Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1SbML3-0007zm-LF for bitcoin-development@lists.sourceforge.net; Mon, 04 Jun 2012 01:44:09 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of coinlab.com designates 209.85.214.175 as permitted sender) client-ip=209.85.214.175; envelope-from=peter@coinlab.com; helo=mail-ob0-f175.google.com; Received: from mail-ob0-f175.google.com ([209.85.214.175]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-MD5:128) (Exim 4.76) id 1SbML2-00046P-Gg for bitcoin-development@lists.sourceforge.net; Mon, 04 Jun 2012 01:44:09 +0000 Received: by obhx4 with SMTP id x4so7888111obh.34 for ; Sun, 03 Jun 2012 18:44:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=x76WxmxlZKa7765b/cLar1zTx0FizQWt8M5kH7qSqQ8=; b=iCBzb/vx39ioRHA2/UPOBFujVpffgIz3bcvNHAakfMuO1nbpbui8JNXWM5s7IHk1Xy AXz6KOIlKmmRQ7ztmawxB78Hc0izgiBHbpCrSx9zLnJv3liyBA0/FsHWWMBrg8Mul++d Vvk8dXVAYfx/agkoHejZ6wQC4YEz7WlHaMlyt3z+0DYk+GQ14E+evxb+n4qmcqrxGMyJ 6irysD5+JphzfZoKWIqlwHXsS5SiQZwNXgwHmnfZvOy6XkecK/Cq3Bbl/ty/N1JlONbj PXmRoGxfQ8fgk6tYkzidep5Z7A5anq+PVljDL4tcdNZe9LtlDJeZsfvXOp1huXy1m/NV DvMw== Received: by 10.60.14.41 with SMTP id m9mr10213586oec.57.1338774242881; Sun, 03 Jun 2012 18:44:02 -0700 (PDT) MIME-Version: 1.0 Received: by 10.182.41.200 with HTTP; Sun, 3 Jun 2012 18:43:42 -0700 (PDT) In-Reply-To: <201206030052.17128.luke@dashjr.org> References: <201206030052.17128.luke@dashjr.org> From: Peter Vessenes Date: Sun, 3 Jun 2012 21:43:42 -0400 Message-ID: To: Luke-Jr Content-Type: multipart/alternative; boundary=e89a8fb1fac02e72aa04c19babec X-Gm-Message-State: ALoCoQlRrC/1snxKDowJsT3bzXJaxdb1w5h3pZpAF9vtsQnkNQmer5z3Ai7tLkvJVqq8KP2hwrTO X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message X-Headers-End: 1SbML2-00046P-Gg Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Defeating the block withholding attack X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jun 2012 01:44:09 -0000 --e89a8fb1fac02e72aa04c19babec Content-Type: text/plain; charset=ISO-8859-1 On Sat, Jun 2, 2012 at 8:52 PM, Luke-Jr wrote: > Analysis, comments, constructive criticism, etc welcome for the following: > > ==Background== > At present, an attacker can harm a pool by intentionally NOT submitting > shares > that are also valid blocks. All pools are vulnerable to this attack, > whether > centralized or decentralized and regardless of reward system used. The > attack's effectiveness is proportional to ratio of the attacker's hashrate > to > the rest of the pool. > > I'm unclear on the economics of this attack; we spent a bit of time talking about it a few months ago at CoinLab and decided not to worry about it for right now. Does it have asymmetric payoff for an attacker, that is, over time does it pay them more to spend their hashes attacking than just mining? My gut is that it pays less well than mining, meaning I think this is likely a small problem in the aggregate, and certainly not something we should try and fork the blockchain for until there's real pain. Consider, for instance, whether it pays better than just mining bitcoins and spending those on 'bonuses' for getting users to switch from a pool you hate. Watson, I don't believe the attack signature you mention is a factor here, since the pool controls the merkle, only that pool will benefit from block submission. The nonce / coinbase combo is worthless otherwise, and so this attack is just in brief "get lucky, but don't submit." So, can anyone enlighten me as to some actual estimates of badness for this attack? Peter --e89a8fb1fac02e72aa04c19babec Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

On Sat, Jun 2, 2012 at 8:52 PM, Luke-Jr = <= luke@dashjr.org> wrote:
Analysis, comments, constructive criticism, etc welcome for the following:<= br>
=3D=3DBackground=3D=3D
At present, an attacker can harm a pool by intentionally NOT submitting sha= res
that are also valid blocks. All pools are vulnerable to this attack, whethe= r
centralized or decentralized and regardless of reward system used. The
attack's effectiveness is proportional to ratio of the attacker's h= ashrate to
the rest of the pool.


I'm uncle= ar on the economics of this attack; we spent a bit of time talking about it= a few months ago at CoinLab and decided not to worry about it for right no= w.

Does it have asymmetric payoff for an attacker, that is= , over time does it pay them more to spend their hashes attacking than just= mining?=A0

My gut is that it pays less well than = mining, meaning I think this is likely a small problem in the aggregate, an= d certainly not something we should try and fork the blockchain for until t= here's real pain.

Consider, for instance, whether it pays better than jus= t mining bitcoins and spending those on 'bonuses' for getting users= to switch from a pool you hate.
=A0
Watson, I don'= t believe the attack signature you mention is a factor here, since the pool= controls the merkle, only that pool will benefit from block submission. Th= e nonce / coinbase combo is worthless otherwise, and so this attack is just= in brief "get lucky, but don't submit."

So, can anyone enlighten me as to some actual estimates= of badness for this attack?

Peter
--e89a8fb1fac02e72aa04c19babec--