Topic: Zero-cost double-spending attacks via merged mining

hero member
Activity: 800
Merit: 1000
I don't believe the first scenario is possible either; however, I'd need to look more into that. However, when it requires mining the coin with itself, it's no longer zero cost. Many aux chains have extremely high difficulties. To be able to rent, or use, machines with enough power to even find blocks at that diff is costly. This cost will greatly outrun any profits you can get from merged mining or from mining the coin as a master. This

a) proves that attack #1 is not zero cost
b) proves that doing such an attack is almost an impossibility

Ahmed
newbie
Activity: 40
Merit: 0
Hmm, you seem to be right about the second scenario.  But what about the first scenario?  That should still be possible, right?  Also it looks like this was discussed very briefly here: https://bitcointalksearch.org/topic/m.609496
hero member
Activity: 800
Merit: 1000
How is the second scenario possible? It isn't possible to merge mine 2 coins with the same chain ID, which is the precise reason the attack has never happened.

Ahmed
newbie
Activity: 40
Merit: 0
Let me clarify what it means to merge mine a coin with itself, since this is at the centre of the attack.

A merge mined block consists of a parent chain and one or more auxiliary chains, all of which are covered by the same proof-of-work. Normally, the chains correspond to different coins. For example, you might have a bitcoin parent chain with a namecoin auxiliary chain and an ixcoin auxiliary chain. But there's nothing to prevent you from having multiple chains belonging to the same coin. So you could feasibly create a block with a namecoin parent chain and a namecoin auxiliary chain, or a block with a bitcoin parent chain and two namecoin auxiliary chains. By merge mining this way, you can mine two chains at once from the same coin. This allows an attacker to build a chain in secret, while still generating revenue mining on the public chain.
newbie
Activity: 40
Merit: 0
A double-spending attack can be attempted by an individual with much less than 51% of the network hash power, but it is not guaranteed to succeed, and the odds of success drop exponentially as the number of required confirmations increases. Additionally, after a failed double-spending attack, the attacker's mined blocks become worthless, and he loses the associated revenue. For this reason it is assumed that an attacker with much less than 51% of the network hash power is expected to lose money by attempting to double-spend due to lost mining revenue.

It turns out that for coins that allow merged mining, an attacker can attempt a double-spending attack but retain any mining revenue even if the attack fails. Essentially, there is zero cost to the attacker to attempt an attack.

The attacker takes advantage of merged mining in order to intentionally fork the chain. One fork of the chain will contain the original spend, which will be broadcast to the network. The other fork will contain the double spend and will be kept private. The attacker creates the fork and mines both forks simultaneously by merge mining the coin with itself. The attacker continues to broadcast blocks built on top of the original spend. If the attacker successfully creates enough consecutive blocks for the receiver to consider the transaction "confirmed", then the attacker mines one more block on his private chain, and publishes the private chain, thereby completing the double-spend. If the network mines a block instead, the attacker discards his private chain, keeps his mining revenue from the blocks he published, and no one will ever be the wiser.

Should we be worried?  In a word, no.  Such an attack is very unlikely to succeed. If the attacker controls 30% of the network hash power, then according to Nakamoto's original paper a traditional double-spending attack on 5 confirmations will succeed with 17.7% odds. However, with the attack proposed here, the odds are less than 0.1%. The difference is because in my scenario the attacker must mine 6 consecutive blocks without the rest of the network mining any.

Edit:
The attack can be combined with selfish mining to improve the odds to about the same (or potentially better) as a traditional 51% attack, while remaining mostly cost-free.  If the attacker employs selfish mining, he now has 2 private chains.  He publishes blocks from the "original" private chain whenever the network solves a block, hoping for his block to disperse faster through the network.  Then he publishes the "double spend" branch once it is long enough as before.  There is some risk of lost mining revenue if he loses the block-propagation race, but even if he fails to make enough blocks to succeed in double spending, he keeps the mining revenue from the remaining published blocks.
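The two success probabilities quoted in this post, worked through as an added Python example that is not part of the thread: Nakamoto's whitepaper formula for a conventional double-spend against z confirmations, beside the q^(z+1) chance of the self-merge-mined variant, which under the post's model is abandoned as soon as the honest network finds a single block. The `confirmations_needed` helper, the 0.1% threshold and the hash fractions are assumptions chosen to mirror the figures above.

```python
import math


def nakamoto_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash power
    eventually overtakes an honest chain that is z blocks ahead
    (Bitcoin whitepaper, section 11). Valid for q < 0.5."""
    if not 0.0 <= q < 0.5:
        raise ValueError("model only meaningful for a minority attacker")
    p = 1.0 - q
    lam = z * (q / p)          # expected attacker progress while z honest blocks are found
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam)  # P(attacker found exactly k blocks)
        for i in range(1, k + 1):
            poisson *= lam / i
        # attacker starts z-k behind and must close that gap, odds (q/p)^(z-k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def merged_mining_success_probability(q: float, z: int) -> float:
    """Self-merge-mined fork as described in the post: the attacker must find
    the z public confirmations AND one extra private block before the honest
    network finds any block, since a single honest block ends the attempt.
    Each of those z+1 blocks is the attacker's with probability q."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be a hash-power fraction")
    return q ** (z + 1)


def confirmations_needed(q: float, threshold: float, model, max_z: int = 10_000) -> int:
    """Smallest number of confirmations z at which the given model's attack
    success probability drops below threshold (assumed helper)."""
    for z in range(max_z + 1):
        if model(q, z) < threshold:
            return z
    raise RuntimeError("threshold not reached within max_z confirmations")


if __name__ == "__main__":
    q, z = 0.3, 5  # the post's scenario: 30% attacker, 5 confirmations
    print(f"traditional double-spend, q={q}, z={z}: "
          f"{nakamoto_success_probability(q, z):.4%}")     # about 17.7%
    print(f"self-merge-mined fork,  q={q}, z={z}: "
          f"{merged_mining_success_probability(q, z):.4%}")  # about 0.07%
    for model in (nakamoto_success_probability, merged_mining_success_probability):
        print(f"{model.__name__}: confirmations for <0.1% at q={q}: "
              f"{confirmations_needed(q, 0.001, model)}")
```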