Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id A9535D01 for ; Mon, 21 Dec 2015 11:40:05 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-lf0-f52.google.com (mail-lf0-f52.google.com [209.85.215.52]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 14E51EC for ; Mon, 21 Dec 2015 11:40:04 +0000 (UTC) Received: by mail-lf0-f52.google.com with SMTP id y184so109069513lfc.1 for ; Mon, 21 Dec 2015 03:40:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=5rBMOj9iiqcoU9lzbGkw93FSFvTJPyMHmGUMKMy4p6U=; b=HDz9qm/PwzUHqU6aR90fXCf4gkru1OLPpRDc7zTWWDFaKUjm/jbkjgug178L7G7HnZ +E+39r49XnfKma9M4cdKmNqQwWkdVps2NLcIlB9y/nxFQjd/p2xzv4j7I8EEOMnElt8O HDAnGQjrTsIAmLlpGLrsd03P6FYV4p3mILHsWZ+eukGA+iqomxrGVhJvW367Aq1mzv1E xeJ7q82VXHUfhW7K8t5luxtK77exeiOLX+I7CkZcNBUq4wsZ2VNAGHUcC2oh6lm3WD0I YcwU9JPVyJ+YaWgNpsf2w/jcPIXs4bDu5AvkGlqbqug6eQNTlTrZTccpVKi7dS6RycPJ pr0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=5rBMOj9iiqcoU9lzbGkw93FSFvTJPyMHmGUMKMy4p6U=; b=DEXXGOTDrDein9fiArRdUbET54tTnujUDR8Ov03M2P7etpz7iz+IftBdc3qC/BUOqi IGKrJ0Na8I8ui4vqV8BaV84iXC5oWiqcMGkbchnIAgw/z+CD2uZjr2Qpcn/zISVHusOj leLMCTNiMeG+Es1hMfy4LSnCuj4WpgtD8zXo8KPkfUhOv7gSOC0itgGsDXxYcx4rz0vo 6qUVG9/eTDUyJhfS2lsqqJApZ3gad9wgv0cE+tDQtvbSd4j9Z50hogIFvQBe0nhXgeRM 2ZJRbx25jJXEHBrP0xgehMhCqO+VEXOVo6R933dUZd4UKoT9fr1A5TuTaqoqtqIdCbDu GJGg== X-Received: by 10.25.5.205 with SMTP id 196mr1426249lff.143.1450698001839; Mon, 21 Dec 2015 03:40:01 -0800 (PST) Received: from mail-lb0-f175.google.com (mail-lb0-f175.google.com. [209.85.217.175]) by smtp.gmail.com with ESMTPSA id a18sm4953613lfb.37.2015.12.21.03.40.00 for (version=TLSv1/SSLv3 cipher=OTHER); Mon, 21 Dec 2015 03:40:00 -0800 (PST) Received: by mail-lb0-f175.google.com with SMTP id oh2so13561211lbb.3 for ; Mon, 21 Dec 2015 03:40:00 -0800 (PST) X-Gm-Message-State: ALoCoQnRGQWHj1WiUHDt2r+7dPp6v+AoF1YgqwLgvnE2PCb60j3Y7dRub2F2F/tReZ/TWnEloNjPY7JLPD4bAQgLfvny+1BL3g== X-Received: by 10.112.134.66 with SMTP id pi2mr6073722lbb.83.1450698000431; Mon, 21 Dec 2015 03:40:00 -0800 (PST) MIME-Version: 1.0 Received: by 10.112.157.199 with HTTP; Mon, 21 Dec 2015 03:39:40 -0800 (PST) In-Reply-To: References: <20151219184240.GB12893@muck> <219f125cee6ca68fd27016642e38fdf1@xbt.hk> <20151220132842.GA25481@muck> From: Jannes Faber Date: Mon, 21 Dec 2015 12:39:40 +0100 X-Gmail-Original-Message-ID: Message-ID: To: Bitcoin Dev Content-Type: multipart/alternative; boundary=047d7b3a8bf0fe1c57052766f2db X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Mon, 21 Dec 2015 13:41:41 +0000 Subject: Re: [bitcoin-dev] We need to fix the block withholding attack X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Dec 2015 11:40:05 -0000 --047d7b3a8bf0fe1c57052766f2db Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable If you're saying a block withholding attack is a nice weapon to have to dissuade large pools, isn't that easily defeated by large pools simply masquerading as multiple small pools? As, for all we know, ghash may have done? If you don't know who to attack there's no point in having the weapon. While that weapon is still dangerous in the hands of others that are indiscriminate, like the solo miners example of Peter Todd. Sorry if i misunderstood your point. -- Jannes On 20 December 2015 at 18:00, Emin G=C3=BCn Sirer < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Sun, Dec 20, 2015 at 8:28 AM, Peter Todd wrote: > >> There are a number of techniques that can be used to detect block >> withholding attacks that you are not aware of. These techniques usually >> have the characteristic that if known they can be avoided, so obviously >> those who know about them are highly reluctant to reveal what exactly >> they are. I personally know about some of them and have been asked to >> keep that information secret, which I will. >> > > Indeed, there are lots of weak measures that one could employ against > an uninformed attacker. As I mentioned before, these are unlikely to be > effective against a savvy attacker, and this is a good thing. > > >> In the context of KYC, this techniques would likely hold up in court, >> which means that if this stuff becomes a more serious problem it's >> perfectly viable for large, well-resourced, pools to prevent block >> withholding attacks, in part by removing anonymity of hashing power. >> This would not be a positive development for the ecosystem. >> > > KYC has a particular financial-regulation connotation in Bitcoin circles, > of which I'm sure you're aware, and which you're using as a spectre. > You don't mean government-regulated-KYC a la FINCEN and Bitcoin > exchanges like Coinbase, you are just referring to a pool operator > demanding to know that its customer is not coming from its competitors' > data centers. > > And your prediction doesn't seem well-motivated or properly justified. > There are tons of conditionals in your prediction, starting with the > premise > that every single open pool would implement some notion of identity > checking. I don't believe that will happen. Instead, we will have the > bigger > pools become more suspicious of signing up new hash power, which is a > good thing. And we will have small groups of people who have some reason > for trusting each other (e.g. they know each other from IRC, conferences, > etc) band together into small pools. These are fantastic outcomes for > decentralization. > > Secondly, DRM tech can also easily be used to prevent block withholding >> attacks by attesting to the honest of the hashing power. This is being >> discussed in the industry, and again, this isn't a positive development >> for the ecosystem. >> > > DRM is a terrible application. Once again, I see that you're trying to us= e > those > three letters as a spectre as well, knowing that most people hate DRM, bu= t > keep in mind that DRM is just an application -- it's like pointing to > Adobe Flash > to taint all browser plugins. > > The tech behind DRM is called "attestation," and it provides a technical > capability not possible by any other means. In essence, attestation can > ensure that > a remote node is indeed running the code that it purports to be running. > Since > most problems in computer security and distributed systems stem from not > knowing what protocol the attacker is going to follow, attestation is the > only > technology we have that lets us step around this limitation. > > It can ensure, for instance, > - that a node purporting to be Bitcoin Core (vLatest) is indeed running > an > unadulterated, latest version of Bitcoin Core > - that a node claiming that it does not harvest IP addresses from SPV > clients indeed does not harvest IP addresses. > - that a cloud hashing outfit that rented out X terahashes to a user di= d > indeed rent out X terahashes to that particular user, > - that a miner operating on behalf of some pool P will not misbehave an= d > discard perfectly good blocks > and so forth. All of these would be great for the ecosystem. Just getting > rid > of the cloudhashing scams would put an end to a lot of heartache. > > > Keep in mind that when an open pool gets big, like GHash did and >> > two other pools did before them, the only thing at our disposal used >> > to be to yell at people about centralization until they left the big >> > pools and reformed into smaller groups. Not only was such yelling >> > kind of desperate looking, it wasn't incredibly effective, either. >> > We had no protocol mechanisms that put pressure on big pools to >> > stop signing up people. Ittay's discovery changed that: pools that >> > get to be very big by indiscriminately signing up miners are likely to >> > be infiltrated and their profitability will drop. And Peter's post is >> > evidence that this is, indeed, happening as predicted. This is a >> > good outcome, it puts pressure on the big pools to not grow. >> >> GHash.io was not a pure pool - they owned and operated a significant >> amount of physical hashing power, and it's not at all clear that their % >> of the network actually went down following that 51% debacle. >> > > Right, it's not clear at all that yelling at people has much effect. As > much > fun as I had going to that meeting with GHash in London to ask them to > back down off of the 51% boundary, I am pretty sure that yelling at large > open pools will not scale. We needed better mechanisms for keeping pools > in check. > > And Miner's Dilemma (MD) attacks are clearly quite effective. This is a > time when we should count our blessings, not work actively to render > them inoperable. > > Currently a significant % of the hashing power - possibly a majority - >> is in the form of large hashing installations whose owners individually, >> and definitely in trusting groups, have enough hashing power to solo >> mine. Eyal's results indicate those miners have incentives to attack >> pools, and additionally they have the incentive of killing off pools to >> make it difficult for new competition to get established, yet they >> themselves are not vulnerable to that attack. >> > > There are indeed solo miners out there who can attack the big open > pools. The loss of the biggest open pools would not be a bad outcome. > Pools >25% pose a danger, and the home miner doesn't need a pool > >25% for protection against variance. > > > Peter, you allude to a specific suggestion from Luke-Jr. Can you >> > please describe what it is? >> >> Basically you have the pool pick a secret k for each share, and commit >> to H(k) in the share. Additionally the share commits to a target divider >> D. The PoW validity rule is then changed from H(block header) < T, to be >> H(block header) < T * D && H(H(block header) + k) < max_int / D >> > > Thanks, this requires a change to the Bitcoin PoW. Good luck with that! > > Once again, this suggestion would make the GHash-at-51% situation > possible again. Working extra hard to re-enable those painful days > sounds like a terrible idea. > > - egs > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > --047d7b3a8bf0fe1c57052766f2db Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

If you're saying a block withholding at= tack is a nice=20 weapon to have to dissuade large pools, isn't that easily defeated by= =20 large pools simply masquerading as multiple small pools? As, for all we=20 know, ghash may have done?

If you don't know who to attack there's no point in = having=20 the weapon. While that weapon is still dangerous in the hands of others=20 that are indiscriminate, like the solo miners example of Peter Todd.

Sorry if i misunderstood your point.


--
Ja= nnes

On 20 December 2015 at 18:00, Emin G=C3=BCn = Sirer <bitcoin-dev@lists.linuxfoundation.org> wrote:
On Sun, Dec 20= , 2015 at 8:28 AM, Peter Todd <pete@petertodd.org> wrote:
There are a number of techniques that can = be used to detect block
withholding attacks that you are not aware of. These techniques usually
have the characteristic that if known they can be avoided, so obviously
those who know about them are highly reluctant to reveal what exactly
they are. I personally know about some of them and have been asked to
keep that information secret, which I will.

=
Indeed, there are lots of weak measures that one could employ a= gainst=C2=A0
an uninformed attacker. As I mentioned before, these= are unlikely to be
effective against a savvy attacker, and this = is a good thing.
=C2=A0
In the context of KYC, this techniques would likely hold up in court,
which means that if this stuff becomes a more serious problem it's
perfectly viable for large, well-resourced, pools to prevent block
withholding attacks, in part by removing anonymity of hashing power.
This would not be a positive development for the ecosystem.

KYC has a particular financial-regulation conno= tation in Bitcoin circles,=C2=A0
of which I'm sure you're= aware, and which you're using as a spectre.=C2=A0
You don= 9;t mean government-regulated-KYC a la FINCEN and Bitcoin
exchang= es like Coinbase, you are just referring to a pool operator
deman= ding to know that its customer is not coming from its competitors'
data centers.

And your prediction doesn'= t seem well-motivated or properly justified.=C2=A0
There are tons= of conditionals in your prediction, starting with the premise
that every single open pool would implement some notion of identity=C2=A0=
checking. I don't believe that will happen. Instead, we will= have the bigger
pools become more suspicious of signing up new h= ash power, which is a
good thing. And we will have small groups o= f people who have some reason
for trusting each other (e.g. they = know each other from IRC, conferences,=C2=A0
etc) band together i= nto small pools. These are fantastic outcomes for
decentralizatio= n.

Seco= ndly, DRM tech can also easily be used to prevent block withholding
attacks by attesting to the honest of the hashing power. This is being
discussed in the industry, and again, this isn't a positive development=
for the ecosystem.

DRM is a terr= ible application. Once again, I see that you're trying to use those
three letters as a spectre as well, knowing that most people hate DR= M, but=C2=A0
keep in mind that DRM is just an application -- it&#= 39;s like pointing to Adobe Flash
to taint all browser plugins.

The tech behind DRM is called "attestation,&qu= ot; and it provides a technical=C2=A0
capability not possible by = any other means. In essence, attestation can ensure that
a remote= node is indeed running the code that it purports to be running. Since=C2= =A0
most problems in computer security and distributed systems st= em from not
knowing what protocol the attacker is going to follow= , attestation is the only=C2=A0
technology we have that lets us s= tep around this limitation.=C2=A0

It can ensure, f= or instance,=C2=A0
=C2=A0 - that a node purporting to be Bitcoin = Core (vLatest) is indeed running an
unadulterated, latest version= of Bitcoin Core=C2=A0
=C2=A0 - that a node claiming that it does= not harvest IP addresses from SPV=C2=A0
clients indeed does not = harvest IP addresses.
=C2=A0 - that a cloud hashing outfit that r= ented out X terahashes to a user did=C2=A0
indeed rent out X = terahashes to that particular user,=C2=A0
=C2=A0 - that a miner o= perating on behalf of some pool P will not misbehave and
discard = perfectly good blocks
and so forth. All of these would be great f= or the ecosystem. Just getting rid
of the cloudhashing scams woul= d put an end to a lot of heartache.

> Keep in mind that when an open pool gets big, like GHash did and
> two other pools did before them, the only thing at our disposal used > to be to yell at people about centralization until they left the big > pools and reformed into smaller groups. Not only was such yelling
> kind of desperate looking, it wasn't incredibly effective, either.=
> We had no protocol mechanisms that put pressure on big pools to
> stop signing up people. Ittay's discovery changed that: pools that=
> get to be very big by indiscriminately signing up miners are likely to=
> be infiltrated and their profitability will drop. And Peter's post= is
> evidence that this is, indeed, happening as predicted. This is a
> good outcome, it puts pressure on the big pools to not grow.

GHash.io was not a pure pool - they owned and operated a significant=
amount of physical hashing power, and it's not at all clear that their = %
of the network actually went down following that 51% debacle.

Right, it's not clear at all that yelling= at people has much effect. As much
fun as I had going to that me= eting with GHash in London to ask them to
back down off of the 51= % boundary, I am pretty sure that yelling at large
open pools wil= l not scale. We needed better mechanisms for keeping pools
in che= ck.

And Miner's Dilemma (MD) attacks are clear= ly quite effective. This is a
time when we should count our bless= ings, not work actively to render
them inoperable.

Currently a significant % of the hashing power - possibly a majority -
is in the form of large hashing installations whose owners individually, and definitely in trusting groups, have enough hashing power to solo
mine. Eyal's results indicate those miners have incentives to attack pools, and additionally they have the incentive of killing off pools to
make it difficult for new competition to get established, yet they
themselves are not vulnerable to that attack.

There are indeed solo miners out there who can attack the big= open
pools. The loss of the biggest open pools would not be a ba= d outcome.
Pools >25% pose a danger, and the home miner doesn&= #39;t need a pool=C2=A0
>25% for protection against variance.= =C2=A0

= > Peter, you allude to a specific suggestion from Luke-Jr. Can you
> please describe what it is?

Basically you have the pool pick a secret k for each share, and comm= it
to H(k) in the share. Additionally the share commits to a target divider D. The PoW validity rule is then changed from H(block header) < T, to be=
H(block header) < T * D && H(H(block header) + k) < max_int /= D

Thanks, this requires a chang= e to the Bitcoin PoW. Good luck with that!=C2=A0

O= nce again, this suggestion would make the GHash-at-51% situation=C2=A0
possible again. Working extra hard to re-enable those painful days=C2= =A0
sounds like a terrible idea.=C2=A0

-= egs


_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.= linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev


--047d7b3a8bf0fe1c57052766f2db--