Double spend vulnerability due to withholding exceptionally difficult blocks?

[casascius]

I thought of a plausible double spend vulnerability...can anyone confirm or debunk?

While mining, occasionally you'll get a block whose difficulty value far exceeds the minimum threshold.  For example, not too long ago, I got a block that was "accepted, 000002xx" (poclbm) which if I calculate right, corresponds to a difficulty well above 5 million, while the threshold for acceptance at the time was something along the lines of seeing "accepted, 0001xxxx" or lower (the difficulty in the 55,000 range IIRC).

It's my understanding that block chains are accepted based on their total difficulty, not so much their length.

What would happen if I had a modified bitcoin client that was constantly trying to hash a block that spends all my BTC's to other addresses that I own, and then I ran my miners solely to create a block with an extraordinary large difficulty that vastly exceeded the minimum threshold.  (This presumably could take me weeks)

Once I was successful in generating such a block, if I were to hold onto that block for a while and not relay it to the network, I could probably have a window of several hours to do lots of spending before turning it loose and having it invalidate the chain and take back my money.

If I had pulled such a thing off at the time, the blocks I'd be invalidating would probably consist of lots of blocks of difficulty similar to 55,000, after only a couple hours, even the next ten or twenty new blocks are highly unlikely to add up to 5 million.  So, after I finished my spending spree, I'd publish my replacement block, which would invalidate several recent blocks and replace them with my transactions that spent all that BTC back to myself.

If I did such a thing, I could probably rip off merchants and exchangers who consider a transaction good after six or some other small number of confirmations.

Yea or nay?

If yea, an easy remedy would be to limit the "premium" of weight ascribed to blocks that have vastly greater difficulty than the minimum threshold for acceptance.

[1714777411]

1714777411

[1714777411]

1714777411

[1714777411]

1714777411

[1714777411]

1714777411

[theymos]

It's the target difficulty that is used in the "length" calculation, not individual block hashes.

[Mike Hearn]

Difficulty transitions are checked according to a shared global formula. You can't create a block that has some random difficulty you just made up. It has to match the difficulty calculated by the formula, which looks at how many blocks were solved in a two week time window.

[casascius]

Difficulty transitions are checked according to a shared global formula. You can't create a block that has some random difficulty you just made up. It has to match the difficulty calculated by the formula, which looks at how many blocks were solved in a two week time window.

I was not referring to changing the value in the target difficulty field of the block structure.  Rather, I was referring to the difficulty "value" of the hash itself, which is 2^32 divided by the second 32 bits of the hash, which is what needs to meet or exceed the target difficulty, and which just about always exceeds the target difficulty by some measure, sometimes small, sometimes big.

It's the target difficulty that is used in the "length" calculation, not individual block hashes.

This makes sense, and if that's how it's done, that means the issue pretty much doesn't exist.

[iya]

I was not referring to changing the value in the target difficulty field of the block structure.  Rather, I was referring to the difficulty "value" of the hash itself, which is 2^32 divided by the second 32 bits of the hash, which is what needs to meet or exceed the target difficulty, and which just about always exceeds the target difficulty by some measure, sometimes small, sometimes big.

It's just statistics. If you find a hash which is smaller than the required minimum, it's not unlikely that it is much smaller.
This doesn't mean that the block was harder – there is no such thing.

[casascius]

It's just statistics. If you find a hash which is smaller than the required minimum, it's not unlikely that it is much smaller.
This doesn't mean that the block was harder – there is no such thing.

It's not so much me thinking the block is "harder": If the block was given more weight in determining the longest chain just because it represented a greater apparent "proof of work", it would potentially enable a vicious double spend scenario.  To the extent the block is given no more weight than the minimum difficulty regardless of the has value as theymos said, the problem I suggested could exist, doesn't exist.

[Jim Hyslop]

It's just statistics. If you find a hash which is smaller than the required minimum, it's not unlikely that it is much smaller.
This doesn't mean that the block was harder – there is no such thing.

I disagree. I consider a block "harder" to solve if it requires more guesses. A block where the nonce value is 1 is easier to solve, IMO, than a block where the nonce value is 1,000,000. Some blocks won't even have a solution - no value of the nonce from 0 through 0xFFFFFFFF (inclusive) will generate a hash that meets the target requirement. Would you not consider that block impossible to solve? And is impossibility not a measure of difficulty?

To the extent the block is given no more weight than the minimum difficulty regardless of the has value as theymos said, the problem I suggested could exist, doesn't exist.

What you described sounds like the "finney attack" (or at least, my understanding of the Finney attack).

You do have a window of opportunity, but it would be measured in minutes, not hours. On average, your window will be 10 minutes minus the time it took you to find your solution (and, of course, averages cannot be applied to individual events, so you cannot predict exactly how much time you really have). Unless the value you're trying to double-spend is high, you're better off just submitting the block and claiming the 50BTC reward.

[casascius]

I disagree. I consider a block "harder" to solve if it requires more guesses. A block where the nonce value is 1 is easier to solve, IMO, than a block where the nonce value is 1,000,000. Some blocks won't even have a solution - no value of the nonce from 0 through 0xFFFFFFFF (inclusive) will generate a hash that meets the target requirement. Would you not consider that block impossible to solve? And is impossibility not a measure of difficulty?

The nonce isn't the only thing that matters, it's only 32 bits of the entire hash input.  There's also the extraNonce and the time, as well as the hash of the transaction list, which is different for everybody.  There are more bits that have to be "guessed" than the nonce to find a solution.

Otherwise this is like suggesting that because you walked out your front door and found a $20 dollar bill lying in the street, that $20 dollar bills are easy to find.

Right now, only one hash attempt in about 327 trillion (at current dificulty level) will solve a block.  That's a far wider range than 0 thru 0xFFFFFFFF.  It's more like one in about 0xFFFFFFFFFFFF.

[Jim Hyslop]

I disagree. I consider a block "harder" to solve if it requires more guesses. A block where the nonce value is 1 is easier to solve, IMO, than a block where the nonce value is 1,000,000. Some blocks won't even have a solution - no value of the nonce from 0 through 0xFFFFFFFF (inclusive) will generate a hash that meets the target requirement. Would you not consider that block impossible to solve? And is impossibility not a measure of difficulty?

The nonce isn't the only thing that matters, it's only 32 bits of the entire hash input.  There's also the extraNonce and the time, as well as the hash of the transaction list, which is different for everybody.  There are more bits that have to be "guessed" than the nonce to find a solution.

The extra nonce and the time are relatively stable compared to the nonce. I didn't mention them because I consider them part of the block to be solved: the extra nonce changes the Merkle root, and the timestamp is in the block itself.

Otherwise this is like suggesting that because you walked out your front door and found a $20 dollar bill lying in the street, that $20 dollar bills are easy to find.

I really don't see how you came to that conclusion from what I wrote. I never said that because one was easy to find, they are all easy to find. I compared two single occurrences, and asserted that one was easier than the other, therefore it is possible to say that some blocks are harder to solve than others.

Besides which, your analogy is flawed. Finding a $20 bill is a random event, unless you spend your day hunting for $20 bills. Finding a solution to a block is (or should be) a methodical approach: try one value. If it doesn't work, try the next value. If it doesn't work, try the next value. And so on, until you exhaust the values, at which point you adjust one of the other two parameters (extra nonce and timestamp), or generate a whole new block with a different set of transactions.

A guess involves adjusting one or more of the nonce, extra nonce or timestamp. More guesses mean more work for the CPU, more work means it is harder.

All of which strengthens my claim: some blocks are harder to solve than others.

[Pieter Wuille]

All of which strengthens my claim: some blocks are harder to solve than others.

I disagree, the work you need to for every block on average is identical. It is the criterion you use for marking a certain block as good or bad what will cause the difficulty. And as long as that criterion is (integer value of hash is less than given_number), all blocks that match have identical difficulty. The fact that only some of those blocks would also match a higher difficulty (and thus a different criterion), doesn't change that.

You could of course talk about the effective number of hashes one needed to try to find a block, instead of their average expected number of hashes, as you say. That's possible and reasonable, but not very useful in this context.

[casascius]

Otherwise this is like suggesting that because you walked out your front door and found a $20 dollar bill lying in the street, that $20 dollar bills are easy to find.

I really don't see how you came to that conclusion from what I wrote. I never said that because one was easy to find, they are all easy to find. I compared two single occurrences, and asserted that one was easier than the other, therefore it is possible to say that some blocks are harder to solve than others.

If the $20 bill is sitting at your doorstep and not mine, then easier for you, but not for me.  That's not the same thing as easy.

A block where the nonce value is 1 is easier to solve

... if you mean "easier to solve when one happens to have luckily picked the right nonce and timestamp to make that possible..." then you're right.  Of course, Jennifer Aniston is easy too... if she happens to show up drunk on my doorstep after a wild series of wrong turns through Salt Lake City that shake off her entire posse...

[Jim Hyslop]

Otherwise this is like suggesting that because you walked out your front door and found a $20 dollar bill lying in the street, that $20 dollar bills are easy to find.

I really don't see how you came to that conclusion from what I wrote. I never said that because one was easy to find, they are all easy to find. I compared two single occurrences, and asserted that one was easier than the other, therefore it is possible to say that some blocks are harder to solve than others.

If the $20 bill is sitting at your doorstep and not mine, then easier for you, but not for me.  That's not the same thing as easy.

Did you even read what I wrote? I never claimed anything was easy.

A block where the nonce value is 1 is easier to solve

Stay current, please, I abandoned that argument already.

... if you mean "easier to solve when one happens to have luckily picked the right nonce and timestamp to make that possible..." then you're right.  Of course, Jennifer Aniston is easy too... if she happens to show up drunk on my doorstep after a wild series of wrong turns through Salt Lake City that shake off her entire posse...

Please stop with the irrelevant, nonsensical analogies.

OK, do you agree with this statement: it takes longer to find a solution to some blocks than it does for other blocks.
Yes or no?

[Jim Hyslop]

All of which strengthens my claim: some blocks are harder to solve than others.

I disagree, the work you need to for every block on average is identical.

On average, yes. But we aren't discussing averages, we are discussing individual blocks.

You could of course talk about the effective number of hashes one needed to try to find a block, instead of their average expected number of hashes, as you say. That's possible and reasonable, but not very useful in this context.

That's basically what I'm getting at.

[casascius]

OK, do you agree with this statement: it takes longer to find a solution to some blocks than it does for other blocks.
Yes or no?

Each block is just as hard to solve as any other block with the same difficulty.  Some get solved sooner than later, and that's 100% due to pure chance, 0% to do with the intrinsic properties of the block.

Suppose someone solves a block in 5 seconds.  Then, for whatever reason, (perhaps due to a software bug that allowed an illegal transaction, as happened once before) we decide that we need to roll back that block and every one after it.  The same block must be re-solved.  Will the same block require 5 seconds to solve the second time?  I think not.