
Topic: Why not 10 coins per block and a block every 2 minutes? - page 2. (Read 5966 times)

sr. member
Activity: 322
Merit: 251
FirstBits: 168Bc
I still haven't seen a mathematically founded answer to a question I've been asking for ages:

What percent of 0/unconfirmed transactions become orphaned, are fraudulent or otherwise never make it to 6/confirmed?

If that percentage is lower than current merchant service company fees, we're still a point-of-sale winner when accepted at 0/unconfirmed and that much IS instant.

0/unconfirmed are transactions the network potentially does not know about. I've created numerous that have never gone to 1/unconfirmed, and the network has NO RECORD of them. Would you settle for stats from 1/unconfirmed to 6/confirmed? In an earlier thread, Kjj said:

The block explorer reorg log is showing 15 reorgs in the last 8538 blocks.  We generally assume that about half the forks lead to a reorganization in a given node*, so that is about 30 forks.  That is about one fork per 284 blocks, which is close to my estimate of 300 blocks per fork.

So, I would expect a two block fork every 90 thousand blocks or so, maybe every 80 thousand using the block explorer data.  That is every year and a half, by the way.  A three block fork should show up under honest circumstances about once every 450 to 500 years.

A shorter block time target would probably lead to more frequent forks, measured in blocks per fork, but it isn't obvious what the function would be.  Halving the block time target, for example, would lead to probably more than double the forks per year.  It could probably be simulated, but hasn't that I know of.

* The best predictor of which block will win in a fork is the fraction of the network seeing that block.  If we assume that the distribution is more or less random, they should both average out to around 50%.
legendary
Activity: 1708
Merit: 1010
But just getting blocks in doesn't cause any damage, you have to be able to overwrite prior blocks, which isn't possible with less than 50% of the total network hashing power, and still isn't terribly likely at 51%.

Of course it's possible to do it with less than 50%, it's just less likely.


No, it's not.  Not if we are talking about the same thing.  It is not possible to reverse a confirmation of a transaction, and thus double spend, without 50% or more of the total network hashing ability.  That is shown in Satoshi's white paper.
hero member
Activity: 742
Merit: 500
I still haven't seen a mathematically founded answer to a question I've been asking for ages:

What percent of 0/unconfirmed transactions become orphaned, are fraudulent or otherwise never make it to 6/confirmed?

If that percentage is lower than current merchant service company fees, we're still a point-of-sale winner when accepted at 0/unconfirmed and that much IS instant.
bji
member
Activity: 112
Merit: 10
But just getting blocks in doesn't cause any damage, you have to be able to overwrite prior blocks, which isn't possible with less than 50% of the total network hashing power, and still isn't terribly likely at 51%.

Of course it's possible to do it with less than 50%, it's just less likely.
legendary
Activity: 1708
Merit: 1010
I know that with 51% hash power the attacker will always succeed eventually.  Anything over 50% gives statistical certitude that the attacker will eventually succeed.  It's really a question of how long it is likely to take and how much effort an attacker would be willing to expend with such a small advantage to eventually succeed.

For a brief time I was thinking about how to compute the chance of computing 2, or 3, or N blocks before the rest of the network can compute 1.  I am not entirely sure how to do the math, but I think it would be very interesting if someone does.
it's possible to abuse the network with less than 50%. you can abuse the network with .0001% of the hashing power, the question is only how successful you will be at trying to abuse the network. with even as low as 30% you could still occasionally get blocks in succession and cause damage. but if you want to be able to cause damage more often you will need more power, closer to 70% is my gut feeling.

But just getting blocks in doesn't cause any damage, you have to be able to overwrite prior blocks, which isn't possible with less than 50% of the total network hashing power, and still isn't terribly likely at 51%.  Thus, you are correct guessing that 70% is a more realistic number.  In order to assault the blockchain in real time, the attacker would have to be able to seriously dominate the entire honest network.  However, if the attacker were building a chain in secret, he could possibly build one in secret that overwrites a prior block to reverse a transaction wherein the attacker previously spent funds.  But this kind of attack is damage limited to the person who was dealing with the attacker, and he would still need enough of a majority to build and release his chain before any new checkpoints have been added.
sr. member
Activity: 350
Merit: 251
I know that with 51% hash power the attacker will always succeed eventually.  Anything over 50% gives statistical certitude that the attacker will eventually succeed.  It's really a question of how long it is likely to take and how much effort an attacker would be willing to expend with such a small advantage to eventually succeed.

For a brief time I was thinking about how to compute the chance of computing 2, or 3, or N blocks before the rest of the network can compute 1.  I am not entirely sure how to do the math, but I think it would be very interesting if someone does.
it's possible to abuse the network with less than 50%. you can abuse the network with .0001% of the hashing power, the question is only how successful you will be at trying to abuse the network. with even as low as 30% you could still occasionally get blocks in succession and cause damage. but if you want to be able to cause damage more often you will need more power, closer to 70% is my gut feeling.
bji
member
Activity: 112
Merit: 10
You are calculating the chance that any single attack of many attacks will succeed. I am discussing the chance that an attacker will win a single attack by chasing the block chain. I'm claiming that a 51% hash power attacker can always win (with unlimited time and resources) while a 49% hash power attacker, if he doesn't win immediately will have diminishing chances as time goes on (even with unlimited time and resources).

I know that with 51% hash power the attacker will always succeed eventually.  Anything over 50% gives statistical certitude that the attacker will eventually succeed.  It's really a question of how long it is likely to take and how much effort an attacker would be willing to expend with such a small advantage to eventually succeed.

For a brief time I was thinking about how to compute the chance of computing 2, or 3, or N blocks before the rest of the network can compute 1.  I am not entirely sure how to do the math, but I think it would be very interesting if someone does.
sr. member
Activity: 322
Merit: 251
FirstBits: 168Bc
As long as everyone faces the same risk of wasting computational time, I don't see why this matters to miners.

Because the greater the waste ratio the greater the advantage to the previous awarded miner, which is an advantage to a malicious miner. The waste due to latency is expected to increase as the network grows and we really do not have a huge margin. Increases in waste proportionally increases the likelihood that any block/transaction is invalid. And waste is ... wasteful.
legendary
Activity: 1050
Merit: 1003
The short answer is that the percentage of wasted computational time increases exponentially as the average block finding time decreases.  This is particularly not good for miners.

The reason computational power is wasted is because a new block is not sent to the entire network instantaneously; it goes out to some nodes, who send it out to more nodes, etc., and eventually hopefully the entire network gets it.  Until the entire network does get it, there are still lots of miners wasting time wasting computations on blocks that will no longer be the longest chain and will thus be invalid.  Ten minutes seems to be a good trade-off between computational waste and speed of getting that first confirmation on a transaction.

Note that expressing the certainty of a transaction is based on computing time, however, not raw number of blocks.  When we currently wait for six blocks before saying a transaction is confirmed, what we really mean is that we're waiting for one hour (on average).  With two minute blocks we'd wait for 30 blocks before saying a transaction is confirmed, because 6 blocks times 2 minutes each is only 12 minutes, which simply isn't long enough to wait (it's not "enough" computing power and would be reversible a lot more easily than a whole hour's worth of computation would be).

As long as everyone faces the same risk of wasting computational time, I don't see why this matters to miners.
kjj
legendary
Activity: 1302
Merit: 1026
sr. member
Activity: 322
Merit: 251
FirstBits: 168Bc
With 51% hash power, a peer has 51% chance of producing a block before anyone else does.
The chance of producing two blocks before anyone else does is .51^2, or 26%.

With 40% hash power, the same calculation (0.4^2) is 16%.

Thus with 51% hash power your odds of being able to produce two blocks before anyone else produces one is only 10% better than with only 40% hash power.  Of course you are continually attempting to produce two blocks so your chances of producing two blocks before any one else can be expressed as a function of the number of blocks that you've been trying to do this for.

I'm happy to see numbers thrown down and I think you make your point well. This is my third attempt at rebuttal rewrite.

As soon as the attacker wins a block he can broadcast his alternate chain. The honest nodes should accept the winning chain. If the attacker times his attack well (releases double-spend on the network immediately after the previous block) he has a 51% chance of winning the first block. If he loses, then he can continue without broadcasting.

I'm not sure how to calculate his chance of completing the first block and winning the second block before the honest nodes win the second block, but let's say he has 26% chance (I think it is sig. higher). If he fails to win that block, then he must continue without broadcasting until he catches up and wins the third block with (I don't know) 13% chance. Even if the attacker waits an entire block to launch his attack, he can just hash away (at 51% power) until he catches and surpasses the honest network. If he has unlimited time and resources, I believe he is guaranteed to win eventually.

I am tempted to agree with your calculations for the 51% hash power attack, but I cannot agree with the 40% on pure intuition, unless you are calculating each block discretely (the chance that he wins any one of six rather than an entire chain of six). If the 40% hash power attacker has a 65% chance of winning a six block chain then the honest network with 60% hash power could have only had a 35% chance of winning the same block chain. That can't be right.


Edit #4: We're talking past each other...

produced two deviant blocks in a row to immediately add to the top of the block chain

You are calculating the chance that any single attack of many attacks will succeed. I am discussing the chance that an attacker will win a single attack by chasing the block chain. I'm claiming that a 51% hash power attacker can always win (with unlimited time and resources) while a 49% hash power attacker, if he doesn't win immediately will have diminishing chances as time goes on (even with unlimited time and resources).
bji
member
Activity: 112
Merit: 10
I imagine a malicious node (or clustered nodes) with majority power has better than not chance of beating the network by definition. If he does not broadcast the first winning block, but waits for two winning blocks, then the network will rightly accept his block chain. If he does not win after two blocks, then he does not broadcast at all. Because of statistical deviation, the network will be rightly concerned, but I don't think there's much the network can do about it in the short term.

But if his "lead" is so tenuous that it's only 51% then he's taking a big gamble by devoting so much hashing power to trying to produce two valid blocks before anyone else produces one.

Anyway 51% isn't a magic number if this is what a cheater is trying to do.  You can with 40% hashing power try to do the same thing.  You'll have less chance of getting your two block lead than the 51% guy but not a huge amount less.

EDIT:

Allow me to elaborate, and see if my math is correct.

With 51% hash power, a peer has 51% chance of producing a block before anyone else does.
The chance of producing two blocks before anyone else does is .51^2, or 26%.

With 40% hash power, the same calculation (0.4^2) is 16%.

Thus with 51% hash power your odds of being able to produce two blocks before anyone else produces one is only 10% better than with only 40% hash power.  Of course you are continually attempting to produce two blocks so your chances of producing two blocks before any one else can be expressed as a function of the number of blocks that you've been trying to do this for.

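| Rounds | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| 51% | 26% | 45.3% | 59.5% | 70% | 77.9% | 83.6% |
| 40% | 16% | 29.5% | 40.8% | 50.3% | 58.2% | 64.9% |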

I calculated the above table for each hash power H as:

f(n) = 1 - ((1 - H^2)^n)

The table shows that after 6 rounds, or approximately 1 hour at 10 minute average block generation intervals, someone with 51% hashing power has an 83.6% chance of having successfully produced two deviant blocks in a row to immediately add to the top of the block chain.  Someone with 40% hashing power will have a 64.9% chance after 6 rounds of succeeding similarly.  The difference of success after 6 rounds is only 18.7%, so I don't see why just having 40% hashing power would prohibit someone who wanted to cheat in this way from making the attempt (they'll just have to try a little longer, that's all; they'll need e.g. 14 rounds for 90% chance of having succeeded whereas the 51% cheater only needs 8 rounds for 90% chance of having succeeded).

Someone with 75% hashing power would only need 3 rounds for 90% chance of success.

Of course, all of the above is predicated on announcing the deviant blocks as soon as they are discovered so that everyone else accepts them into the chain and everyone starts over again with computing the next block.

The chance of computing 2 blocks in the same time that it takes someone else to compute 1 is more difficult to calculate.  I think it may require integration.  I'll have to think about it a bit ...
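Added example, not part of any post in this thread: the Python below reproduces the table from the post's formula f(n) = 1 - (1 - H^2)^n and sets it beside the catch-up calculation from section 11 of Satoshi's white paper (which the thread cites), so a merchant can see how confirmation depth changes exposure. Function names are illustrative, and the Poisson block-arrival model is the white paper's assumption.

```python
"""Added example: block-race probabilities discussed in this thread."""
from math import exp


def repeated_trial_success(h, rounds, run=2):
    """The post's f(n) = 1 - (1 - H^run)^n: chance that at least one of
    `rounds` independent attempts produces `run` attacker blocks in a row."""
    return 1.0 - (1.0 - h ** run) ** rounds


def rounds_for(h, target, run=2):
    """Smallest n with f(n) >= target (h must be > 0)."""
    n = 1
    while repeated_trial_success(h, n, run) < target:
        n += 1
    return n


def catch_up_probability(q, deficit):
    """White paper gambler's-ruin result: chance that an attacker with hash
    share q ever erases a deficit of `deficit` blocks, given unlimited time."""
    p = 1.0 - q
    return 1.0 if q >= p else (q / p) ** deficit


def attacker_success(q, z):
    """White paper section 11: chance that a payment buried under z
    confirmations is eventually reversed by an attacker with hash share q."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p  # expected attacker blocks while z honest blocks arrive
    total, poisson = 1.0, exp(-lam)
    for k in range(z + 1):
        if k:
            poisson *= lam / k  # Poisson pmf for k, built incrementally
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q, max_risk, limit=1000):
    """Smallest z with attacker_success(q, z) < max_risk, or None if the
    attacker holds half the hash power or more (no depth is enough)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Table from the post: repeated two-in-a-row attempts, rounds 1..6.
    print("rounds".ljust(9) + "".join(f"{n:>8}" for n in range(1, 7)))
    for h in (0.51, 0.40):
        cells = "".join(f"{repeated_trial_success(h, n):>8.1%}" for n in range(1, 7))
        print(f"H={h:.0%}".ljust(9) + cells)
    print("rounds for 90%:", {h: rounds_for(h, 0.9) for h in (0.40, 0.51, 0.75)})

    # Merchant view: reversal risk at 6 confirmations, and depth for < 0.1%.
    for q in (0.10, 0.30, 0.40, 0.49, 0.51):
        print(f"q={q:.2f}  risk at z=6: {attacker_success(q, 6):.7f}  "
              f"z for <0.1%: {confirmations_needed(q, 0.001)}")
```

Below 50% the reversal risk falls as confirmations accumulate; at 50% or more both white paper functions return 1.0, which is why no confirmation depth is reported for that case.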
sr. member
Activity: 322
Merit: 251
FirstBits: 168Bc
I imagine a malicious node (or clustered nodes) with majority power has better than not chance of beating the network by definition. If he does not broadcast the first winning block, but waits for two winning blocks, then the network will rightly accept his block chain. If he does not win after two blocks, then he does not broadcast at all. Because of statistical deviation, the network will be rightly concerned, but I don't think there's much the network can do about it in the short term.

Satoshi posits that any would be malicious but typically greedy node has a greater incentive to mine legitimately than to try to double spend. However, this incentive does not apply to a truly malicious node who wishes to see the entire bitcoin economy collapse at any cost. With the economy well under 1 B USD, I think this attack is still quite plausible.


And 99% would be better still. But 51% is fine enough. Maybe it fails sometimes, but you'll likely win most of the time. Wait for a new block, inject transaction, immediately crank out a block, maybe TWO before broadcasting your longer chain to the network. With 51% hashing power you're statistically guaranteed to beat the network most attempts. You'll know soon enough if you've lost.

With 51% hashing power it would take quite a while to get 6 blocks ahead of the competition.  Plenty of time for your fraud to be discovered and for the network to take action against you.  You need considerably more hashing power to have a reasonable chance of forcing blocks through at a rate fast enough that the network cannot react.

bji
member
Activity: 112
Merit: 10
And 99% would be better still. But 51% is fine enough. Maybe it fails sometimes, but you'll likely win most of the time. Wait for a new block, inject transaction, immediately crank out a block, maybe TWO before broadcasting your longer chain to the network. With 51% hashing power you're statistically guaranteed to beat the network most attempts. You'll know soon enough if you've lost.

With 51% hashing power it would take quite a while to get 6 blocks ahead of the competition.  Plenty of time for your fraud to be discovered and for the network to take action against you.  You need considerably more hashing power to have a reasonable chance of forcing blocks through at a rate fast enough that the network cannot react.
legendary
Activity: 1708
Merit: 1010
Would you expect miners will at least try to connect to the majority of big miners/pools? I do, because it will cut down on their wasted cycles the faster they hear about new blocks generated and each miner will want the network to begin hashing away at his newly awarded coins/fees. It should be in all miners' best interest to connect to each other very tightly.

They already do.  I'd bet dollars to doughnuts that at least half of the top ten pools have direct links to each other.  However, in a future that Bitcoin is wildly successful, single hop peer connections to those major miners (whether they continue to be user pools, or Wal-Mart's own datacenter) will be valuable enough to companies that serve mom & pop stores, smaller retail chains, and business associations that the major miners could stand to charge connection fees to those groups.  When that happens, the clients of those 2nd tier mining/POS companies will have lower average latency than the end user, and thus would be better protected from casual theft/fraud attempts, but the average network latency for the average end user/Android client could be terrible.  It's not unreasonable to expect there to be five hops or more from the largest miner to the average droid wallet in another two years.  Since blocks can be expected to be much larger on average as well, the CPU times and transmission times for each hop are going to start to tally up.  The average is over 2 seconds now, and the network is relatively small and low volume.  Imagine 500 times the nodes, 100+ times the transaction volume and an average block size of 700 Kilobytes.  The end to end network latency could easily push 2 minutes.
sr. member
Activity: 350
Merit: 251
What difference would it make, EVERYONE would be wasting 10%, just like everyone is wasting 1% now. so why would it matter. if it bothers you that the network would be less secure, then wait 10 minutes or 2 blocks or however long you like.
sr. member
Activity: 322
Merit: 251
FirstBits: 168Bc
Given constant latency, waste increases EXPONENTIALLY as block generation time decreases until waste is greater than effect. Splitting DOES matter. Forget about the general users. Focus on the MINERS and the problems of latency and splitting will become clear.

Suppose splits represent 0.5% of blocks today and wasted cycles during latency 1%. If you divide the block generation time in half to 5 minutes, waste becomes 3%. 2:30 minutes 6%, 1:15 minutes 12%, 37.5 seconds 24%, 20 second blocks 50% waste, 10 second blocks 100% wasted cycles. The numbers might be off, but that's the general gist of the problem.

Now does a user care about waste? No not directly. Does he need confirmations? Not in most cases. Does the network care about waste? Absolutely. Does waste make the network less robust and insecure? YES.

you're throwing in a bunch of irrelevant information, nobody said anything about blocks more often than every 2 minutes. i doubt it would ever go below 5. i even doubt it ever gets changed to begin with.

Dude. What is the TITLE of this thread?

2 minutes means that at CURRENT network size about 10% of hashing power is wasted. It means that your 1/unconfirmed block is 10% likely to be invalid. As MoonShadow convincingly argues latency is likely to INCREASE not decrease. And no, I don't suggest we change the algorithm either. I'm just trying to point out why lowering it should not be considered at all. If you speed up confirmations but those confirmations are more likely invalid, they are no confirmation at all. 1% error is still pretty high!

you also don't take into account for newer network equipment that would increase data throughput and lower overall latency.

worst case physical limit latency = 0.07 s = 20000 km Earth semi-circumference / 300000 km/s speed of light
typical point to point latency today 0.1 s
average bitcoin node latency 2.11 s

How much do you hope the bitcoin network will grow?
sr. member
Activity: 350
Merit: 251
Given constant latency, waste increases EXPONENTIALLY as block generation time decreases until waste is greater than effect. Splitting DOES matter. Forget about the general users. Focus on the MINERS and the problems of latency and splitting will become clear.

Suppose splits represent 0.5% of blocks today and wasted cycles during latency 1%. If you divide the block generation time in half to 5 minutes, waste becomes 3%. 2:30 minutes 6%, 1:15 minutes 12%, 37.5 seconds 24%, 20 second blocks 50% waste, 10 second blocks 100% wasted cycles. The numbers might be off, but that's the general gist of the problem.

Now does a user care about waste? No not directly. Does he need confirmations? Not in most cases. Does the network care about waste? Absolutely. Does waste make the network less robust and insecure? YES.

you're throwing in a bunch of irrelevant information, nobody said anything about blocks more often than every 2 minutes. i doubt it would ever go below 5. i even doubt it ever gets changed to begin with.

you also don't take into account for newer network equipment that would increase data throughput and lower overall latency.
sr. member
Activity: 322
Merit: 251
FirstBits: 168Bc
This topic has forked into at least three... all fairly divergent from the OP. I'll inject my double-comment here.

Having them both accepted into the block chain would require "51%" (which itself is not even likely to guarantee success; you'd need something more, like maybe 75%, to have a chance of consistently beating everyone else)

And 99% would be better still. But 51% is fine enough. Maybe it fails sometimes, but you'll likely win most of the time. Wait for a new block, inject transaction, immediately crank out a block, maybe TWO before broadcasting your longer chain to the network. With 51% hashing power you're statistically guaranteed to beat the network most attempts. You'll know soon enough if you've lost.

all you need is for the recipient to accept your transaction at face value without waiting for it to be confirmed multiple times in the bitcoin block chain.  And I'm saying that vendors will not accept this risk, so proposals that expect vendors to just accept that transactions will make it into the block chain "eventually" are dead before they even get started.

Topic #2: That depends on the sale. It's similar to concerns over counterfeit fiat. If a child comes into the shop and text/SMS's 0.001 BTC for a gum drop, I'll accept without a blink. If someone is buying my car, I might invite him in for a coffee and wait for ten confirmations.

Topic #4: I've done a few trades on OTC and always look to the blockexplorer and send the transaction/address link to the counterparty. If a 0/confirmation floating transaction ticker service was provided (juiced directly into the mining circle), I'd accept small transactions as soon as it was seen by the network. That is of course, until splits and double-spending attacks were the norm. By then, I expect we'll have dozens of auxiliary services nullifying all of these concerns.
legendary
Activity: 1708
Merit: 1010
I should have been more explicit in my double-spend attack comment.  The reason that I said that decreasing the average block interval could increase the risks of a double spend attack is because at some latency level blockchain splits become the norm.  Under these conditions, it's possible for an unscrupulous person to have his client hacked in such a manner that, for every honest spending transaction he engages in, another dishonest transaction that spends those same coins back to another of his own addresses is produced 20 seconds later and sent to a random but topographically distant node.  As long as latency is significantly below the average block interval, this would never matter.  And if many people started to do this as a matter of course, the present node permits the savvy user to monitor transactions, and if a double spend attempt is seen within the average latency time, both transactions are rejected by such nodes.

Yet, if the latency crosses that aforementioned point, and blockchain splits become the norm, it then becomes possible for that unscrupulous user to time the release of his second transaction so that, even though it's practically impossible for the second one to gain the majority of nodes before the first one does, the possibility exists that a multi-block chain split could permit the honest transaction to be confirmed for one or more blocks without destroying the dishonest transaction.  There then remains a (still fairly remote) possibility that the honest transaction, even confirmed, isn't in the majority blockchain and is reversed once the block split is repaired by normal operations.  If that is the case, then the dishonest transaction has a better than even chance of becoming the transaction accepted into the permanent chain.  This would mean that opportunistically dishonest clients would exist that run in an honest manner so long as there was no blockchain split, but anytime that they detected a blockchain split (yes, they are detectable, most of the time) this kind of opportunistic attack would be seen.