling something based on wrong or weak premises.

If Bitcoin really worked like they assumed in their paper, the attack really would work. It doesn't however and I hope your unpublished (but hopefully already discussed in private with several members here...) attack also takes into account how the actual Bitcoin network and it's miners are connected instead of assuming that sibyl attacks are easily possible.

That should work but it's a deeper change. (I suggested something similar in https://bitcointalksearch.org/topic/rollover-transaction-fees-80387).

You are right. I read again and obviously my initial reading was not careful enough.
That said there are 2 blocks in a fork with the same height if both blocks have 50% invalidated and 50% moved there won't be a loss of value at height+1. I'm not sure if it's what Lear describes.
In my opinion loss of value is a problem only if the loss changes the total amount of final BTC in existence. If the solution means that at a given height there wouldn't be any change of total coins created then I don't see a problem.

If destruction is taboo, then you could always divide the destroyed coins across say the next 100 blocks as fees. It should be as good as destroying them for incentive purposes (if it isn't you have a 51% attacker and are surely already fucked).

Sounds like a reasonable assessment.

Very much looking forward to hearing about your work on proof of stake. If you ever have anything to circulate for comments, please let me know.
I am not trying to publish anything, so don't be concerned on that front. It's not a useful kind of publication for someone in the economics field.

I meant value destroyed, it looks like Lear is suggesting the whistleblower will get half and the original block finder will get nothing, which means half is destroyed.

The protocol says that coinbase needs to mature for 100 blocks before it can be spent, so there is no problem with changing the recipient before this time.

My understanding is that half the coins from the "forked block" would change hands so they won't really be destroyed (or maybe you don't write about value destroyed but actual txouts being destroyed?).

There are problems though:

• you'll probably have to invalidate all previous outputs (there's not always only one the block can distribute the reward to multiple addresses) of the previous blocks and recreate new ones, I'm not familiar with the bitcoin code enough to be certain but I think it can be a very invasive change (new opcodes? new logic for getblocktemplate?): quite risky
• some dust will be lost as some outputs wouldn't be multiple of 2 satoshis

These are only difficulties which can be overcome, the solution seems to make sense.

Edit: the dust being lost can be solved by giving one satoshi more one side of the split, so that's not really a problem.

I can confirm that Lear has discussed with me the results of his research a day before the paper by Eyal and Sirer was published.

If I understand this correctly, some coins will be destroyed in the process, which is not what we want.

Professional shellfish with delivery, always on time !

You can't say "reward" for orphan blocks: you get the reward only for the blocks in the main chain.

Suppose Attacker and Network are in race. 1) If Attacker already has the second block in his sleeve (without the evidence of the fork) he publishes it and wins the race, taking full reward for both blocks. By the rule of cummulative work, everybody switches to that branch. 2) If Network finds the second block first -- Attacker gets nothing irrespectively of the evidence's presence in that block.

Hmmmm, shellfish. Now I'm hungry.

Thanks for sharing this! I'm almost certain that some of the news circulated about bitcoin is only made to take advantage of the volatility and thus making it easier for them to outwit regular traders.

Isn't this the same attack discovered by Cornell students? http://arxiv.org/pdf/1311.0243v1.pdf

Seems interesting. So basically we have to worry about a 25% attack now?