1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
|
Return-Path: <jannes.faber@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 386EBF8A
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 25 Dec 2015 16:11:25 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-lf0-f53.google.com (mail-lf0-f53.google.com
[209.85.215.53])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 36FB18C
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 25 Dec 2015 16:11:23 +0000 (UTC)
Received: by mail-lf0-f53.google.com with SMTP id y184so174276879lfc.1
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 25 Dec 2015 08:11:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type; bh=gauQDyZASKDi49hJ3IXakL78q5Z2T+ymNCz47xLwHHU=;
b=Y29pp9xg9PVen9eM3OuEYAWjfEXDibyXO4cFniFjVrERe1kZ8TSeC0NvH2syALXzZf
0qJu6iBcMDrnWqsEKx/c6QVw/YjdYZo4Az/PlW9I4tbAL+TSvk96KfNRxTOvn+Ta4qF7
5UbbKHkLmLfZ7dFgOkAetE7wQzZAWC2YqkbpeoSQJly0dnRimclY9EnbYdo94ROQJ1rV
g2mh7EOHS5CTW1TnjyTvpZQCf518kGXiriJQpLLawrOEPjThMYoAw/jTEA09tcCrzRj2
AM/vGQbbkvQa4kw8xbKbMpZ0QsKHA03kDFbHqNtKBJy2iodrnNVUnxXSuih/wLkodO0a
VJAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:in-reply-to:references:date
:message-id:subject:from:to:content-type;
bh=gauQDyZASKDi49hJ3IXakL78q5Z2T+ymNCz47xLwHHU=;
b=fE/0coyXSC56sYd05i3KGF0hLT8AdeZ9/aIOBeETfPUFw0C70TxJUY7DTQsJti0J75
U8rY6qmRxxWfZqhrmxENEq1N4nmzf3qqQFnfEpveDOxeM1WhYBqQEngOdUJqjwMZW9U+
76woq3s+m/FmO5TwlAzDm71x8+mE8QvyK8KvfyNyz7EGn6/qKbtPRIUOmYxrzC/kY4F9
3Mp7Tcqo8i9C3sYUVom9Ghx3B2PPboIeM0mgYYg4+XwGYFI0fU6dYewKy+u5OSuvjk6R
KCBt7rCvUmKLbUW2h/HuOwzvwbCN89lqDGNfYtqqPso19qK+v9wzKLTSTgCY8BjIl3A0
T68Q==
X-Received: by 10.25.160.213 with SMTP id j204mr15849167lfe.85.1451059881172;
Fri, 25 Dec 2015 08:11:21 -0800 (PST)
Received: from mail-lb0-f176.google.com (mail-lb0-f176.google.com.
[209.85.217.176])
by smtp.gmail.com with ESMTPSA id ak1sm8083219lbc.2.2015.12.25.08.11.19
for <bitcoin-dev@lists.linuxfoundation.org>
(version=TLSv1/SSLv3 cipher=OTHER);
Fri, 25 Dec 2015 08:11:19 -0800 (PST)
Received: by mail-lb0-f176.google.com with SMTP id pv2so85014894lbb.1
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 25 Dec 2015 08:11:19 -0800 (PST)
X-Gm-Message-State: ALoCoQkofZWnXkdVKqd27iE1DHImZGCkBZT9nDwZuoBc6uUkd/m4Cv8TIDrFRe8XBLCwwMTOUBdIbAizxPX9xht3QeA8xt/aYA==
MIME-Version: 1.0
X-Received: by 10.112.198.131 with SMTP id jc3mr9745026lbc.118.1451059879396;
Fri, 25 Dec 2015 08:11:19 -0800 (PST)
Received: by 10.112.157.199 with HTTP; Fri, 25 Dec 2015 08:11:18 -0800 (PST)
Received: by 10.112.157.199 with HTTP; Fri, 25 Dec 2015 08:11:18 -0800 (PST)
In-Reply-To: <CABT1wW=r5DPG1e6XFe7NMHrquo1FzygPCdjEJ2QQnmGbqVMH2Q@mail.gmail.com>
References: <20151219184240.GB12893@muck>
<CAAcC9yvh2ma2dFhNDEKs7vfXyQF9L+T0YtRvOsJ15AbfVti=cw@mail.gmail.com>
<219f125cee6ca68fd27016642e38fdf1@xbt.hk>
<CAAcC9ys_t7X0WpQ8W3577M8GLiA5sPV2F1BJ9qZbnMkE-1j3+Q@mail.gmail.com>
<aff8da46a69bdd7ef92ca87725866a5c@xbt.hk>
<CAPkFh0vNECi1OmBwki+8NNAQbe6EG2FEE4RR5z=kYVLLDFHUXg@mail.gmail.com>
<20151220132842.GA25481@muck>
<CAPkFh0t-+WhZYVLyT_auLa87zAATNOH=CpU4S5H=n6S1wmZ-oQ@mail.gmail.com>
<CABeL=0jgv3G8qx6wM+ZfwN154qhQY-GJdXnABc-iWL=YDNmhag@mail.gmail.com>
<CABT1wW=r5DPG1e6XFe7NMHrquo1FzygPCdjEJ2QQnmGbqVMH2Q@mail.gmail.com>
Date: Fri, 25 Dec 2015 17:11:18 +0100
X-Gmail-Original-Message-ID: <CABeL=0h1w=WCGpLAchLk1mx67oKbcTcVnhZs-K5JdXe-9OcgAg@mail.gmail.com>
Message-ID: <CABeL=0h1w=WCGpLAchLk1mx67oKbcTcVnhZs-K5JdXe-9OcgAg@mail.gmail.com>
From: Jannes Faber <jannes.faber@gmail.com>
To: Ittay <ittay.eyal@cornell.edu>,
Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary=001a11c33f80a8eae60527bb34fc
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW
autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 25 Dec 2015 18:29:14 +0000
Subject: Re: [bitcoin-dev] We need to fix the block withholding attack
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Dec 2015 16:11:25 -0000
--001a11c33f80a8eae60527bb34fc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
On 25 Dec 2015 12:15 p.m., "Ittay" <ittay.eyal@cornell.edu> wrote:
> As for masquerading as multiple small pools -- that's a very good point,
with a surprising answer: it doesn't really matter. An attacker attacks all
parts of the open pool proportionally to their size, and the result is
basically identical to that of attacking a single large pool.
While true, that's only relevant to the indiscriminate attacker! The
vigilante attacker that wants to hurt only pools that are too large,
doesn't even know that there's a need to attack as all of them seem small.
That's what i was saying.
>
> On Mon, Dec 21, 2015 at 1:39 PM, Jannes Faber via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> If you're saying a block withholding attack is a nice weapon to have to
dissuade large pools, isn't that easily defeated by large pools simply
masquerading as multiple small pools? As, for all we know, ghash may have
done?
>>
>> If you don't know who to attack there's no point in having the weapon.
While that weapon is still dangerous in the hands of others that are
indiscriminate, like the solo miners example of Peter Todd.
>>
>> Sorry if i misunderstood your point.
>>
>>
>> --
>> Jannes
>>
>> On 20 December 2015 at 18:00, Emin G=C3=BCn Sirer <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>> On Sun, Dec 20, 2015 at 8:28 AM, Peter Todd <pete@petertodd.org> wrote:
>>>>
>>>> There are a number of techniques that can be used to detect block
>>>> withholding attacks that you are not aware of. These techniques usuall=
y
>>>> have the characteristic that if known they can be avoided, so obviousl=
y
>>>> those who know about them are highly reluctant to reveal what exactly
>>>> they are. I personally know about some of them and have been asked to
>>>> keep that information secret, which I will.
>>>
>>>
>>> Indeed, there are lots of weak measures that one could employ against
>>> an uninformed attacker. As I mentioned before, these are unlikely to be
>>> effective against a savvy attacker, and this is a good thing.
>>>
>>>>
>>>> In the context of KYC, this techniques would likely hold up in court,
>>>> which means that if this stuff becomes a more serious problem it's
>>>> perfectly viable for large, well-resourced, pools to prevent block
>>>> withholding attacks, in part by removing anonymity of hashing power.
>>>> This would not be a positive development for the ecosystem.
>>>
>>>
>>> KYC has a particular financial-regulation connotation in Bitcoin
circles,
>>> of which I'm sure you're aware, and which you're using as a spectre.
>>> You don't mean government-regulated-KYC a la FINCEN and Bitcoin
>>> exchanges like Coinbase, you are just referring to a pool operator
>>> demanding to know that its customer is not coming from its competitors'
>>> data centers.
>>>
>>> And your prediction doesn't seem well-motivated or properly justified.
>>> There are tons of conditionals in your prediction, starting with the
premise
>>> that every single open pool would implement some notion of identity
>>> checking. I don't believe that will happen. Instead, we will have the
bigger
>>> pools become more suspicious of signing up new hash power, which is a
>>> good thing. And we will have small groups of people who have some reaso=
n
>>> for trusting each other (e.g. they know each other from IRC,
conferences,
>>> etc) band together into small pools. These are fantastic outcomes for
>>> decentralization.
>>>
>>>> Secondly, DRM tech can also easily be used to prevent block withholdin=
g
>>>> attacks by attesting to the honest of the hashing power. This is being
>>>> discussed in the industry, and again, this isn't a positive developmen=
t
>>>> for the ecosystem.
>>>
>>>
>>> DRM is a terrible application. Once again, I see that you're trying to
use those
>>> three letters as a spectre as well, knowing that most people hate DRM,
but
>>> keep in mind that DRM is just an application -- it's like pointing to
Adobe Flash
>>> to taint all browser plugins.
>>>
>>> The tech behind DRM is called "attestation," and it provides a
technical
>>> capability not possible by any other means. In essence, attestation can
ensure that
>>> a remote node is indeed running the code that it purports to be
running. Since
>>> most problems in computer security and distributed systems stem from no=
t
>>> knowing what protocol the attacker is going to follow, attestation is
the only
>>> technology we have that lets us step around this limitation.
>>>
>>> It can ensure, for instance,
>>> - that a node purporting to be Bitcoin Core (vLatest) is indeed
running an
>>> unadulterated, latest version of Bitcoin Core
>>> - that a node claiming that it does not harvest IP addresses from SPV
>>> clients indeed does not harvest IP addresses.
>>> - that a cloud hashing outfit that rented out X terahashes to a user
did
>>> indeed rent out X terahashes to that particular user,
>>> - that a miner operating on behalf of some pool P will not misbehave
and
>>> discard perfectly good blocks
>>> and so forth. All of these would be great for the ecosystem. Just
getting rid
>>> of the cloudhashing scams would put an end to a lot of heartache.
>>>
>>>> > Keep in mind that when an open pool gets big, like GHash did and
>>>> > two other pools did before them, the only thing at our disposal used
>>>> > to be to yell at people about centralization until they left the big
>>>> > pools and reformed into smaller groups. Not only was such yelling
>>>> > kind of desperate looking, it wasn't incredibly effective, either.
>>>> > We had no protocol mechanisms that put pressure on big pools to
>>>> > stop signing up people. Ittay's discovery changed that: pools that
>>>> > get to be very big by indiscriminately signing up miners are likely
to
>>>> > be infiltrated and their profitability will drop. And Peter's post i=
s
>>>> > evidence that this is, indeed, happening as predicted. This is a
>>>> > good outcome, it puts pressure on the big pools to not grow.
>>>>
>>>> GHash.io was not a pure pool - they owned and operated a significant
>>>> amount of physical hashing power, and it's not at all clear that their
%
>>>> of the network actually went down following that 51% debacle.
>>>
>>>
>>> Right, it's not clear at all that yelling at people has much effect. As
much
>>> fun as I had going to that meeting with GHash in London to ask them to
>>> back down off of the 51% boundary, I am pretty sure that yelling at
large
>>> open pools will not scale. We needed better mechanisms for keeping pool=
s
>>> in check.
>>>
>>> And Miner's Dilemma (MD) attacks are clearly quite effective. This is a
>>> time when we should count our blessings, not work actively to render
>>> them inoperable.
>>>
>>>> Currently a significant % of the hashing power - possibly a majority -
>>>> is in the form of large hashing installations whose owners
individually,
>>>> and definitely in trusting groups, have enough hashing power to solo
>>>> mine. Eyal's results indicate those miners have incentives to attack
>>>> pools, and additionally they have the incentive of killing off pools t=
o
>>>> make it difficult for new competition to get established, yet they
>>>> themselves are not vulnerable to that attack.
>>>
>>>
>>> There are indeed solo miners out there who can attack the big open
>>> pools. The loss of the biggest open pools would not be a bad outcome.
>>> Pools >25% pose a danger, and the home miner doesn't need a pool
>>> >25% for protection against variance.
>>>
>>>> > Peter, you allude to a specific suggestion from Luke-Jr. Can you
>>>> > please describe what it is?
>>>>
>>>> Basically you have the pool pick a secret k for each share, and commit
>>>> to H(k) in the share. Additionally the share commits to a target
divider
>>>> D. The PoW validity rule is then changed from H(block header) < T, to
be
>>>> H(block header) < T * D && H(H(block header) + k) < max_int / D
>>>
>>>
>>> Thanks, this requires a change to the Bitcoin PoW. Good luck with that!
>>>
>>> Once again, this suggestion would make the GHash-at-51% situation
>>> possible again. Working extra hard to re-enable those painful days
>>> sounds like a terrible idea.
>>>
>>> - egs
>>>
>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
--001a11c33f80a8eae60527bb34fc
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<p dir=3D"ltr"><br>
On 25 Dec 2015 12:15 p.m., "Ittay" <<a href=3D"mailto:ittay.ey=
al@cornell.edu">ittay.eyal@cornell.edu</a>> wrote:</p>
<p dir=3D"ltr">> As for=C2=A0masquerading as multiple small pools -- tha=
t's a very good point, with a surprising answer: it doesn't really =
matter. An attacker attacks all parts of the open pool proportionally to th=
eir size, and the result is basically identical to that of attacking a sing=
le large pool.=C2=A0</p>
<p dir=3D"ltr">While true, that's only relevant to the indiscriminate a=
ttacker! The vigilante attacker that wants to hurt only pools that are too =
large, doesn't even know that there's a need to attack as all of th=
em seem small.</p>
<p dir=3D"ltr">That's what i was saying.</p>
<p dir=3D"ltr">><br>
> On Mon, Dec 21, 2015 at 1:39 PM, Jannes Faber via bitcoin-dev <<a h=
ref=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linu=
xfoundation.org</a>> wrote:<br>
>><br>
>> If you're saying a block withholding attack is a nice weapon t=
o have to dissuade large pools, isn't that easily defeated by large poo=
ls simply masquerading as multiple small pools? As, for all we know, ghash =
may have done?<br>
>><br>
>> If you don't know who to attack there's no point in having=
the weapon. While that weapon is still dangerous in the hands of others th=
at are indiscriminate, like the solo miners example of Peter Todd.<br>
>><br>
>> Sorry if i misunderstood your point.<br>
>><br>
>><br>
>> --<br>
>> Jannes<br>
>><br>
>> On 20 December 2015 at 18:00, Emin G=C3=BCn Sirer <<a href=3D"m=
ailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundat=
ion.org</a>> wrote:<br>
>>><br>
>>> On Sun, Dec 20, 2015 at 8:28 AM, Peter Todd <<a href=3D"mai=
lto:pete@petertodd.org">pete@petertodd.org</a>> wrote:<br>
>>>><br>
>>>> There are a number of techniques that can be used to detec=
t block<br>
>>>> withholding attacks that you are not aware of. These techn=
iques usually<br>
>>>> have the characteristic that if known they can be avoided,=
so obviously<br>
>>>> those who know about them are highly reluctant to reveal w=
hat exactly<br>
>>>> they are. I personally know about some of them and have be=
en asked to<br>
>>>> keep that information secret, which I will.<br>
>>><br>
>>><br>
>>> Indeed, there are lots of weak measures that one could employ =
against=C2=A0<br>
>>> an uninformed attacker. As I mentioned before, these are unlik=
ely to be<br>
>>> effective against a savvy attacker, and this is a good thing.<=
br>
>>> =C2=A0<br>
>>>><br>
>>>> In the context of KYC, this techniques would likely hold u=
p in court,<br>
>>>> which means that if this stuff becomes a more serious prob=
lem it's<br>
>>>> perfectly viable for large, well-resourced, pools to preve=
nt block<br>
>>>> withholding attacks, in part by removing anonymity of hash=
ing power.<br>
>>>> This would not be a positive development for the ecosystem=
.<br>
>>><br>
>>><br>
>>> KYC has a particular financial-regulation connotation in Bitco=
in circles,=C2=A0<br>
>>> of which I'm sure you're aware, and which you're u=
sing as a spectre.=C2=A0<br>
>>> You don't mean government-regulated-KYC a la FINCEN and Bi=
tcoin<br>
>>> exchanges like Coinbase, you are just referring to a pool oper=
ator<br>
>>> demanding to know that its customer is not coming from its com=
petitors'<br>
>>> data centers.<br>
>>><br>
>>> And your prediction doesn't seem well-motivated or properl=
y justified.=C2=A0<br>
>>> There are tons of conditionals in your prediction, starting wi=
th the premise<br>
>>> that every single open pool would implement some notion of ide=
ntity=C2=A0<br>
>>> checking. I don't believe that will happen. Instead, we wi=
ll have the bigger<br>
>>> pools become more suspicious of signing up new hash power, whi=
ch is a<br>
>>> good thing. And we will have small groups of people who have s=
ome reason<br>
>>> for trusting each other (e.g. they know each other from IRC, c=
onferences,=C2=A0<br>
>>> etc) band together into small pools. These are fantastic outco=
mes for<br>
>>> decentralization.<br>
>>><br>
>>>> Secondly, DRM tech can also easily be used to prevent bloc=
k withholding<br>
>>>> attacks by attesting to the honest of the hashing power. T=
his is being<br>
>>>> discussed in the industry, and again, this isn't a pos=
itive development<br>
>>>> for the ecosystem.<br>
>>><br>
>>><br>
>>> DRM is a terrible application. Once again, I see that you'=
re trying to use those<br>
>>> three letters as a spectre as well, knowing that most people h=
ate DRM, but=C2=A0<br>
>>> keep in mind that DRM is just an application -- it's like =
pointing to Adobe Flash<br>
>>> to taint all browser plugins.<br>
>>><br>
>>> The tech behind DRM is called "attestation," and it =
provides a technical=C2=A0<br>
>>> capability not possible by any other means. In essence, attest=
ation can ensure that<br>
>>> a remote node is indeed running the code that it purports to b=
e running. Since=C2=A0<br>
>>> most problems in computer security and distributed systems ste=
m from not<br>
>>> knowing what protocol the attacker is going to follow, attesta=
tion is the only=C2=A0<br>
>>> technology we have that lets us step around this limitation.=
=C2=A0<br>
>>><br>
>>> It can ensure, for instance,=C2=A0<br>
>>> =C2=A0 - that a node purporting to be Bitcoin Core (vLatest) i=
s indeed running an<br>
>>> unadulterated, latest version of Bitcoin Core=C2=A0<br>
>>> =C2=A0 - that a node claiming that it does not harvest IP addr=
esses from SPV=C2=A0<br>
>>> clients indeed does not harvest IP addresses.<br>
>>> =C2=A0 - that a cloud hashing outfit that rented out X terahas=
hes to a user did=C2=A0<br>
>>> indeed rent out X terahashes to that particular user,=C2=A0<br=
>
>>> =C2=A0 - that a miner operating on behalf of some pool P will =
not misbehave and<br>
>>> discard perfectly good blocks<br>
>>> and so forth. All of these would be great for the ecosystem. J=
ust getting rid<br>
>>> of the cloudhashing scams would put an end to a lot of heartac=
he.<br>
>>><br>
>>>> > Keep in mind that when an open pool gets big, like GH=
ash did and<br>
>>>> > two other pools did before them, the only thing at ou=
r disposal used<br>
>>>> > to be to yell at people about centralization until th=
ey left the big<br>
>>>> > pools and reformed into smaller groups. Not only was =
such yelling<br>
>>>> > kind of desperate looking, it wasn't incredibly e=
ffective, either.<br>
>>>> > We had no protocol mechanisms that put pressure on bi=
g pools to<br>
>>>> > stop signing up people. Ittay's discovery changed=
that: pools that<br>
>>>> > get to be very big by indiscriminately signing up min=
ers are likely to<br>
>>>> > be infiltrated and their profitability will drop. And=
Peter's post is<br>
>>>> > evidence that this is, indeed, happening as predicted=
. This is a<br>
>>>> > good outcome, it puts pressure on the big pools to no=
t grow.<br>
>>>><br>
>>>> GHash.io was not a pure pool - they owned and operated a s=
ignificant<br>
>>>> amount of physical hashing power, and it's not at all =
clear that their %<br>
>>>> of the network actually went down following that 51% debac=
le.<br>
>>><br>
>>><br>
>>> Right, it's not clear at all that yelling at people has mu=
ch effect. As much<br>
>>> fun as I had going to that meeting with GHash in London to ask=
them to<br>
>>> back down off of the 51% boundary, I am pretty sure that yelli=
ng at large<br>
>>> open pools will not scale. We needed better mechanisms for kee=
ping pools<br>
>>> in check.<br>
>>><br>
>>> And Miner's Dilemma (MD) attacks are clearly quite effecti=
ve. This is a<br>
>>> time when we should count our blessings, not work actively to =
render<br>
>>> them inoperable.<br>
>>><br>
>>>> Currently a significant % of the hashing power - possibly =
a majority -<br>
>>>> is in the form of large hashing installations whose owners=
individually,<br>
>>>> and definitely in trusting groups, have enough hashing pow=
er to solo<br>
>>>> mine. Eyal's results indicate those miners have incent=
ives to attack<br>
>>>> pools, and additionally they have the incentive of killing=
off pools to<br>
>>>> make it difficult for new competition to get established, =
yet they<br>
>>>> themselves are not vulnerable to that attack.<br>
>>><br>
>>><br>
>>> There are indeed solo miners out there who can attack the big =
open<br>
>>> pools. The loss of the biggest open pools would not be a bad o=
utcome.<br>
>>> Pools >25% pose a danger, and the home miner doesn't ne=
ed a pool=C2=A0<br>
>>> >25% for protection against variance.=C2=A0<br>
>>><br>
>>>> > Peter, you allude to a specific suggestion from Luke-=
Jr. Can you<br>
>>>> > please describe what it is?<br>
>>>><br>
>>>> Basically you have the pool pick a secret k for each share=
, and commit<br>
>>>> to H(k) in the share. Additionally the share commits to a =
target divider<br>
>>>> D. The PoW validity rule is then changed from H(block head=
er) < T, to be<br>
>>>> H(block header) < T * D && H(H(block header) + =
k) < max_int / D<br>
>>><br>
>>><br>
>>> Thanks, this requires a change to the Bitcoin PoW. Good luck w=
ith that!=C2=A0<br>
>>><br>
>>> Once again, this suggestion would make the GHash-at-51% situat=
ion=C2=A0<br>
>>> possible again. Working extra hard to re-enable those painful =
days=C2=A0<br>
>>> sounds like a terrible idea.=C2=A0<br>
>>><br>
>>> - egs<br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> bitcoin-dev mailing list<br>
>>> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitco=
in-dev@lists.linuxfoundation.org</a><br>
>>> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/=
bitcoin-dev">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev=
</a><br>
>>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> bitcoin-dev mailing list<br>
>> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-d=
ev@lists.linuxfoundation.org</a><br>
>> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitc=
oin-dev">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a>=
<br>
>><br>
><br>
</p>
--001a11c33f80a8eae60527bb34fc--
|
