Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: cunicula on November 04, 2012, 03:27:18 AM



Title: Bribery: The Double Double Spend
Post by: cunicula on November 04, 2012, 03:27:18 AM
Attackers can easily bribe rational miners to double spend using txn fees. [this seems likely to have been discussed before; point me there if my discussion is old hat]

Say attacker starts with significant balances in two addresses at block t-1: D (double-spend) and B (bribe); attacker also has empty addresses as follows: A1, A2, ... and C.

1) Mine a secret side chain block that extends block t-1. In the first block of your side chain, include a txn that (secretly) transfers B->A1. (Wait to get 1 side chain block before moving to step 2.)
2) On the main chain in block t, send D to purchase something you want to steal. Simultaneously, include a txn that sends B->C in this block. (this is the 'double double-spend.' You plan to reverse both txns.)
3) Wait to get the good you purchased using D (the sooner the better)
4) Announce your attack chain. Send a sequence of bribes as follows: send a high-fee txn from A1 to A2. After this enters a block, send a high-fee txn from A1 and A2 to A3. After this enters a block send a high-fee txn from A1 and A3 to A4, keep sending out the bribe sequence until you overtake the main chain or your bribe fund is exhausted.
5) Simultaneously, after each attack block is found, identify the generation address on the attack block. On the main chain, send block reward to this generation address using address C. These sends get reversed if the attack succeeds. If the attack fails, these sends compensate the attack miners for participation.


Consider the rational miner's problem:
If the attack succeeds, honest miners get nothing. If the attack fails, honest miners get block reward.
If the attack succeeds, then attack miners get block reward + bribe. If the attack fails, then attack miners get block reward.
Therefore the dominant strategy is to attack. The probability of attack success is irrelevant.

Consider the attacker's problem:
If the attack succeeds, then the attacker gets a stolen value of D - bribe.
If the attack fails, then the attacker loses n*block reward, where n is the number of confirmations on the initial spend.
Therefore, if p is the probability of attack success, you attack if p(D-B) > (1-p)(block reward)n
Clearly, B has some positive influence on p, but it is hard to guess what. If all miners were atomistic and perfectly rational, then p is 1 for B>0, so you want to attack whenever you buy anything of strictly positive value.

Notes: To mitigate this problem, it would help if ...

a) It was extremely difficult to make secret one-block long side chains. One block public forks are fine. If it were public, the double-spend in step 2 would set off alarm bells and prevent timely completion of step 3.
b) Miners were not rewarded with fees.

I think (a) is the larger problem, (b) is kind of a side issue. Even without fees, you could still offer ex-post rewards as was done in step (5). Fees just help you commit.
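
Added example (not part of cunicula's post): the miner payoff table and the attacker's condition p(D-B) > (1-p)(block reward)n from the post, read from the merchant's side to find the smallest confirmation count n at which that condition stops holding. The function names and the sample figures (block reward 25, p = 1/4, the payment values) are assumptions constructed for the illustration.

```python
from fractions import Fraction
import math


def miner_payoffs(block_reward, bribe):
    """Per-block payoff to one small miner, keyed by (choice, outcome),
    exactly as the post lists them."""
    return {
        ("attack", "attack_succeeds"): block_reward + bribe,  # reward + fee bribe
        ("attack", "attack_fails"): block_reward,   # compensated from C (step 5)
        ("honest", "attack_succeeds"): 0,           # main-chain block is orphaned
        ("honest", "attack_fails"): block_reward,
    }


def attack_is_dominant(payoffs):
    """True if mining the attack chain is never worse than honest mining
    and strictly better in at least one outcome (weak dominance)."""
    outcomes = ("attack_succeeds", "attack_fails")
    diffs = [payoffs[("attack", o)] - payoffs[("honest", o)] for o in outcomes]
    return all(d >= 0 for d in diffs) and any(d > 0 for d in diffs)


def attacker_expected_gain(p, D, B, block_reward, n):
    """Left side minus right side of the post's condition:
    p(D-B) - (1-p) * block_reward * n. Positive means 'attack'."""
    p = Fraction(p)
    return p * (D - B) - (1 - p) * block_reward * n


def min_confirmations(p, D, B, block_reward):
    """Smallest n for which p(D-B) > (1-p)*block_reward*n is false.

    Returns 0 when the bribe already exceeds the payment, and None when
    p == 1 (the post's atomistic, perfectly rational case), because then
    the right side is zero for every n and no confirmation count helps.
    """
    p = Fraction(p)
    if p <= 0 or D <= B:
        return 0
    if p >= 1:
        return None
    # Exact rational arithmetic so ceil() is not thrown off by float error.
    return math.ceil(p * (D - B) / ((1 - p) * block_reward))


def confirmation_policy(payment_values, p, B, block_reward):
    """Map each payment value D to the confirmations a merchant would need
    under the post's model, for an assumed success probability p."""
    return {D: min_confirmations(p, D, B, block_reward) for D in payment_values}


if __name__ == "__main__":
    R = 25                      # constructed block reward
    p = Fraction(1, 4)          # constructed attack success probability
    print("attack dominant for miners:", attack_is_dominant(miner_payoffs(R, 1)))
    for D, n in confirmation_policy([150, 1000, 5000], p, B=100, block_reward=R).items():
        print(f"payment {D}: wait for {n} confirmations")
    print("p = 1:", min_confirmations(1, 1000, 100, R))
```

The p = 1 branch is the post's closing claim in code form: if every miner is atomistic and rational, the failure cost term vanishes and the model gives the merchant no safe confirmation depth.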



Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 04, 2012, 03:53:41 AM
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 04, 2012, 04:14:11 AM
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.

The attacker and the miners are pseudonymous. Coins are fungible. He can wash the dirty coins, put them in new unknown wallets, and attack again using a fresh identity.


Title: Re: Bribery: The Double Double Spend
Post by: mskwik on November 04, 2012, 04:18:35 AM
This seems to assume that miners are either working for one side or the other, it seems to me that if the "bribe" is less than the block generation amount the optimal mining strategy is to keep both chains going out as long as the attacker can afford and have the attack fail in the end.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 04, 2012, 04:30:11 AM
This seems to assume that miners are either working for one side or the other, it seems to me that if the "bribe" is less than the block generation amount the optimal mining strategy is to keep both chains going out as long as the attacker can afford and have the attack fail in the end.

The assumption is that mining is decentralized. Suppose you extend the main chain, then individually you get block reward if the attack fails, nothing otherwise. The attacker needs to distribute more bribes, but these are divided evenly (in expectation) across everyone mining the attack chain. It is not individually rational to extend the main chain in order to distribute handouts across all attack miners.



Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 04, 2012, 04:42:04 AM
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.

The attacker and the miners are pseudonymous. Coins are fungible. He can wash the dirty coins, put them in new unknown wallets, and attack again using a fresh identity.

In a transaction big enough that you can afford to bribe miners to reverse it?  Not likely.


Title: Re: Bribery: The Double Double Spend
Post by: mskwik on November 04, 2012, 04:44:59 AM
The assumption is that mining is decentralized.

And yet you have some centralized channel setup to announce your attack chain to miners?  Perhaps I'm misunderstanding it somewhere but doesn't the satoshi client not forward competing blocks until they become part of the longest chain?  I see how it mirrors game theory in that your individual reward might be highest helping the attacker, but the assumption there is that the players can't communicate with each other and I'm not sure that holds true in this case.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 04, 2012, 05:04:28 AM
The assumption is that mining is decentralized.

And yet you have some centralized channel setup to announce your attack chain to miners?  Perhaps I'm misunderstanding it somewhere but doesn't the satoshi client not forward competing blocks until they become part of the longest chain?  I see how it mirrors game theory in that your individual reward might be highest helping the attacker, but the assumption there is that the players can't communicate with each other and I'm not sure that holds true in this case.

Of course, I am assuming that people don't use the satoshi client to mine. Otherwise how can there be attackers? Instead they adopt some other client which is more flexible (allows communication with attackers), but which still produces valid blocks. You can think of the new client as League of Shadows P2Pool. They adopt this client because it works just as well for honest purposes, but also allows for extra earnings through illicit activity.

You mean the assumption is that the players can communicate with each other? (Otherwise how does the attacker announce his sidechain?) Yes, I'm assuming players can communicate freely and that the modified client allows them to do this. I think that is a pretty standard assumption. Assuming that no one can communicate at all except via the Satoshi client is bizarre.

How would communication across players possibly help them rationally fight the attacker?



Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 04, 2012, 05:09:59 AM
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.

The attacker and the miners are pseudonymous. Coins are fungible. He can wash the dirty coins, put them in new unknown wallets, and attack again using a fresh identity.

In a transaction big enough that you can afford to bribe miners to reverse it?  Not likely.

I thought the point was that (if miners behave rationally and are atomistic), then any tx is big enough that you can afford to bribe miners to reverse it.


Title: Re: Bribery: The Double Double Spend
Post by: FreeMoney on November 04, 2012, 05:21:30 AM
I might be missing something but I don't see how this isn't just obvious. You can buy more mining power yourself or you could hire out.


Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 04, 2012, 05:37:44 AM
Don't forget that no one will ever trust the attacker again after he publishes the proof of his misdeeds for the entire world to see.  Also, no one should be accepting transactions on low confirmation counts unless they can afford to lose it.

The attacker and the miners are pseudonymous. Coins are fungible. He can wash the dirty coins, put them in new unknown wallets, and attack again using a fresh identity.

In a transaction big enough that you can afford to bribe miners to reverse it?  Not likely.

I thought the point was that (if miners behave rationally and are atomistic), then any tx is big enough that you can afford to bribe miners to reverse it.

Well, you are wrong about that.  If that is the conclusion you've come to, then you aren't tracking the costs and rewards properly along with the probabilities of success for all of the parties.  It gets worse when you add in reputation costs, but even ignoring those, it still doesn't work.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 04, 2012, 05:53:19 AM

Well, you are wrong about that.  If that is the conclusion you've come to, then you aren't tracking the costs and rewards properly along with the probabilities of success for all of the parties.  It gets worse when you add in reputation costs, but even ignoring those, it still doesn't work.
You fail in reading comprehension, perhaps intentionally. I said "if" indicating an assumption, not a conclusion. You are assuming that reputation is strictly a positive force, which is not necessarily the case.

If GPUmax has a reputation for paying a premium on shares and miners are greedy, then reputation can make things worse. I think this is freemoney's point that this whole scenario is obvious. He is thinking of a centralized double-spending business, rather than a decentralized mechanism of attack. If the business pays more for shares and maintains a reputation for doing so, it should get 51% of the hash power.

I am thinking of decentralized double-spending p2p software that any attacker can use. The nice thing about the decentralized mechanism is that it allows attacker to be anonymous. This might be preferred if attackers face real world retribution.

It might be difficult to make GPUmax an anonymous hidden service (not sure though).

Finally, perhaps you are referring to the costs of failed attack which sucks for the attacker. You can solve this by making the bribes really big and not insuring the miners against failure at all. Then you only pay out for a successful attack. Problem is that attack is no longer a dominant strategy for miners. Whether you attack or not depends on your prior beliefs about attack success. This problem is considerably more complicated because you have to specify how beliefs are formed. In general, there will be multiple equilibria and these will depend on miners' prior beliefs.


Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 08, 2012, 09:52:50 AM
Yes, this issue (and variants) have been discussed before.

This type of analysis has a few problems. The first is that it redefines the word "rational" to mean "short term thinker", which is not the same thing. Life is full of examples where you can make a quick buck in the short term but destroy your income over the long term, and somehow civilization still makes progress. A rational miner would not simply double-spend any transaction with high enough fees, because that would result in a short term profit at the cost of destroying confidence and thus usage of Bitcoin over the long run.

That possibility is explicitly addressed in Satoshi's paper:

Quote
He ought to find it more profitable to play by the rules .... than to undermine the system and the validity of his own wealth.

The actual quote is discussing the case of trying to individually obtain enough mining power to outrun the chain and double spend, but buying hash power to do so is not much different.

So the only way this scenario can occur is if all miners end up being exclusively short term and being willing to sacrifice Bitcoin to get a few double-spend fees that they then immediately cash out. But many miners are in it for the long term, either for ideological reasons, or because they have large sunk costs in Bitcoin-specific hardware, or both. Killing confidence in the system is not in their interests.

The other problem is that it's not true that purchasers are always anonymous. Today that may often be true, but that's because Bitcoin is primarily used for relatively small and unimportant purchases. Nothing says merchants have to deal with anonymous customers, and if double spends become common merchants will just start requiring ID in order to sell you things, with some kind of distributed reputation system over those IDs. Eg, the Bitcoin Foundation does not sell membership to anonymous people.

Incidentally, I think eventually double spends will happen semi-regularly and anonymous purchases will become less common for that reason, but I think it'll happen for different reasons to what you think (ie not a conspiracy of short term miners).


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 08, 2012, 10:20:11 AM
Yes, this issue (and variants) have been discussed before.

This type of analysis has a few problems. The first is that it redefines the word "rational" to mean "short term thinker",
In the OP I used "rational". In a reply, I clarified to write "rational" and "atomistic". "Rational", "atomistic" miners are of course "short term thinkers" by definition.
I invite you to point out any problems you see with the analysis in this case. I don't see any at all.

Incidentally, I think eventually double spends will happen semi-regularly and anonymous purchases will become less common for that reason, but I think it'll happen for different reasons to what you think (ie not a conspiracy of short term miners).
There is no conspiracy involved here. All of the miners are individually rational. They are not colluding in any way. There is a single attacker who mined one block and then leverages this to execute an attack in full public view.

You are being presumptuous. This post does not refer to what I think will happen. I think that PoW mining (if it survives at all) will become a completely centralized monopoly. The attack scenario is no longer relevant in this case, but this type of attack provides one important reason to expect the PoW monopoly to emerge or alternatively PoW to be supplanted by a more robust design. I'm not sure whether the monopoly will allow treat bitcoin like cash or credit cards (regular double spends). That will be up to the monopoly operator.

Could you explain why you think there will be regular double spends in the future?


Title: Re: Bribery: The Double Double Spend
Post by: becoin on November 08, 2012, 12:14:06 PM
That possibility is explicitly addressed in Satoshi's paper:

Quote
He ought to find it more profitable to play by the rules .... than to undermine the system and the validity of his own wealth.
It is always amusing to see how rational people believe that all people are rational. I have to disappoint all believers in the rationality of homo sapiens. I agree that long term a human or organization of any kind has to be rational to survive, but the world is full of short term madness.

Even institutionalized madness is on the rise recently. For instance, the president of ECB Mario Draghi is such an example. When discussing the future of euro he said they will protect euro "whatever it takes"... Can you imagine what this can really take? Can you imagine what will it take if EUR, USD, YEN, GBP, CHF, etcetera all together need to be saved?

If you want to really protect a system you have to protect it against irrational behavior as well.


Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 08, 2012, 12:32:21 PM
I'm not sure what "atomistic" means, are you sure that's the word you wanted? The definition is apparently "divided into separate and often disparate elements."

There is a conspiracy because the behavior you are suggesting all miners will adopt is not the behavior of the standard software, somebody would have to write the necessary patches and then others would have to switch their regular software to the modified version. That's a "conspiracy" in the sense that it only makes sense to do so if others do it too, hence they must collude. That collusion would certainly be detected, and the fact that Bitcoin was about to get less reliable would cause selloffs that depress the exchange rate, and perhaps closure of some merchants. Certainly any miner who had any investment in Bitcoin would see the value of that investment shrivel up long before users learned about the new "status quo" and began regularly trying to use complicated bribe schemes.

This is the problem with game theory. It reduces complicated situations and actors with many competing agendas down to simple automatons.

A much bigger problem is simply people who are paid directly to mine, via sites like HashPower or GPUMAX, and who don't care what they mine on. It simplifies mounting some kinds of attack but the general economics still hold.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 08, 2012, 01:12:16 PM
I'm not sure what "atomistic" means, are you sure that's the word you wanted? The definition is apparently "divided into separate and often disparate elements."

There is a conspiracy because the behavior you are suggesting all miners will adopt is not the behavior of the standard software, somebody would have to write the necessary patches and then others would have to switch their regular software to the modified version. That's a "conspiracy" in the sense that it only makes sense to do so if others do it too, hence they must collude. That collusion would certainly be detected, and the fact that Bitcoin was about to get less reliable would cause selloffs that depress the exchange rate, and perhaps closure of some merchants. Certainly any miner who had any investment in Bitcoin would see the value of that investment shrivel up long before users learned about the new "status quo" and began regularly trying to use complicated bribe schemes.

This is the problem with game theory. It reduces complicated situations and actors with many competing agendas down to simple automatons.

A much bigger problem is simply people who are paid directly to mine, via sites like HashPower or GPUMAX, and who don't care what they mine on. It simplifies mounting some kinds of attack but the general economics still hold.

You are right. Downloading special software or mining at a special pool like GPUMAX is a form of conspiracy. There is an important distinction between GPUmax and special software. GPUmax is easier to set up. Special software could duplicate the function of GPUmax. Because the software could be P2P and could behave just like bitcoind under non-attack circumstances, it would be more difficult to detect and destroy. It would also be more difficult to gauge the threat posed by such software. Moreover, the software would help the attacker remain pseudonymous. This is possible with GPUmax, but probably more difficult.

In game theory, "Atomistic" refers to the assumption that individual choices have no impact on aggregate variables, i.e. individuals are tiny and numerous like atoms; aggregate variables emerge through integration over infinite numbers of tiny atoms. It is a simplifying assumption for analyzing games with large numbers of players. Here it just means that individual decisions have no effect on whether the attack succeeds. The hashing power of any one decision maker is simply too small to make a difference. Therefore, individual decision makers ignore the effect of their decisions on attack success probability. This makes it irrelevant whether they have investments in bitcoin or not.

Sorry for being a little pissy.

I agree that game theory doesn't predict behavior very well. But there isn't a good alternative to game theory besides experimentation.

Anyways, the most interesting question is why you think there will be semi-regular double spends in the future. Why?



Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 08, 2012, 01:50:04 PM
What speed is the right speed for the Bitcoin network?

  http://bitcoin.sipa.be/speed-lin-ever.png

The simplest answer of course is "as high as possible", but that's not a good answer because we can always divert more and more wealth into hashing. The right answer is "as much as necessary but no more". Doing more work than necessary just wastes energy and the money needed to pay for it.

So how much is necessary? Well, it's impossible to know today because merchants don't seem to be complaining about double spends. At least if this is a regular problem I've not seen any discussion of it. So it's safe to say that our current speeds are better than necessary. We can only really find out the speed that is necessary by letting the speed fall until people start complaining. As inflation dries up and we catch up with the best possible technologies for hashing, speeds will eventually fall until double spends start happening with some degree of regularity. At that point the community will find some way to fund the network (insurance, assurance contracts, attaching fees to important transactions, whatever).
 
This opens the question of what the right speed is, given that people have differing tolerances for risk. Some people have claimed this is a fundamental weakness of Bitcoin and that funding network security post inflation will result in a race to the bottom that destroys the system, but I don't think so. I suspect Bitcoin will stabilize at some kind of group consensus on something that's "good enough". Users with extreme needs will have to wait, combine Bitcoin with security enhancing technologies like trusted computing / smart cards, use insurance, rely on reputation and risk analysis.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 08, 2012, 02:12:42 PM

Some people have claimed this is a fundamental weakness of Bitcoin and that funding network security post inflation will result in a race to the bottom that destroys the system

Right, I am the undisputed number one proponent of this argument. If you look at my post history you will see that about 50% of my posts are related to me screaming "bitcoin will fail because of a race to the bottom." That is how I got so many ignores.

If you are worried about this, why not try to solve the root problem? There are a number of promising approaches (e.g. requiring randomly selected sequence of private keys to sign hash(block,txns in block) before the block enters the chain.) Admittedly a hard fork is absolutely required for any solution. You don't have to create inflation or stop giving block reward to PoW miners. I don't think they can keep 100% of the txn fees though.



Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 08, 2012, 02:18:00 PM
I'd rather wait until it becomes a problem. I disagree we need any hard forks. There are plenty of proposals that don't need that.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 08, 2012, 02:18:40 PM
I'd rather wait until it becomes a problem. I disagree we need any hard forks. There are plenty of proposals that don't need that.

Like what?

Moreover, do you think big fixes like this will get easier if bitcoin grows? I expect the opposite.


Title: Re: Bribery: The Double Double Spend
Post by: becoin on November 08, 2012, 02:38:20 PM
What speed is the right speed for the Bitcoin network?
The simplest answer of course is "as high as needed". It must be a dynamic variable.

- needed just right to discourage attacker(s), no more.
- discouraging can be done only by attracting more honest miners.
- ad hoc attracting more honest miners can be done only by increasing incentives i.e. increasing the minimum txn fees.
- who will increase the minimum txn fee?
- if it is the mining community, can they abuse this power by launching false attacks just to increase their income?
- who will reject all transactions with insufficient txn fees?
- the process of evaluating network health must be autonomous.
- the process of evaluating network health must be closely linked to the process of defining "next block minimum txn fee" or something like that.

It is a question discussed last year. The question of dynamically defined minimum txn fees is a central question!


Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 08, 2012, 02:42:54 PM
Like network assurance contracts.

A group of people or companies want network speeds to be higher. However, none wants to be the sucker who pays for all the others.

They broadcast an assurance contract on a separate p2p network with a pledge from themselves. The contract is a transaction with a zero value output, ie, it exists purely for fees and to incentivise mining. If others find the size of the incentive acceptable they also submit pledges in whatever amount they prefer. Once enough pledges are broadcast they are automatically combined and submitted to the main Bitcoin p2p network. Miners then race to find a block including this fee paying transaction. Once new blocks are broadcast the process can repeat. Alternatively nLockTime can be used to set up a few contracts ahead of the current chain head block.

You might say, perhaps miners would include only the incentive transaction and not any others. But with good software including other transactions, even free transactions, is so easy that miners should do it anyway for the overall health of the network (they do today, after all).

Assurance contracts are a well studied method to incentivise the creation of public goods. There are some useful economics papers on the topic if you want to read the literature.


Title: Re: Bribery: The Double Double Spend
Post by: becoin on November 08, 2012, 02:55:30 PM

A group of people or companies want network speeds to be higher. However, none wants to be the sucker who pays for all the others.

They broadcast an assurance contract on a separate p2p network with a pledge from themselves.
This is not a wise approach. What you generally suggest is a second network to support bitcoin network, a network of insurers. This would be bitcoin level 2 network. And who will insure the insurers? Maybe a group of people or companies on a third p2p network, a bitcoin level 3 network?


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 08, 2012, 03:11:12 PM

Assurance contracts are a well studied method to incentivise the creation of public goods. There are some useful economics papers on the topic if you want to read the literature.

Okay, you prefer a perpetual waste of resources to a hard fork. That is ridiculous in its own right, but worse yet it is not likely to work. You should read the work of Elinor Ostrom. She tries to distinguish situations where private provision of public goods works well from situations where private provision of public goods works poorly. There are many situations where it works poorly. Bitcoin will prove to be such a case. (anonymous participants, impossible to sanction free-riders, large number of participants) all these are no-nos.

Please provide an example (comparable to bitcoin) where an assurance contract has functioned effectively.



Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 08, 2012, 03:17:55 PM
minimum txn fees is a central question!
Minimum txn fees are a hard fork (and a not particularly useful one)


Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 08, 2012, 03:25:14 PM

A group of people or companies want network speeds to be higher. However, none wants to be the sucker who pays for all the others.

They broadcast an assurance contract on a separate p2p network with a pledge from themselves.
This is not a wise approach. What you generally suggest is a second network to support bitcoin network, a network of insurers. This would be bitcoin level 2 network. And who will insure the insurers? Maybe a group of people or companies on a third p2p network, a bitcoin level 3 network?

I don't think you understood what he is proposing.  He is saying that if the current network speed is acceptable to most people, but a few people would like it higher for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra speed without changing the system.


Title: Re: Bribery: The Double Double Spend
Post by: becoin on November 08, 2012, 04:04:01 PM
I don't think you understood what he is proposing.  He is saying that if the current network speed is acceptable to most people, but a few people would like it higher for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra speed without changing the system.
I don't think this makes much sense. It is just the opposite of what OP is about. It is the same as - if the current network speed is acceptable to most people, but a few people would like it lower for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra low speed without changing the system - and then launch an attack!

So I suggest first group will pay / bribe in BTC while the second one will pay / bribe in USD or EUR?


Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 08, 2012, 04:20:17 PM
I don't think you understood what he is proposing.  He is saying that if the current network speed is acceptable to most people, but a few people would like it higher for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra speed without changing the system.
I don't think this makes much sense. It is just the opposite of what OP is about. It is the same as - if the current network speed is acceptable to most people, but a few people would like it lower for their own reasons (whatever those reasons are), they have a mechanism to pay for that extra low speed without changing the system - and then launch an attack!

So I suggest first group will pay / bribe in BTC while the second one will pay / bribe in USD or EUR?

What mechanism would they use to lower the network speed?  It is very easy to add mining incentives, but impossible to reduce them.  There are no anti-fees that you can put in a transaction to lower the reward for mining.

The OP proposes a scheme that he thinks will break the system, but he hasn't ever done a proper accounting of the costs, risk and rewards for all of the parties at each step along the way.  His conclusion is based on shitty bookkeeping, and a desire to find a way, any way, for his prejudgment about proof-of-work to be right.


Title: Re: Bribery: The Double Double Spend
Post by: becoin on November 08, 2012, 04:35:33 PM
What mechanism would they use to lower the network speed?  It is very easy to add mining incentives, but impossible to reduce them. 

Firstly, it is not that easy to add mining incentives if you pay in BTC. And secondly, it is not that difficult to reduce network speed if you have unlimited access to USD or EUR. You raise the network difficulty through cheap subsidized ASICs and when independent miners give up the entire network is yours. After all, ASIC manufacturers are paying dollars to produce them.


Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 08, 2012, 06:12:53 PM
What mechanism would they use to lower the network speed?  It is very easy to add mining incentives, but impossible to reduce them. 

Firstly, it is not that easy to add mining incentives if you pay in BTC. And secondly, it is not that difficult to reduce network speed if you have unlimited access to USD or EUR. You raise the network difficulty through cheap subsidized ASICs and when independent miners give up the entire network is yours. After all, ASIC manufacturers are paying dollars to produce them.

Yawn.  If you want to destroy bitcoin, it would be cheaper to round up all of the miners and shoot them.  If you want to reduce the difficulty, but still keep a functioning system, what are your options?

My apologies, I had taken the total destruction option to be an assumed, but uninteresting, path.


Title: Re: Bribery: The Double Double Spend
Post by: becoin on November 08, 2012, 06:31:41 PM
If you want to reduce the difficulty, but still keep a functioning system, what are your options?
Already explained on my previous post. You kill competition among miners through subsidized ASIC and you have what you want.

Bitcoin community is too much focused on open source software but open source hardware is equally important for the bitcoin network. What about donating to a bitcoin specific ASIC project on OpenCores.org?



Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 08, 2012, 06:39:29 PM
If you want to reduce the difficulty, but still keep a functioning system, what are your options?
Already explained on my previous post. You kill competition among miners through subsidized ASIC and you have what you want.

Bitcoin community is too much focused on open source software but open source hardware is equally important for the bitcoin network. What about donating to a bitcoin specific ASIC project on OpenCores.org?

Not explained at all, merely stated.  Adding subsidized ASICs to the mix will increase difficulty, at least until the point that everyone stops using the system entirely, at which point the only person left mining is the subsidizer, and he can set the difficulty to whatever low value he wants, but, and this part is critical, but no one cares because no one else is using it.

As for opencores, go for it.  I'm totally in favor of more designs and cheaper chips.  Considering that we are (probably, heh) going to go from zero publicly available ASIC designs to at least three in the next 12 months, I wouldn't say that open hardware is critical here, but it is always desired and appreciated.


Title: Re: Bribery: The Double Double Spend
Post by: becoin on November 08, 2012, 06:51:59 PM
at least until the point that everyone stops using the system entirely, at which point the only person left mining is the subsidizer, and he can set the difficulty to whatever low value he wants, but, and this part is critical, but no one cares because no one else is using it.
By everyone and no one you probably mean everyone and no one among miners?!


Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 08, 2012, 06:59:35 PM
at least until the point that everyone stops using the system entirely, at which point the only person left mining is the subsidizer, and he can set the difficulty to whatever low value he wants, but, and this part is critical, but no one cares because no one else is using it.
By everyone and no one you probably mean everyone and no one among miners?!

No, I meant exactly what I said, "no one else".  Would you use bitcoin if, for example, the Federal Reserve Bank was the only miner?


Title: Re: Bribery: The Double Double Spend
Post by: becoin on November 08, 2012, 07:14:06 PM
No, I meant exactly what I said, "no one else".  Would you use bitcoin if, for example, the Federal Reserve Bank was the only miner?
Exactly, kjj. This is not only the critical part but the final part because this will be the end of bitcoin. Attackers achieve their goal - bitcoin is crashed and current monetary monopoly stays intact!


Title: Re: Bribery: The Double Double Spend
Post by: kjj on November 08, 2012, 07:15:32 PM
No, I meant exactly what I said, "no one else".  Would you use bitcoin if, for example, the Federal Reserve Bank was the only miner?
Exactly, kjj. This is not only the critical part but the final part because this will be the end of bitcoin. Attackers achieve their goal - bitcoin is crashed and current monetary monopoly stays intact!

Again, there are easier ways to do that, and cheaper too.  That's why I say it is uninteresting, and why I had assumed that we were talking about something entirely different.


Title: Re: Bribery: The Double Double Spend
Post by: MoonShadow on November 08, 2012, 07:18:21 PM
Not explained at all, merely stated.  Adding subsidized ASICs to the mix will increase difficulty, at least until the point that everyone stops using the system entirely, at which point the only person left mining is the subsidizer, and he can set the difficulty to whatever low value he wants, but, and this part is critical, but no one cares because no one else is using it.

I can't see that subsidizing ASICs is going to run enough miners out of business.  Many don't, and never did, need to be profitable in any practical sense.  Many of the early full time miners were just displacing the electric resistive heating for their flat with as much mining heat as they could manage; simply displacing one electric heat source for another, with the potential of gaining bitcoins in the process.  Even if pool miners could be run out of business (something that I question for reasons beyond the above situation) the long term reduction of difficulty simply makes mining more attractive for those who can still justify it.


Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 09, 2012, 12:51:20 AM
Okay, you prefer a perpetual waste of resources to a hard fork. That is ridiculous in its own right, but worse yet it is not likely to work. You should read the work of Elinor Ostrom. She tries to distinguish situations where private provision of public goods works well from situations where private provision of public goods works poorly.

Alright, I'll check out her work. I'm not sure any previous situation is comparable to Bitcoin, so we'll have to wait and see how well it works in practice.

Quote
There are many situations where it works poorly. Bitcoin will prove to be such a case. (anonymous participants, impossible to sanction free-riders, large number of participants) all these are no-nos.

"Impossible to sanction free riders" is pretty much the definition of a public good. The point is you don't need to sanction them. The good gets created anyway by the people who care enough about it that they want it for themselves.

Quote
Please provide an example (comparable to bitcoin) where an assurance contract has functioned effectively.

You first - provide an example comparable to Bitcoin where it didn't.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 09, 2012, 04:06:45 AM

You first - provide an example comparable to Bitcoin where it didn't.
This is very difficult. Assurance contracts comparable to bitcoin are not observed because the idea is obviously unworkable. In most cases, failure would be anticipated and the experiment would never be tried.

Are you familiar with the noncooperative game theory on these issues (just the basic issue not assurance contracts)?

The most directly relevant paper is "System Reliability and Free Riding" by Hal Varian (Chief Economist at Google)
http://ns2.datacontact.dc.hu/~mfelegyhazi/courses/BMEVIHIAV15/readings/05_Varian2004system-reliability-free-riding.pdf

Abstract:
System reliability often depends on the effort of many individuals, making reliability a public good. It is well-known that purely voluntary provision of public goods may result in a free rider problem: individuals may tend to shirk, resulting in an inefficient level of the public good. How much effort each individual exerts will depend on his own benefits and costs, the efforts exerted by the other individuals, and the technology that relates individual effort to outcomes. In the context of system reliability, we can distinguish three prototypical cases.

The relevant prototypical case for bitcoin is the "sum of effort case." In this case, reliability is determined by the sum of efforts of all users. The Nash equilibrium is that the user who benefits the most from the system contributes 100% of the effort to maintaining system reliability. Every single other user contributes zero. This is also true if there is an attacker trying to destroy the network. The attacker wins if he benefits more from destroying the network than the highest valuation user benefits from saving it. The total value of the network is irrelevant. The highest valuation user determines aggregate network security.

I will think about the economics of organizing an assurance contract. I'm pretty sure that the contract's viability will depend on the distribution of user valuations. The more equal these are, the more effective the assurance contract would be. I will think more about it. However, let me reiterate that even if an assurance contract is viable in some cases it will remain a grossly inferior substitute to a securely designed system.


Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 09, 2012, 10:34:03 AM
I find an argument that starts with "I cannot show you an example of failure because failure is so obvious it's never happened" to be unpersuasive, especially because failure is not obvious - if you have to make complicated arguments based on game theory then almost by definition the failure isn't obvious. Humanity seems to have infinite capacity for trying bad ideas, I'm sure if you look you can find at least one comparable example.

The point of assurance contracts is to ensure that public goods are provisioned by ensuring the cost doesn't fall exclusively on the person who benefits the most, it's a solution to the problem of "the user who benefits the most from system contributes 100% of the effort to maintaining system reliability. Every single other user contributes zero."

We understand that you prefer alternative designs. At some point I'm not sure it's worth debating in more detail any more. Bitcoin isn't going to become a proof of stake system, the only way for you to really win this argument in the eyes of the world is to build a competitor that works better. If I'm right and at some point double spends do become an issue, then your competitor may look more attractive if it doesn't have that problem. Chain-trade scripts can be used to atomically swap Bitcoins for Cunicoins, perhaps on a fully automated p2p exchange, so the transition would not be too disruptive.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 09, 2012, 01:09:39 PM
I find an argument that starts with "I cannot show you an example of failure because failure is so obvious it's never happened" to be unpersuasive, especially because failure is not obvious - if you have to make complicated arguments based on game theory then almost by definition the failure isn't obvious.

An example of a likely failed assurance contract (my judgement yours may differ) is the following ad:  "Double Your Difference Offset Matching program, individuals can purchase carbon offsets to reduce their carbon footprint beyond what is typically possible with efficiency. When you purchase an offset, Entergy will double the impact of your purchase by matching up to five tons of carbon offsets purchased per individual."

This is an assurance contract for a public good. I don't see global warming as solvable via voluntary private sector arrangements.

 
Maybe someday bitcoin's monthly operation will be paid for by raising funds on kickstarter (that is a famous provider of assurance contracts). I wouldn't hold my breath.
 


Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 09, 2012, 02:30:06 PM
That example seems rather extreme. If something hasn't solved global warming, it's a failure? Pretty much everything fails that test.

Anyway, the problem with it is the outcome is not interesting to potential participants. The number of participants is limited by geography, awareness, scarcity of attention, funds, etc. Even with a huge scheme it's very likely the outcome would make no difference to most people's lives.

So I agree that assurance contracts can't solve that. It's really up to scientists to save us from that. The existence of creative works funded by assurance contracts is a better example of how they can succeed.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 09, 2012, 03:10:05 PM
That example seems rather extreme. If something hasn't solved global warming, it's a failure? Pretty much everything fails that test.

Anyway, the problem with it is the outcome is not interesting to potential participants. The number of participants is limited by geography, awareness, scarcity of attention, funds, etc. Even with a huge scheme it's very likely the outcome would make no difference to most people's lives.

So I agree that assurance contracts can't solve that. It's really up to scientists to save us from that. The existence of creative works funded by assurance contracts is a better example of how they can succeed.
Yeah, it is an extreme example.

I don't think the problem is that global warming is not interesting to potential participants. Plenty of people are concerned, aware, and pay attention. Otherwise it could not be a political issue.

It is more of 1) scaling 2) time constraints (the desired outcome spans a long time, but the contract cannot easily incorporate participants from the future) 3) Inability to sanction people who don't participate (for example by excluding them from use of the shared good).

I think all of these problems are pertinent to bitcoin.


Title: Re: Bribery: The Double Double Spend
Post by: chriswilmer on November 09, 2012, 11:19:10 PM
It seems to me that cunicula has identified a really interesting vulnerability! I would be very interested to know if there is a counter-strategy or not.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 10, 2012, 03:18:26 AM
It seems to me that cunicula has identified a really interesting vulnerability! I would be very interested to know if there is a counter-strategy or not.
I don't think there is a counter strategy in bitcoin. As you can see, the developers are opposed to modifications of the core protocol. There are counter strategies in alternate chains. One counter strategy is to require all blocks to be signed by a sequence of n randomly selected private keys before they enter the blockchain. You can't acquire these signatures without announcing your block (destroying secrecy). This makes secret double-spending almost impossible.

Without a secret block, the attacker cannot issue enforceable bribes. He could still bribe people to extend his chain, but bribes would have to be paid after signers extend the attack chain. The signers would have to trust the attacker to make good on bribe promises.

I am curious to know if anyone has thought of alternate counter strategies.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 10, 2012, 03:53:56 AM

"Impossible to sanction free riders" is pretty much the definition of a public good. The point is you don't need to sanction them. The good gets created anyway by the people who care enough about it that they want it for themselves.


Yes, but most cases where you see private arrangements to provide public goods working, there is some way of excluding outsiders from use of the public good. Thus the set of potential free-riders is limited. This is one of Elinor Ostrom's points. She argues that private arrangements work well for example in small communities. (e.g. where the public good is a grazing field, you let everyone in your community bring their animals to graze on the field. If you see some outsiders grazing on the field, then you send thugs to take them out.)


Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on November 10, 2012, 11:51:29 AM
No, that statement just isn't correct. The definition of a public good is one in which exclusion isn't possible. The very first sentence of the Wikipedia page for public good says this:

Quote
In economics, a public good is a good that is both non-excludable and non-rivalrous in that individuals cannot be effectively excluded from use and where use by one individual does not reduce availability to others.

I think this disagreement over definitions may be the root of our argument. Network security is clearly a public good, anyone can use it just by bringing up a TCP connection and broadcasting some transactions. Assurance contracts are a well studied way to provide such goods, albeit one that hasn't been used much until recently - but things like Kickstarter are showing the way. You haven't provided any convincing arguments as to why this won't work.

Chris, the point of this thread is that the developers have thought of lots of counter strategies, network assurance contracts are just one. cunicula rejects all of these, but that doesn't mean he's right.


Title: Re: Bribery: The Double Double Spend
Post by: cunicula on November 10, 2012, 03:55:31 PM
No, that statement just isn't correct. The definition of a public good is one in which exclusion isn't possible. The very first sentence of the Wikipedia page for public good says this:

Quote
In economics, a public good is a good that is both non-excludable and non-rivalrous in that individuals cannot be effectively excluded from use and where use by one individual does not reduce availability to others.

I think this disagreement over definitions may be the root of our argument. Network security is clearly a public good, anyone can use it just by bringing up a TCP connection and broadcasting some transactions. Assurance contracts are a well studied way to provide such goods, albeit one that hasn't been used much until recently - but things like Kickstarter are showing the way. You haven't provided any convincing arguments as to why this won't work.

Chris, the point of this thread is that the developers have thought of lots of counter strategies, network assurance contracts are just one. cunicula rejects all of these, but that doesn't mean he's right.

I don't want to argue with you about definitions. Public good is a loosely defined term. The key characteristics as you note are "non-excludable" and "non-rivalrous", but most "public goods" do not completely fit this description. You might find these lecture notes on public goods helpful:
http://are.berkeley.edu/courses/EEP101/spring05/Chapter07.pdf

You can certainly make broadcasting TCP transactions excludable (for example by imposing a minimum fee to get them accepted in blocks). Pools can do this by forming a 51% cartel and rejecting all blocks include free or cheap transactions. Alternatively a monopoly 51% pool can form. The problem is that these solutions look very much like Paypal/Visa/MC and I once hoped that bitcoin developers had higher aspirations.


Let's examine a few problems with assurance contracts.

1) Basic Assurance Contract

Say you write some shareware that needs a server to run. You can solicit $1 donations to support the server and say that if I get 100 of these, then I will run the server, if not then I will return the donations.
You are arguing that committing to return the donations if you get less than 100 serves as some kind of magic bullet. I think this is ridiculous.

Say that I value the service at v>1. Let x(1)>0 be the probability that the service operates if I contribute and x(0)>0 , x(0)<x(1) be the probability that the service operates if I do not contribute. The fact that I don't have to pay for nothing makes it an assurance contract. If I contribute, my payoff is x(1)(v-1). If I do not contribute then my payoff is x(0)v. Therefore, I contribute if x(1)(v-1)>x(0)v. Rearranging you get that I contribute if v>(x(1)/[x(1)-x(0)]).

Note that as x(1) approaches x(0), the valuation necessary to motivate my contribution becomes infinite. The distance between x(1) and x(0) decreases as the number of contributors increases. If you solicit small contributions from a large number of people x(1) will be very close to x(0), so no one will contribute. Even if you ask them for a very small amount.

The only approach that could work is soliciting very large contributions from a small number of big corporate donors. Then you potentially have x(1)>>x(0). I'm not sure if CorporateCoin is what everyone had in mind.

2) Dominant Assurance Contract [I have never seen an example of a contract like this in actual use, anywhere. It is easy to set up. Curious that this supposedly 'promising' concept has not been adopted by any of the assurance contract operations]

In the dominant assurance contract, there is an entrepreneur who insures the assurance contract against failure.  Perversely, after they have submitted funding, the contributors may now hope the project fails. One reason we may not see this on kickstarter is that it is an advertising platform (the contributors are supposed to aid the project, not try to hamstring it.)

Okay, back to the contract. The entrepreneur promises to refund the original contribution + a penalty, y>0, if the funding goals aren't met.

Therefore the previous problem becomes,

I contribute if x(1)(v-1)+(1-x(1))y>x(0)v. Now we contribute if v>[X-y(1-X)]/[x(1)-x(0)].
This is good because we can increase the probability of funding if the goals aren't met by offering a bonus y. If the bonus is large enough, then you will always contribute here. But the bonus is not a free lunch. The entrepreneur is taking risk here. He loses money if the fundraising fails y*n, where n is the # of contributors. Thus he needs to skim some profit off the donations.

This raises a number of concerns for me:
1) Ex-post the contributors may want the project to fail and could potentially benefit from sabotaging it. This is not a good structure for a collaborative project.
2) The arrangement requires the 'entrepreneur' to skim rents off of everyone else's donations. Compare this to say a minimum fee. With a minimum fee you get $1 of hashing power for every $1 collected with this arrangement you only get whatever is left over after the 'entrepreneur' takes his cut. Thus even if the contract works well, it will still be inferior to simply imposing a minimum fee.
3) The arrangement might be vulnerable to sabotage. Suppose that 'entrepreneur 1' offers a dominant assurance contract with a payoff y. I then contribute heavily to his contract, but not enough to put it over say 50% prob of success. Now I release my own dominant assurance contract with a payoff 2y. The new contract might persuade people to switch from his contract to mine. If my contract succeeds and his fails, then I scam entrepreneur 1 for a big profit. But wait... If I could scam the entrepreneur why doesn't another entrepreneur come along and try to scam me? Maybe I should never offer a contract in the first place? The existing literature, basically just one paper by an economist (http://www.iso.gmu.edu/~atabarro/PrivateProvision.pdf), does not consider this issue at all.

[The sabotage issue is complex and would require a lot more work than I am willing to put in to analyze. It alarms me that the existing literature hasn't even considered this.]
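
The contribution threshold from the post above, worked numerically as an added example (not part of the original thread). The binomial model, in which every other potential donor gives independently with probability p, and all function names are assumptions made here; X in the post's second formula is read as x(1), which is what rearranging the inequality gives.

```python
from math import comb, inf

CONTRIBUTION = 1.0  # the post normalises each donation to 1 (e.g. $1)


def prob_at_least(n, p, k):
    """P(Binomial(n, p) >= k): at least k of n independent donors give."""
    if k <= 0:
        return 1.0
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def success_probs(n_others, p, needed):
    """Return (x1, x0) in the post's notation.

    x1: probability the service is funded if I contribute
        (only needed - 1 of the others must give).
    x0: probability it is funded if I do not (needed of the others must give).
    Assumption: the others decide independently, each giving with probability p.
    """
    x1 = prob_at_least(n_others, p, needed - 1)
    x0 = prob_at_least(n_others, p, needed)
    return x1, x0


def prefers_to_contribute(v, x1, x0, y=0.0):
    """The post's inequality: x1*(v - 1) + (1 - x1)*y > x0*v.

    y = 0 is the basic assurance contract (refund only);
    y > 0 is the dominant contract (refund plus bonus y on failure).
    """
    contribute = x1 * (v - CONTRIBUTION) + (1 - x1) * y
    free_ride = x0 * v
    return contribute > free_ride


def threshold_valuation(x1, x0, y=0.0):
    """Smallest valuation v at which contributing beats free riding.

    Rearranged inequality: v > (x1 - y*(1 - x1)) / (x1 - x0).
    A result <= 0 means every user with positive valuation contributes.
    """
    if x1 <= x0:
        return inf  # my donation never changes the outcome
    return (x1 * CONTRIBUTION - y * (1 - x1)) / (x1 - x0)


def scaling_table(sizes=((3, 2), (19, 10), (199, 100)), p=0.5):
    """Rows of (n_others, needed, x1 - x0, threshold) as the pool grows."""
    rows = []
    for n_others, needed in sizes:
        x1, x0 = success_probs(n_others, p, needed)
        rows.append((n_others, needed, x1 - x0, threshold_valuation(x1, x0)))
    return rows


if __name__ == "__main__":
    print("basic contract: threshold rises as x1 - x0 shrinks")
    for n_others, needed, gap, v_min in scaling_table():
        print(f"  others={n_others:4d} needed={needed:4d} "
              f"x1-x0={gap:.4f} contribute only if v > {v_min:.2f}")

    print("dominant contract, 199 others, 100 needed: effect of bonus y")
    x1, x0 = success_probs(199, 0.5, 100)
    for y in (0.0, 0.5, 1.0, 1.5):
        print(f"  y={y:.1f} contribute only if v > "
              f"{threshold_valuation(x1, x0, y):.2f}")
```

x(1) - x(0) is the probability that a single donation is pivotal, so the required valuation for a $1 donation grows as the pool grows, and the bonus y lowers it only at the entrepreneur's expense.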


Title: Re: Bribery: The Double Double Spend
Post by: Mike Hearn on June 20, 2013, 07:17:01 AM
I was asked to copy the following post by DeanBrettle from the newbie area:

https://bitcointalk.org/index.php?topic=238611.msg2526828#msg2526828

Probably best to continue the discussion on that thread if you want to respond.

----

This is my contribution to the November 2012 discussion of the potential for a Double Double Spend attack on bitcoin. Since it is an old thread, I'll start by trying to recap the existing discussion.

<recap>
As described in cunicula's original post, the attacker secretly mines a side chain block containing a double spend and then, after the victim has received enough confirmations to accept the original spend, the attacker bribes miners to mine on his side chain. Every time a side-chain block is mined the attacker pays the miner, on the main chain, an amount equal to the block reward, and also pays some small amount to the miner on the side chain in addition to the block reward that the miner automatically receives for mining a block. By paying the rewards on the main chain and the bribes on the side chain from a separate double spend, the attacker only pays the rewards if the attack fails. However, if miners are purely profit-driven the attack should succeed because mining the side chain is just as profitable as mining the main chain if the attack fails and it is more profitable if the attack succeeds.

mskwik pointed out that the satoshi client doesn't propagate blocks that aren't on the longest chain so the attacking miners would need to be running a client that allowed them to share the side chain while they were attacking. cunicula agreed but didn't think it was safe to assume that miners would refuse to run a more profitable client.

Mike Hearn said that miners wouldn't take part in such an attack because the attack would destroy confidence in bitcoin, which is something they have a lot invested in either financially or ideologically. He also said that if double spends become too common, merchants would require identification and a reputation system would emerge to prevent them.

cunicula's preferred fix is requiring blocks to be signed by a sequence of randomly selected private keys. If signers refused to sign blocks containing double spends, then double spends could not occur.

The rest of the thread is a discussion of the separate issue of what will happen to bitcoin as the block reward drops to zero and what, if anything, should be done about it. While I think that is an important issue, I want to focus on the attack that cunicula proposed in his original post.
</recap>

Since I didn't find Mike Hearn's response particularly reassuring, I went looking for other reasons that the attack might not be as easy as cunicula's explanation makes it seem. I think I've found two things missing from cunicula's analysis.

First, the victim is a player as well, and has at least one potential counter-strategy. Once he sees the side-chain, he can bribe the miners to mine blocks on the main chain instead of the side-chain. He can even play the same type of strategy as the attacker, paying the block reward on the side-chain for blocks mined on the main chain, and paying a bribe on the main chain.

Second, any pool operator or solo miner in possession of a locked post-fork main chain block reward will lose that reward if the attack succeeds. These entities are collateral damage from the perspective of the attacker, but they have a financial interest in stopping the attack, perhaps even stronger than the victim of the double spend. They are players as well and can use the same counter strategy as the victim. Let's call these players plus the victim collectively defenders.

With these two additions, the dominant strategy for rational miners then becomes mining for whichever side (the attacker or the defenders) offers the largest bribe.

This leaves the attacker in a war of attrition game with the defenders. The first thing to note is that depending on how the defenders play this game, the attacker might lose or might need to pay more than the value of the double spend in order to win. This means that attacking is *not* a dominant strategy as cunicula suggested. Moreover, my understanding is that the symmetric Nash equilibrium for such a war of attrition game involves both sides paying the miners at least the amount that the losing side has at stake. As a result, even if the attacker managed to win the war of attrition using a Nash equilibrium strategy, the expected cost would make the attack unprofitable, so the attacker would still not attack to begin with.

Comments?