Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1SbeTR-0002yb-Bz for bitcoin-development@lists.sourceforge.net; Mon, 04 Jun 2012 21:06:01 +0000 X-ACL-Warn: Received: from zinan.dashjr.org ([173.242.112.54]) by sog-mx-2.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1SbeTQ-00007M-61 for bitcoin-development@lists.sourceforge.net; Mon, 04 Jun 2012 21:06:01 +0000 Received: from ishibashi.localnet (unknown [97.96.85.141]) (Authenticated sender: luke-jr) by zinan.dashjr.org (Postfix) with ESMTPSA id 83F5756055E; Mon, 4 Jun 2012 21:05:54 +0000 (UTC) From: "Luke-Jr" To: Mike Koss Date: Mon, 4 Jun 2012 21:05:25 +0000 User-Agent: KMail/1.13.7 (Linux/3.2.12-gentoonestfix-intelwr; KDE/4.8.1; x86_64; ; ) References: <201206030052.17128.luke@dashjr.org> <201206040204.57503.luke@dashjr.org> In-Reply-To: X-PGP-Key-Fingerprint: E463 A93F 5F31 17EE DE6C 7316 BD02 9424 21F4 889F X-PGP-Key-ID: BD02942421F4889F X-PGP-Keyserver: hkp://pgp.mit.edu MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-15" Content-Transfer-Encoding: 7bit Message-Id: <201206042105.27064.luke@dashjr.org> X-Spam-Score: -0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain X-Headers-End: 1SbeTQ-00007M-61 Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Defeating the block withholding attack X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jun 2012 21:06:01 -0000 On Monday, June 04, 2012 8:49:48 PM Mike Koss wrote: > As I understand the attack, the attacker gets compensated for the shares > they earn, but the pool will be denied any valid blocks found. The > attacker DOES NOT have access to the Bitcoins earned in the unreported > block (only the mining pool has access to the Coinbase address and > transactions in the block). With decentralized pools, the attacker does have access to the block, and can potentially submit it to the Bitcoin network directly bypassing the pool if it benefits them to do so. > So it's a zero-net-cost attack for the attacker (but no chance of making a > profit) to hurt the pool operator. Because of the above, there is a possibility an attacker can make a profit. > The only way to detect such an attack now is to look for "unlucky" miners; > at the current difficulty, you can't detect this cheat until many millions > of shares have been earned w/o a qualifying block. Since an attacker can > also create many fake identities, they can avoid detection indefinitely by > abandoning each account after a million earned shares. There are other modes of detection, but nobody has bothered to implement them since attackers can easily do a simple workaround in an arms race. > I don't understand your proposal for fixing this. You would have to come > up with a scheme where: > > - The miner can detect a qualifying hash to earn a share. > - Not be able to tell if the hash is for a valid block. With my proposal, miners can find shares, but won't know if it's a valid block until the subsequent block is also found (that subsequent block might not end up being a real block in the big picture). > The way I would do this is to have a secret part (not shared with the > miners) of a block that is part of the merkle hash, which is also used in a > secondary hash. Difficulty is then divide into two parts: the first, > solved by the miner (earning a "share" - e.g., 1 in 4 Billion hashes). And > a second, solved by the pool (1 in Difficulty shares). A valid block would > have to exhibit a valid Share Hash AND a valid Pool Hash in order to be > accepted. This only works for centralized pools, which are contrary to the health of the Bitcoin network. Decentralized pools cannot have a secret.